freifunk: get backbone tunnel to work

Astro 2022-03-23 22:46:22 +01:00
parent 9d4afa5870
commit 66a3255d3d
1 changed files with 31 additions and 17 deletions


@ -7,6 +7,7 @@ let
meshInterface = "bmx"; meshInterface = "bmx";
meshLoopback = "bmx_prime"; meshLoopback = "bmx_prime";
ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php"; ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
ddmeshBroadcast = "10.255.255.255";
inherit (pkgs.c3d2-freifunk) ddmeshRegisterKey; inherit (pkgs.c3d2-freifunk) ddmeshRegisterKey;
ddmeshNode = 51073; ddmeshNode = 51073;
ddmeshAddrPart = "200.74"; ddmeshAddrPart = "200.74";
@ -19,7 +20,7 @@ let
upstreamMark = 3; upstreamMark = 3;
rt_table_upstream = 100; rt_table_upstream = 100;
vpn6AddrPart = "200.2"; node51001AddrPart = "200.2";
in { in {
imports = [ imports = [
"${modulesPath}/profiles/minimal.nix" "${modulesPath}/profiles/minimal.nix"
@ -60,6 +61,8 @@ in {
${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING ${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
\! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart} \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
\! --source 10.200.0.0/15 -o ipip-node51001 -j SNAT --to 10.200.${ddmeshAddrPart}
${pkgs.iptables}/bin/iptables -t nat -o bat0 -A POSTROUTING -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -o bat0 -A POSTROUTING -j MASQUERADE
set -e set -e
''; '';
@ -75,7 +78,7 @@ in {
''; '';
}; };
environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ]; environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf ];
sops.secrets."wireguard/vpn6/privateKey" = { sops.secrets."wireguard/vpn6/privateKey" = {
group = "systemd-network"; group = "systemd-network";
@ -83,10 +86,13 @@ in {
}; };
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# unbreak wg-vpn6 ingress path
boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
systemd.network = { systemd.network = {
netdevs = { netdevs = {
# Dummy interface for primary (10.200) address # Dummy interface for primary (10.200) address
bmx-prime = { "10-bmx-prime" = {
enable = true; enable = true;
netdevConfig = { netdevConfig = {
Kind = "bridge"; Kind = "bridge";
@ -94,11 +100,12 @@ in {
}; };
}; };
# Freifunk Dresden Backbone # Freifunk Dresden Backbone
wg-vpn6 = { "31-wg-vpn6" = {
enable = true; enable = true;
netdevConfig = { netdevConfig = {
Name = "wg-vpn6"; Name = "wg-vpn6";
Kind = "wireguard"; Kind = "wireguard";
MTUBytes = "1320";
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path; PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
@ -111,19 +118,19 @@ in {
# vpn6.freifunk-dresden.de # vpn6.freifunk-dresden.de
Endpoint = "85.195.253.169:5006"; Endpoint = "85.195.253.169:5006";
PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU="; PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
AllowedIPs = "10.203.${vpn6AddrPart}/32"; AllowedIPs = "10.203.0.0/16";
}; };
} ]; } ];
}; };
ipip-vpn6 = { "32-ipip-node51001" = {
enable = true; enable = true;
netdevConfig = { netdevConfig = {
Name = "ipip-vpn6"; Name = "ipip-node51001";
Kind = "ipip"; Kind = "ipip";
}; };
tunnelConfig = { tunnelConfig = {
Local = "10.203.${ddmeshAddrPart}"; Local = "10.203.${ddmeshAddrPart}";
Remote = "10.203.${vpn6AddrPart}"; Remote = "10.203.${node51001AddrPart}";
}; };
}; };
}; };
@ -133,7 +140,10 @@ in {
enable = true; enable = true;
matchConfig = { Name = meshInterface; }; matchConfig = { Name = meshInterface; };
addresses = [{ addresses = [{
addressConfig.Address = "10.201.${ddmeshAddrPart}/16"; addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}]; }];
}; };
# Dummy interface for primary (10.200) address # Dummy interface for primary (10.200) address
@ -148,17 +158,19 @@ in {
enable = true; enable = true;
matchConfig.Name = "wg-vpn6"; matchConfig.Name = "wg-vpn6";
addresses = [{ addresses = [{
addressConfig.Address = "10.203.${ddmeshAddrPart}/32"; addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
}]; }];
routes = [ { # reverse dependency
routeConfig.Destination = "10.203.${vpn6AddrPart}/32"; networkConfig.Tunnel = [ "ipip-node51001" ];
} ];
}; };
"32-ipip-vpn6" = { "32-ipip-node51001" = {
enable = true; enable = true;
matchConfig.Name = "ipip-vpn6"; matchConfig.Name = "ipip-node51001";
addresses = [{ addresses = [{
addressConfig.Address = "10.201.${ddmeshAddrPart}/16"; addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = ddmeshBroadcast;
};
}]; }];
}; };
# ZW # ZW
@ -180,6 +192,8 @@ in {
FirewallMark = upstreamMark; FirewallMark = upstreamMark;
}; };
} ]; } ];
# reverse dependency
networkConfig.Tunnel = [ "wg-vpn6" ];
}; };
}; };
}; };
@ -200,7 +214,7 @@ in {
-r 3 --gateway_hysteresis 20 \ -r 3 --gateway_hysteresis 20 \
dev=${meshLoopback} /linklayer 0 \ dev=${meshLoopback} /linklayer 0 \
dev=${meshInterface} /linklayer 1 \ dev=${meshInterface} /linklayer 1 \
dev=ipip-vpn6 /linklayer 1 dev=ipip-node51001 /linklayer 1
''; '';
Restart = "always"; Restart = "always";
}; };
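Review bot: The new `boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;` in the fourth hunk switches reverse-path filtering off completely on that interface, where the loose mode `boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 2;` is the usual fix for an asymmetric ingress path and keeps the source-reachability check in place; it is worth trying the loose setting before dropping the check entirely. Also note that the kernel applies the stricter of `net.ipv4.conf.all.rp_filter` and the per-interface value, so unless `conf.all.rp_filter` is lowered elsewhere in this configuration (not visible in the diff) the added line may change nothing. The comment `# unbreak wg-vpn6 ingress path` should say what is actually broken, presumably that traffic entering over wg-vpn6 is answered via a different interface, e.g. `# loose rp_filter on core: packets from the wg-vpn6 backbone arrive and leave over different interfaces`. The widening of the peer's AllowedIPs to `10.203.0.0/16` in the seventh hunk means the vpn6 endpoint may now originate any address in that range on this host; if that is intentional for the backbone, a one-line comment on the `AllowedIPs` line saying so would stop a later reader from tightening it back to a /32.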