nixos-module/container/wireguard: rename rt_table vpn4 to vpn, add to wg settings
This commit is contained in:
parent
da6b2d55fc
commit
5eb915e4f6
|
@ -97,15 +97,15 @@ in
|
||||||
hostName == "flpk-gw"
|
hostName == "flpk-gw"
|
||||||
) ''
|
) ''
|
||||||
# BIRD routing table for Wireguard transport
|
# BIRD routing table for Wireguard transport
|
||||||
ipv4 table vpn4_table;
|
ipv4 table vpn_table;
|
||||||
|
|
||||||
# Kernel routing table for Wireguard transport
|
# Kernel routing table for Wireguard transport
|
||||||
protocol kernel VPN4 {
|
protocol kernel VPN {
|
||||||
# "vpn4_table" configured on anon routers
|
# "vpn_table" configured on anon routers
|
||||||
kernel table 100;
|
kernel table 100;
|
||||||
ipv4 {
|
ipv4 {
|
||||||
export all;
|
export all;
|
||||||
table vpn4_table;
|
table vpn_table;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
''}
|
''}
|
||||||
|
@ -220,7 +220,7 @@ in
|
||||||
builtins.match "anon.*" hostName != null ||
|
builtins.match "anon.*" hostName != null ||
|
||||||
hostName == "flpk-gw"
|
hostName == "flpk-gw"
|
||||||
) ''
|
) ''
|
||||||
table vpn4_table;
|
table vpn_table;
|
||||||
''}
|
''}
|
||||||
};
|
};
|
||||||
area 0 {
|
area 0 {
|
||||||
|
|
|
@ -14,8 +14,7 @@ let
|
||||||
privateKeyFile = ifName:
|
privateKeyFile = ifName:
|
||||||
"/run/wireguard-keys/${ifName}.key";
|
"/run/wireguard-keys/${ifName}.key";
|
||||||
|
|
||||||
wireguardMark = 3;
|
vpnTable = 100;
|
||||||
vpn4Table = 100;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.services = builtins.foldl' (services: ifName: services // {
|
systemd.services = builtins.foldl' (services: ifName: services // {
|
||||||
|
@ -51,8 +50,7 @@ in
|
||||||
};
|
};
|
||||||
wireguardConfig = {
|
wireguardConfig = {
|
||||||
PrivateKeyFile = privateKeyFile ifName;
|
PrivateKeyFile = privateKeyFile ifName;
|
||||||
# Mark for routing with another routing table
|
RouteTable = "vpn";
|
||||||
FirewallMark = wireguardMark;
|
|
||||||
};
|
};
|
||||||
wireguardPeers = [ {
|
wireguardPeers = [ {
|
||||||
wireguardPeerConfig = {
|
wireguardPeerConfig = {
|
||||||
|
@ -67,10 +65,9 @@ in
|
||||||
# Wireguard transported through another routing table
|
# Wireguard transported through another routing table
|
||||||
# (containing upstream by bird ospf)
|
# (containing upstream by bird ospf)
|
||||||
core.routingPolicyRules = [ {
|
core.routingPolicyRules = [ {
|
||||||
# Marked wireguard packets take the vpn4 routing table
|
# Marked wireguard packets take the vpn routing table
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
Table = vpn4Table;
|
Table = vpnTable;
|
||||||
FirewallMark = wireguardMark;
|
|
||||||
};
|
};
|
||||||
} ];
|
} ];
|
||||||
} // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: {
|
} // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: {
|
||||||
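Review bot: With `FirewallMark = wireguardMark;` dropped from routingPolicyRuleConfig, the rule keeps only `Table = vpnTable;` and no longer carries any match selector, so as far as this hunk shows it would apply to every packet rather than only to marked WireGuard traffic, while the comment `# Marked wireguard packets take the vpn routing table` directly above still describes the old mark-based behaviour. If the intent is that `RouteTable = "vpn"` in wireguardConfig (hunk @ -51) replaces the mark-based steering, note that in systemd.netdev that setting controls where the routes for AllowedIPs are installed, not which table the encapsulated transport packets are looked up in, so the transport path may now fall back to the main table; this should be confirmed against the networkd version in use, and either a selector restored on the rule or the comment changed to say the lookup is unconditional. Separately, networkd resolves table names through its own routeTables configuration rather than /etc/iproute2/rt_tables, so the name `vpn` registered via rttablesExtraConfig (hunk @ -109) may not be resolvable by networkd; using the numeric id, e.g. `RouteTable = toString vpnTable;`, avoids that dependency. The enclosing `builtins.foldl'` lambda starts and ends outside this hunk.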
|
@ -109,7 +106,7 @@ in
|
||||||
networking.iproute2 = lib.mkIf enabled {
|
networking.iproute2 = lib.mkIf enabled {
|
||||||
enable = true;
|
enable = true;
|
||||||
rttablesExtraConfig = ''
|
rttablesExtraConfig = ''
|
||||||
${toString vpn4Table} vpn4
|
${toString vpnTable} vpn
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|