nixos-module/container/{anon,bird}: route wireguard with policy routing over default routes learned from OSPF

2 years ago · 0350826bc5
parent a467699f48
commit 0350826bc5
2 changed files with 49 additions and 7 deletions
--- a/nix/nixos-module/container/anon.nix
+++ b/nix/nixos-module/container/anon.nix
@ -14,6 +14,9 @@ let

  privateKeyFile = ifName:
    "/run/wireguard-keys/${ifName}.key";
+
+  wireguardMark = 1;
+  vpn4Table = 100;
 in
 {
  systemd.services = builtins.foldl' (services: ifName: services // {
@ -47,7 +50,11 @@ in
      Name = ifName;
      Kind = "wireguard";
    };
-    wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
+    wireguardConfig = {
+      PrivateKeyFile = privateKeyFile ifName;
+      # Mark for routing with another routing table
+      FirewallMark = wireguardMark;
+    };
    wireguardPeers = [ {
      wireguardPeerConfig = {
        PublicKey = wireguard.publicKey;
@ -58,13 +65,15 @@ in
  }) tunnels;

  systemd.network.networks = {
-    # Endpoint host-routes
-    core.routes = map (wireguard: {
-      routeConfig = {
-        Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
-        Gateway = config.site.net.core.hosts4.${gateway};
+    # Wireguard transported through another routing table
+    # (containing upstream by bird ospf)
+    core.routingPolicyRules = [ {
+      # Marked wireguard packets take the vpn4 routing table
+      routingPolicyRuleConfig = {
+        Table = vpn4Table;
+        FirewallMark = wireguardMark;
      };
-    }) (builtins.attrValues tunnels);
+    } ];
  } // builtins.mapAttrs (ifName: wireguard: {
    # Wireguard interfaces
    matchConfig.Name = ifName;
@ -97,5 +106,13 @@ in
    inherit (config.site.hosts.${hostName}) forwardPorts;
  };

+  # Configure rt_table name
+  networking.iproute2 = {
+    enable = true;
+    rttablesExtraConfig = ''
+      ${toString vpn4Table} vpn4
+    '';
+  };
+
  # TODO: firewall
 }
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@ -66,6 +66,31 @@ in
        scan time 10;
      }

+      ${lib.optionalString (builtins.match "anon.*" hostName != null) ''
+        ipv4 table vpn4_table;
+        protocol pipe {
+          table master4;
+          peer table vpn4_table;
+          export filter {
+            if net ~ [ 0.0.0.0/0 ] then {
+              # Copy default route to vpn4 table
+              accept;
+            }
+            reject;
+          };
+        }
+
+        # Routing table for Wireguard transport
+        protocol kernel VPN4 {
+          # "vpn4_table" configured on anon routers
+          kernel table 100;
+          ipv4 {
+            table vpn4_table;
+            export all;
+          };
+        }
+      ''}
+
      ${lib.optionalString (gatewayNet != null) ''
        # Router advertisements
        protocol radv {