nixos-module/container/{anon,bird}: route wireguard with policy routing over default routes learned from OSPF
parent
a467699f48
commit
0350826bc5
@ -14,6 +14,9 @@ let
privateKeyFile = ifName:
"/run/wireguard-keys/${ifName}.key";
wireguardMark = 1;
vpn4Table = 100;
in
{
systemd.services = builtins.foldl' (services: ifName: services // {
@ -47,7 +50,11 @@ in
Name = ifName;
Kind = "wireguard";
};
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
wireguardConfig = {
PrivateKeyFile = privateKeyFile ifName;
# Mark for routing with another routing table
FirewallMark = wireguardMark;
};
wireguardPeers = [ {
wireguardPeerConfig = {
PublicKey = wireguard.publicKey;
@ -58,13 +65,15 @@ in
}) tunnels;
systemd.network.networks = {
# Endpoint host-routes
core.routes = map (wireguard: {
routeConfig = {
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
Gateway = config.site.net.core.hosts4.${gateway};
# Wireguard transported through another routing table
# (containing upstream by bird ospf)
core.routingPolicyRules = [ {
# Marked wireguard packets take the vpn4 routing table
routingPolicyRuleConfig = {
Table = vpn4Table;
FirewallMark = wireguardMark;
};
}) (builtins.attrValues tunnels);
} ];
} // builtins.mapAttrs (ifName: wireguard: {
# Wireguard interfaces
matchConfig.Name = ifName;
@ -97,5 +106,13 @@ in
inherit (config.site.hosts.${hostName}) forwardPorts;
};
# Configure rt_table name
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
${toString vpn4Table} vpn4
'';
};
# TODO: firewall
}
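Review bot: The new `core.routingPolicyRules` entry sets no `Priority=` and has no backstop, so whenever `vpn4` holds no default route (the bird pipe copies only `0.0.0.0/0`, which OSPF can withdraw) the lookup for mark-1 packets simply fails and the kernel continues to the main table, sending the WireGuard transport wherever main says — presumably the very path this change exists to avoid. A second rule with the same mark, a lower priority and `Type = "unreachable"` (accepted by networkd since systemd 248; confirm against the pinned NixOS release) keeps the transport pinned to `vpn4` and makes the failure visible instead of silent. `wireguardMark = 1` is also the value most other tooling reaches for first; a less generic mark with an explicit mask in the rule (`FirewallMark = "<mark>/<mask>"`) would survive the firewall promised by the `# TODO: firewall` line. The surrounding `systemd.network.networks` set starts inside the third hunk, but the `core` entry shown is complete.
```nix
core.routingPolicyRules = [
  {
    # Marked wireguard packets take the vpn4 routing table
    routingPolicyRuleConfig = {
      Table = vpn4Table;
      FirewallMark = wireguardMark;
      Priority = 1000;
    };
  }
  {
    # Backstop: if vpn4 has lost its default route, fail the lookup
    # rather than letting the transport fall through to the main table
    # (Type= needs systemd >= 248)
    routingPolicyRuleConfig = {
      FirewallMark = wireguardMark;
      Priority = 1001;
      Type = "unreachable";
    };
  }
];
```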
@ -66,6 +66,31 @@ in
scan time 10;
}
${lib.optionalString (builtins.match "anon.*" hostName != null) ''
ipv4 table vpn4_table;
protocol pipe {
table master4;
peer table vpn4_table;
export filter {
if net ~ [ 0.0.0.0/0 ] then {
# Copy default route to vpn4 table
accept;
}
reject;
};
}
# Routing table for Wireguard transport
protocol kernel VPN4 {
# "vpn4_table" configured on anon routers
kernel table 100;
ipv4 {
table vpn4_table;
export all;
};
}
''}
${lib.optionalString (gatewayNet != null) ''
# Router advertisements
protocol radv {
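Review bot: `kernel table 100;` in the new `protocol kernel VPN4` hard-codes the table id that anon.nix defines as `vpn4Table = 100` in this same commit, linked only by a comment, so a later change on either side would leave bird exporting into a table no policy rule consults and the transport would silently follow the main table. Expose the id as a module option or a shared `lib` value and interpolate it here, e.g. `kernel table ${toString vpn4Table};`, so the two files cannot drift. The comment on that line also names bird's internal table rather than the kernel one; `# kernel table 100 is named "vpn4" in rt_tables on anon routers (vpn4Table in anon.nix)` says what a reader actually needs. The pipe filter that copies only `0.0.0.0/0` is fine for the current use, but it should be documented that more-specific upstream prefixes stay in master4 only. The `${lib.optionalString ...}` block this hunk adds is complete; the enclosing bird configuration string starts before the hunk.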