From 0350826bc501f8ead6c96608b5e0dbc7401c3568 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 29 Apr 2021 22:46:03 +0200 Subject: [PATCH] nixos-module/container/{anon,bird}: route wireguard with policy routing over default routes learned from OSPF --- nix/nixos-module/container/anon.nix | 31 ++++++++++++++++++++++------- nix/nixos-module/container/bird.nix | 25 +++++++++++++++++++++++ 2 files changed, 49 insertions(+), 7 deletions(-) diff --git a/nix/nixos-module/container/anon.nix b/nix/nixos-module/container/anon.nix index f72c69b..2876bfd 100644 --- a/nix/nixos-module/container/anon.nix +++ b/nix/nixos-module/container/anon.nix @@ -14,6 +14,9 @@ let privateKeyFile = ifName: "/run/wireguard-keys/${ifName}.key"; + + wireguardMark = 1; + vpn4Table = 100; in { systemd.services = builtins.foldl' (services: ifName: services // { @@ -47,7 +50,11 @@ in Name = ifName; Kind = "wireguard"; }; - wireguardConfig.PrivateKeyFile = privateKeyFile ifName; + wireguardConfig = { + PrivateKeyFile = privateKeyFile ifName; + # Mark for routing with another routing table + FirewallMark = wireguardMark; + }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = wireguard.publicKey; @@ -58,13 +65,15 @@ in }) tunnels; systemd.network.networks = { - # Endpoint host-routes - core.routes = map (wireguard: { - routeConfig = { - Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32"; - Gateway = config.site.net.core.hosts4.${gateway}; + # Wireguard transported through another routing table + # (containing upstream by bird ospf) + core.routingPolicyRules = [ { + # Marked wireguard packets take the vpn4 routing table + routingPolicyRuleConfig = { + Table = vpn4Table; + FirewallMark = wireguardMark; }; - }) (builtins.attrValues tunnels); + } ]; } // builtins.mapAttrs (ifName: wireguard: { # Wireguard interfaces matchConfig.Name = ifName; 
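Review bot: `vpn4Table = 100` in the new let-bindings is silently coupled to the literal `kernel table 100;` in the bird.nix hunk, and `wireguardMark = 1` to whatever the pending firewall (the `# TODO: firewall` line in the later anon.nix hunk) will do with packet marks; nothing ties them together besides a comment on the bird side. If either number drifts, the marked WireGuard packets are steered to a table that bird never fills and the lookup falls through to the main table, which is hard to notice. At minimum document both: `# Kernel routing table for wireguard transport; must equal "kernel table" of protocol kernel VPN4 in bird.nix` above `vpn4Table`, and `# fwmark set on outgoing wireguard packets; a future firewall must not overwrite or reuse this mark` above `wireguardMark`. Better still, derive both files' values from one shared definition so the coupling is enforced rather than remembered. The let block these bindings belong to begins before the hunk.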
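Review bot: The new `core.routingPolicyRules` entry sets no `Priority=`, so its position relative to any rule added later (by the firewall the file still marks as TODO, or by other networkd configuration) depends on the kernel's insertion-time choice instead of being declared; a fixed `Priority = 1000;` (constructed value, anything below main's 32766) next to `FirewallMark` makes the ordering explicit. The rule also replaces the removed per-endpoint host routes with a lookup that only helps once bird has copied a default route into table 100; until then (bird not started, OSPF not converged) the lookup misses and the marked packets fall through to the main table, so the endpoint is reached by whatever main says rather than by the intended upstream. If that fallback is not acceptable for these containers, an `unreachable` default route with a high metric in table `vpn4Table` (via `core.routes` with `Table`, `Type = "unreachable"`, `Destination = "0.0.0.0/0"`) would fail closed, but verify first that bird's kernel protocol leaves routes it did not install in that table alone. Either way, a comment on the rule stating the fallback would help: `# If vpn4 holds no route (bird down / OSPF not converged), the lookup falls through to main`.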
@@ -97,5 +106,13 @@ in inherit (config.site.hosts.${hostName}) forwardPorts; }; + # Configure rt_table name + networking.iproute2 = { + enable = true; + rttablesExtraConfig = '' + ${toString vpn4Table} vpn4 + ''; + }; + # TODO: firewall } diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix index 39f9a31..68fd940 100644 --- a/nix/nixos-module/container/bird.nix +++ b/nix/nixos-module/container/bird.nix @@ -66,6 +66,31 @@ in scan time 10; } + ${lib.optionalString (builtins.match "anon.*" hostName != null) '' + ipv4 table vpn4_table; + protocol pipe { + table master4; + peer table vpn4_table; + export filter { + if net ~ [ 0.0.0.0/0 ] then { + # Copy default route to vpn4 table + accept; + } + reject; + }; + } + + # Routing table for Wireguard transport + protocol kernel VPN4 { + # "vpn4_table" configured on anon routers + kernel table 100; + ipv4 { + table vpn4_table; + export all; + }; + } + ''} + ${lib.optionalString (gatewayNet != null) '' # Router advertisements protocol radv {
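Review bot: The comment `# Configure rt_table name` on the new `networking.iproute2` block does not say that the name is cosmetic: bird.nix addresses the table purely by number (`kernel table 100;`) and calls its own internal copy `vpn4_table`, so one table now has three names. Suggest `# Name kernel routing table vpn4Table "vpn4" for ip(8) output only; bird.nix selects the table by number` so the next reader does not go looking for a "vpn4" reference in the bird configuration.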
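Review bot: The pipe's export filter accepts every `0.0.0.0/0` present in `master4` regardless of where the route came from, while the commit intends only the OSPF-learned default to reach `vpn4_table`. If `master4` also carries a default route that points into the WireGuard tunnel itself (a statically configured or kernel-learned one on an anon router), that route is copied too, and the encapsulated WireGuard packets, which now look up table 100, would be sent back into the tunnel they are supposed to transport; the per-endpoint host routes this series removes from anon.nix used to rule that out. Restricting the filter to OSPF origins makes the intent enforceable: `if net ~ [ 0.0.0.0/0 ] && source ~ [ RTS_OSPF, RTS_OSPF_IA, RTS_OSPF_EXT1, RTS_OSPF_EXT2 ] then {`. The literal `kernel table 100;` duplicates `vpn4Table` from anon.nix; see the note on the first anon.nix hunk. The interpolated bird configuration string this `lib.optionalString` block sits in begins before the hunk.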