nixos-module/container/{anon,bird}: route wireguard with policy routing over default routes learned from OSPF
This commit is contained in:
parent
a467699f48
commit
0350826bc5
|
@ -14,6 +14,9 @@ let
|
||||||
|
|
||||||
privateKeyFile = ifName:
|
privateKeyFile = ifName:
|
||||||
"/run/wireguard-keys/${ifName}.key";
|
"/run/wireguard-keys/${ifName}.key";
|
||||||
|
|
||||||
|
wireguardMark = 1;
|
||||||
|
vpn4Table = 100;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
systemd.services = builtins.foldl' (services: ifName: services // {
|
systemd.services = builtins.foldl' (services: ifName: services // {
|
||||||
|
@ -47,7 +50,11 @@ in
|
||||||
Name = ifName;
|
Name = ifName;
|
||||||
Kind = "wireguard";
|
Kind = "wireguard";
|
||||||
};
|
};
|
||||||
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
|
wireguardConfig = {
|
||||||
|
PrivateKeyFile = privateKeyFile ifName;
|
||||||
|
# Mark for routing with another routing table
|
||||||
|
FirewallMark = wireguardMark;
|
||||||
|
};
|
||||||
wireguardPeers = [ {
|
wireguardPeers = [ {
|
||||||
wireguardPeerConfig = {
|
wireguardPeerConfig = {
|
||||||
PublicKey = wireguard.publicKey;
|
PublicKey = wireguard.publicKey;
|
||||||
|
@ -58,13 +65,15 @@ in
|
||||||
}) tunnels;
|
}) tunnels;
|
||||||
|
|
||||||
systemd.network.networks = {
|
systemd.network.networks = {
|
||||||
# Endpoint host-routes
|
# Wireguard transported through another routing table
|
||||||
core.routes = map (wireguard: {
|
# (containing upstream by bird ospf)
|
||||||
routeConfig = {
|
core.routingPolicyRules = [ {
|
||||||
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
|
# Marked wireguard packets take the vpn4 routing table
|
||||||
Gateway = config.site.net.core.hosts4.${gateway};
|
routingPolicyRuleConfig = {
|
||||||
|
Table = vpn4Table;
|
||||||
|
FirewallMark = wireguardMark;
|
||||||
};
|
};
|
||||||
}) (builtins.attrValues tunnels);
|
} ];
|
||||||
} // builtins.mapAttrs (ifName: wireguard: {
|
} // builtins.mapAttrs (ifName: wireguard: {
|
||||||
# Wireguard interfaces
|
# Wireguard interfaces
|
||||||
matchConfig.Name = ifName;
|
matchConfig.Name = ifName;
|
||||||
|
@ -97,5 +106,13 @@ in
|
||||||
inherit (config.site.hosts.${hostName}) forwardPorts;
|
inherit (config.site.hosts.${hostName}) forwardPorts;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Configure rt_table name
|
||||||
|
networking.iproute2 = {
|
||||||
|
enable = true;
|
||||||
|
rttablesExtraConfig = ''
|
||||||
|
${toString vpn4Table} vpn4
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
# TODO: firewall
|
# TODO: firewall
|
||||||
}
|
}
|
||||||
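Review bot: The new `core.routingPolicyRules` entry steers fwmark-1 packets into table vpn4, but that table holds only the OSPF default BIRD copies into it; if that default is withdrawn, the lookup in table 100 finds nothing and the kernel falls through to the next rule, so the WireGuard transport silently takes the main table — presumably the path (a default via the tunnel itself, if that is what main holds on the anon hosts) this change exists to avoid. A terminal fallback turns that into a hard failure instead of a leak or loop, e.g. a networkd route in the same `core` network: `routes = [ { routeConfig = { Destination = "0.0.0.0/0"; Type = "unreachable"; Table = vpn4Table; Metric = 4294967295; }; } ];` — BIRD's kernel protocol only withdraws routes it installed, so a static unreachable at the worst metric survives as last resort. The rule also sets no `Priority =`, so its position relative to any other rules on the host depends on insertion order; pinning it is one line. Finally, a comment at `wireguardMark = 1;` should say that the value must not collide with marks set by nftables or other tooling, since the firewall is still `# TODO: firewall` below.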
|
|
|
@ -66,6 +66,31 @@ in
|
||||||
scan time 10;
|
scan time 10;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
${lib.optionalString (builtins.match "anon.*" hostName != null) ''
|
||||||
|
ipv4 table vpn4_table;
|
||||||
|
protocol pipe {
|
||||||
|
table master4;
|
||||||
|
peer table vpn4_table;
|
||||||
|
export filter {
|
||||||
|
if net ~ [ 0.0.0.0/0 ] then {
|
||||||
|
# Copy default route to vpn4 table
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
# Routing table for Wireguard transport
|
||||||
|
protocol kernel VPN4 {
|
||||||
|
# "vpn4_table" configured on anon routers
|
||||||
|
kernel table 100;
|
||||||
|
ipv4 {
|
||||||
|
table vpn4_table;
|
||||||
|
export all;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
|
||||||
${lib.optionalString (gatewayNet != null) ''
|
${lib.optionalString (gatewayNet != null) ''
|
||||||
# Router advertisements
|
# Router advertisements
|
||||||
protocol radv {
|
protocol radv {
|
||||||
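Review bot: The `protocol pipe` block filters only the master4 → vpn4_table direction; the reverse direction is governed by `import`, which is left at BIRD's default (for pipe I believe that is `import all`), so anything that lands in vpn4_table would flow back into master4 and from there toward the kernel and OSPF. Today the table holds nothing but the copied default, but the guard is one line: add `import none;` beside `export filter { ... }`. Separately, `kernel table 100;` repeats `vpn4Table = 100` from the anon module by hand, tied together only by the comment `# "vpn4_table" configured on anon routers`; interpolating the number from one shared option (e.g. `kernel table ${toString vpn4Table};`) would keep the two from drifting apart.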
|
|