nixos-module/container/{anon,bird}: route wireguard with policy routing over default routes learned from OSPF

Astro 2021-04-29 22:46:03 +02:00
parent a467699f48
commit 0350826bc5
2 changed files with 49 additions and 7 deletions


@ -14,6 +14,9 @@ let
privateKeyFile = ifName:
"/run/wireguard-keys/${ifName}.key";
wireguardMark = 1;
vpn4Table = 100;
in
{
systemd.services = builtins.foldl' (services: ifName: services // {
@ -47,7 +50,11 @@ in
Name = ifName;
Kind = "wireguard";
};
wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
wireguardConfig = {
PrivateKeyFile = privateKeyFile ifName;
# Mark for routing with another routing table
FirewallMark = wireguardMark;
};
wireguardPeers = [ {
wireguardPeerConfig = {
PublicKey = wireguard.publicKey;
@ -58,13 +65,15 @@ in
}) tunnels;
systemd.network.networks = {
# Endpoint host-routes
core.routes = map (wireguard: {
routeConfig = {
Destination = builtins.head (builtins.match "(.+):.*" wireguard.endpoint) + "/32";
Gateway = config.site.net.core.hosts4.${gateway};
# Wireguard transported through another routing table
# (containing upstream by bird ospf)
core.routingPolicyRules = [ {
# Marked wireguard packets take the vpn4 routing table
routingPolicyRuleConfig = {
Table = vpn4Table;
FirewallMark = wireguardMark;
};
}) (builtins.attrValues tunnels);
} ];
} // builtins.mapAttrs (ifName: wireguard: {
# Wireguard interfaces
matchConfig.Name = ifName;
@ -97,5 +106,13 @@ in
inherit (config.site.hosts.${hostName}) forwardPorts;
};
# Configure rt_table name
networking.iproute2 = {
enable = true;
rttablesExtraConfig = ''
${toString vpn4Table} vpn4
'';
};
# TODO: firewall
}
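Review bot: The routing policy rule added in the `@ -58,13 +65,15 @@` hunk sends marked WireGuard packets to table `vpn4Table` but has no fallback for the case where that table holds no default route (before OSPF has converged, or while the upstream is gone): a lookup that finds nothing in table 100 falls through to the remaining rules, so the encapsulated packets would then be routed by the main table rather than dropped. If that is not the intended failure mode, give the rule an explicit `Priority` and add a second rule for the same mark that terminates the lookup, e.g. `{ routingPolicyRuleConfig = { FirewallMark = wireguardMark; Type = "unreachable"; Priority = <prio+1>; }; }` — `Type=` on `[RoutingPolicyRule]` requires a fairly recent systemd, otherwise an `unreachable` route with a high `Metric` for `0.0.0.0/0` in table `vpn4Table` via `core.routes` gives the same effect. Leaving `Priority` unset also means the rule's position relative to the main-table lookup is whatever the kernel picks at insertion time, which is worth pinning. The enclosing `systemd.network.networks` attribute set continues outside the hunk.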


@ -66,6 +66,31 @@ in
scan time 10;
}
${lib.optionalString (builtins.match "anon.*" hostName != null) ''
ipv4 table vpn4_table;
protocol pipe {
table master4;
peer table vpn4_table;
export filter {
if net ~ [ 0.0.0.0/0 ] then {
# Copy default route to vpn4 table
accept;
}
reject;
};
}
# Routing table for Wireguard transport
protocol kernel VPN4 {
# "vpn4_table" configured on anon routers
kernel table 100;
ipv4 {
table vpn4_table;
export all;
};
}
''}
${lib.optionalString (gatewayNet != null) ''
# Router advertisements
protocol radv {
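Review bot: The pipe filter in the new anon-only block accepts any `0.0.0.0/0` present in `master4`, not only a default learned from OSPF as the commit title describes: a default that reaches `master4` from another protocol (a static, or a kernel-learned route if the main kernel protocol has `learn` enabled) would be copied into `vpn4_table` and used as the WireGuard transport path too. If the OSPF origin matters, the condition should also test the route's `source` attribute, e.g. `if net ~ [ 0.0.0.0/0 ] && source = RTS_OSPF_EXT2 then {` (or `RTS_OSPF`, `RTS_OSPF_IA`, `RTS_OSPF_EXT1`, whichever the upstream default is actually announced as). Separately, `kernel table 100;` duplicates the `vpn4Table = 100` constant of the container module by value, and the comment above it calls the table `"vpn4_table"` while the rt_tables entry the other file installs is named `vpn4`; referencing one shared constant, or at least a comment naming the other file, would keep the two from drifting. The `${lib.optionalString (gatewayNet != null) ''` block at the end continues outside the hunk.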