nixos-module/container/wireguard: rename rt_table vpn4 to vpn, add to wg settings

2022-09-18 16:13:36 +02:00 · 2022-09-18 16:13:36 +02:00 · 5eb915e4f6
parent da6b2d55fc
commit 5eb915e4f6
2 changed files with 10 additions and 13 deletions
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@ -97,15 +97,15 @@ in
        hostName == "flpk-gw"
      ) ''
        # BIRD routing table for Wireguard transport
-        ipv4 table vpn4_table;
+        ipv4 table vpn_table;

        # Kernel routing table for Wireguard transport
-        protocol kernel VPN4 {
-          # "vpn4_table" configured on anon routers
+        protocol kernel VPN {
+          # "vpn_table" configured on anon routers
          kernel table 100;
          ipv4 {
            export all;
-            table vpn4_table;
+            table vpn_table;
          };
        }
      ''}
@ -220,7 +220,7 @@ in
                  builtins.match "anon.*" hostName != null ||
                  hostName == "flpk-gw"
                ) ''
-                  table vpn4_table;
+                  table vpn_table;
                ''}
              };
              area 0 {
--- a/nix/nixos-module/container/wireguard.nix
+++ b/nix/nixos-module/container/wireguard.nix
@ -14,8 +14,7 @@ let
  privateKeyFile = ifName:
    "/run/wireguard-keys/${ifName}.key";

-  wireguardMark = 3;
-  vpn4Table = 100;
+  vpnTable = 100;
 in
 {
  systemd.services = builtins.foldl' (services: ifName: services // {
@ -51,8 +50,7 @@ in
    };
    wireguardConfig = {
      PrivateKeyFile = privateKeyFile ifName;
-      # Mark for routing with another routing table
-      FirewallMark = wireguardMark;
+      RouteTable = "vpn";
    };
    wireguardPeers = [ {
      wireguardPeerConfig = {
@ -67,10 +65,9 @@ in
    # Wireguard transported through another routing table
    # (containing upstream by bird ospf)
    core.routingPolicyRules = [ {
-      # Marked wireguard packets take the vpn4 routing table
+      # Marked wireguard packets take the vpn routing table
      routingPolicyRuleConfig = {
-        Table = vpn4Table;
-        FirewallMark = wireguardMark;
+        Table = vpnTable;
      };
    } ];
  } // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: {
@ -109,7 +106,7 @@ in
  networking.iproute2 = lib.mkIf enabled {
    enable = true;
    rttablesExtraConfig = ''
-      ${toString vpn4Table} vpn4
+      ${toString vpnTable} vpn
    '';
  };