nixos-module/container/wireguard: rename rt_table vpn4 to vpn, add to wg settings

Astro 2022-09-18 16:13:36 +02:00
parent da6b2d55fc
commit 5eb915e4f6
2 changed files with 10 additions and 13 deletions


@ -97,15 +97,15 @@ in
hostName == "flpk-gw" hostName == "flpk-gw"
) '' ) ''
# BIRD routing table for Wireguard transport # BIRD routing table for Wireguard transport
ipv4 table vpn4_table; ipv4 table vpn_table;
# Kernel routing table for Wireguard transport # Kernel routing table for Wireguard transport
protocol kernel VPN4 { protocol kernel VPN {
# "vpn4_table" configured on anon routers # "vpn_table" configured on anon routers
kernel table 100; kernel table 100;
ipv4 { ipv4 {
export all; export all;
table vpn4_table; table vpn_table;
}; };
} }
''} ''}
@ -220,7 +220,7 @@ in
builtins.match "anon.*" hostName != null || builtins.match "anon.*" hostName != null ||
hostName == "flpk-gw" hostName == "flpk-gw"
) '' ) ''
table vpn4_table; table vpn_table;
''} ''}
}; };
area 0 { area 0 {


@ -14,8 +14,7 @@ let
privateKeyFile = ifName: privateKeyFile = ifName:
"/run/wireguard-keys/${ifName}.key"; "/run/wireguard-keys/${ifName}.key";
wireguardMark = 3; vpnTable = 100;
vpn4Table = 100;
in in
{ {
systemd.services = builtins.foldl' (services: ifName: services // { systemd.services = builtins.foldl' (services: ifName: services // {
@ -51,8 +50,7 @@ in
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = privateKeyFile ifName; PrivateKeyFile = privateKeyFile ifName;
# Mark for routing with another routing table RouteTable = "vpn";
FirewallMark = wireguardMark;
}; };
wireguardPeers = [ { wireguardPeers = [ {
wireguardPeerConfig = { wireguardPeerConfig = {
@ -67,10 +65,9 @@ in
# Wireguard transported through another routing table # Wireguard transported through another routing table
# (containing upstream by bird ospf) # (containing upstream by bird ospf)
core.routingPolicyRules = [ { core.routingPolicyRules = [ {
# Marked wireguard packets take the vpn4 routing table # Marked wireguard packets take the vpn routing table
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
Table = vpn4Table; Table = vpnTable;
FirewallMark = wireguardMark;
}; };
} ]; } ];
} // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: { } // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: {
@ -109,7 +106,7 @@ in
networking.iproute2 = lib.mkIf enabled { networking.iproute2 = lib.mkIf enabled {
enable = true; enable = true;
rttablesExtraConfig = '' rttablesExtraConfig = ''
${toString vpn4Table} vpn4 ${toString vpnTable} vpn
''; '';
}; };
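Review bot: The routing policy rule in the `core.routingPolicyRules` hunk now carries only `Table = vpnTable;` with no `FirewallMark`, `From` or `To` selector, so it matches every packet and consults table 100 ahead of `main`, where the removed rule applied only to packets marked with `wireguardMark`; the comment above it, `# Marked wireguard packets take the vpn routing table`, is now stale because nothing marks packets any more. If sending all lookups through the vpn table first is the intent, reword it to `# Every lookup consults the vpn table (upstream via bird ospf) before main`; otherwise a selector needs to come back. Separately, `RouteTable = "vpn"` in `wireguardConfig` is, as far as I recall from systemd.netdev(5), the table that receives the peers' AllowedIPs routes rather than a selector for the encapsulated transport, and networkd resolves table names from its own `networkd.conf` RouteTable= mapping rather than the `rttablesExtraConfig` entry added here, so please verify that the name is accepted at all; `RouteTable = toString vpnTable;` would at least not depend on the name resolving. The enclosing attribute set of the rule hunk continues outside the hunk.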