services: wireguard: use 'wg-quick'

Turns out the `wireguard` service isn't meant to be used for VPN-like
workflows (see [1]), and I'll probably have less trouble by using
`wg-quick` instead.

Nice bonus is that instead of having awfully named services running for
each peer, I only need the one service for `wg-quick` itself.

[1]: https://github.com/NixOS/nixpkgs/issues/51258
This commit is contained in:
Bruno BELANYI 2021-02-17 15:31:47 +00:00
parent a4da864981
commit ecded82986


@ -61,11 +61,10 @@ in
}; };
}; };
config.networking = lib.mkIf cfg.enable { config.networking = lib.mkIf cfg.enable {
wireguard.interfaces."${cfg.iface}" = { wg-quick.interfaces."${cfg.iface}" = {
listenPort = cfg.port; listenPort = cfg.port;
ips = with cfg.net; with lib; [ address = with cfg.net; with lib; [
"${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}" "${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}"
"${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}" "${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}"
]; ];
@ -92,19 +91,25 @@ in
]; ];
# Roaming clients need to keep NAT-ing active # Roaming clients need to keep NAT-ing active
persistentKeepalive = 10; persistentKeepalive = 10;
# Use server DNS
}) })
otherPeers; otherPeers;
} // lib.optionalAttrs (thisPeer ? externalIp) { } // lib.optionalAttrs (thisPeer ? externalIp) {
# Setup forwarding on server # Setup forwarding on server
# FIXME: 'eth0' should not hard-coded # FIXME: 'eth0' should not hard-coded
postSetup = with cfg.net; '' postUp = with cfg.net; ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${v4.subnet}.0/${toString v4.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -A FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${v6.subnet}::0/${toString v6.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o eth0 -j MASQUERADE
''; '';
postShutdown = with cfg.net; '' preDown = with cfg.net; ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${v4.subnet}.0/${toString v4.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -D FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${v6.subnet}::0/${toString v6.mask} -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${v4.subnet}.1/${toString v4.mask} -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i ${cfg.iface} -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s ${v6.subnet}::1/${toString v6.mask} -o eth0 -j MASQUERADE
''; '';
}; };
nat = lib.optionalAttrs (thisPeer ? externalIp) { nat = lib.optionalAttrs (thisPeer ? externalIp) {
@ -113,6 +118,6 @@ in
internalInterfaces = [ cfg.iface ]; internalInterfaces = [ cfg.iface ];
}; };
firewall.allowedUDPPorts = lib.optional (thisPeer ? externalIp) cfg.port; firewall.allowedUDPPorts = [ cfg.port ];
}; };
} }
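Review bot: The new `firewall.allowedUDPPorts = [ cfg.port ];` in the third hunk opens the WireGuard UDP port in the host firewall on every peer, whereas the line it replaces only did so on the peer that has `externalIp`; roaming clients dial out and hold the session with `persistentKeepalive = 10`, so they do not appear to need an inbound port, and the unconditional form widens each client's exposed surface. Unless the switch to `wg-quick` requires it, keep the condition: `firewall.allowedUDPPorts = lib.optional (thisPeer ? externalIp) cfg.port;`. Relatedly, the new `postUp` rules `iptables -A FORWARD -i ${cfg.iface} -j ACCEPT` and the `ip6tables` twin accept forwarding from the tunnel to any destination, not only towards `eth0` where the MASQUERADE applies, so if the intent is internet egress only, adding `-o eth0` to both FORWARD rules and to their `-D` counterparts in `preDown` keeps peers off other networks attached to the server. The `nat = lib.optionalAttrs (thisPeer ? externalIp) { ... internalInterfaces = [ cfg.iface ]; }` block may already install equivalent forward and masquerade rules when NAT is enabled, in which case the hand-written iptables lines are redundant — worth confirming against the `nat.enable` setting, which is outside this view. The `config.networking = lib.mkIf cfg.enable { ... }` set is opened in the first hunk and its body spans lines the hunks do not show.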