-rw-r--r-- | hosts/ahmed/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/ahmed/wireguard-vpn/default.nix | 53 | ||||
-rw-r--r-- | metadata.toml | 6 | ||||
-rw-r--r-- | secrets/secrets.nix | 1 | ||||
-rw-r--r-- | secrets/wireguard-vpn-key.age | bin | 0 -> 1189 bytes |
5 files changed, 61 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index bee715b..e1062c5 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -25,6 +25,7 @@
 ./nginx
 ./local-dns
 ./vaultwarden
+ ./wireguard-vpn
 ];
 # Create the main user.
diff --git a/hosts/ahmed/wireguard-vpn/default.nix b/hosts/ahmed/wireguard-vpn/default.nix
new file mode 100644
index 0000000..e419b31
--- /dev/null
+++ b/hosts/ahmed/wireguard-vpn/default.nix
@@ -0,0 +1,53 @@
+# This module sets up thi sserver as a VPN exit node. We define a virtual
+# private network on 10.100.0.0/16 which all the devices are connected to.
+# Since this host is guaranteed to have a static ip address, all trafic is
+# routed through here.
+{
+ pkgs,
+ config,
+ metadata,
+ ...
+}: let
+ wireguardInterface = "wg1"; # wg0 is used for torrenting.
+
+ externalInterface = "enp0s31f6";
+in {
+ networking.wireguard.interfaces.${wireguardInterface} = {
+ # This is "network" part of VPN. Also defines the IP of this host within that virtual network.
+ ips = ["10.100.0.1/16"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = metadata.hosts.ahmed.wireguard.port;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o eth0 -j MASQUERADE";
+ postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o eth0 -j MASQUERADE";
+
+ privateKeyFile = config.age.secrets.wireguard-vpn-key.path;
+
+ peers = [
+ {
+ # Muhammed
+ publicKey = "l0HoOpGEkyxG3dTsJ3+zNItD6bQEkzymGvcsMLFOdmA=";
+ allowedIPs = ["10.100.0.2/32"];
+ }
+ ];
+ };
+
+ # Allow connections to the wireguard server. All clients need to connect to
+ # this port.
+ networking.firewall.allowedUDPPorts = [metadata.hosts.ahmed.wireguard.port];
+
+ # Get the private keys.
+ age.secrets.wireguard-vpn-key.file = ../../../secrets/wireguard-vpn-key.age;
+
+ # Forward packets from wireguard onto the LAN while also doing address translation.
+ networking.nat = {
+ enable = true;
+ inherit externalInterface;
+ internalInterfaces = [wireguardInterface];
+ };
+
+ # Allow DNS from Wireguard.
+ services.dnscache.clientIps = ["10.100"];
+}
diff --git a/metadata.toml b/metadata.toml
index 7c2cac1..ce62ec5 100644
--- a/metadata.toml
+++ b/metadata.toml
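Review bot: The MASQUERADE rules in `postSetup`/`postShutdown` are written for `-o eth0`, but this host's uplink is declared as `externalInterface = "enp0s31f6"` a few lines above, so on this machine those two iptables rules match no interface and the only translation that actually happens is the one `networking.nat` installs for `internalInterfaces = [wireguardInterface]` → `enp0s31f6`. A dead rule that names a different interface than the working one is misleading to the next person debugging VPN egress; since `networking.nat` already covers forwarding and masquerading, drop both lines, or if an explicit rule is wanted, tie it to the variable: `postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o ${externalInterface} -j MASQUERADE";` (and the matching `-D` in `postShutdown`). The header comment also claims this host "is guaranteed to have a static ip address" while the `metadata.toml` change in the same commit says the address "is technically dynamic", so one of the two should be corrected before clients are pointed at it. Finally, the peer entry has no `presharedKeyFile`; WireGuard's PSK is a cheap extra symmetric layer on top of the Curve25519 handshake and fits the existing age-secret pattern used for `privateKeyFile`, so consider adding one if the threat model warrants it.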
@@ -5,8 +5,14 @@ network = "rumpenettet"
 ipv4Address = "192.168.68.222"
 [hosts.ahmed.sshKeys]
+linus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTV0NShiJXtHKtOk1kG28xvcSXww5LQTfCDued/Yog0 linus@ahmed"
 root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodiSwTcZcaZxqLyHjI2MGe1CpIBvIzzbjpXrwAyiYO root@ahmed"
+[hosts.ahmed.wireguard]
+pubkey = "OyVax+rmBHEJsN3DmLAMEczO9mHwFDNb+D16cAV6TzM=" # Matches ./secrets/wireguard-vpn-key.age
+port = 50000
+ipv4Address = "77.33.188.139" # This is technically dynamic. Should use DDNS.
+
 [hosts.muhammed]
 network = "rumpenettet"
 ipv4Address = "192.168.68.111"
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e81ff62..f66a2fb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -24,4 +24,5 @@ in {
 "mullvad-wg.key.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
 "wraaath-sftp-password.txt.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
 "linus.onl-github-secret.txt.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
+ "wireguard-vpn-key.age".publicKeys = [decodingKeys.ahmed] ++ interactiveKeys;
 }
diff --git a/secrets/wireguard-vpn-key.age b/secrets/wireguard-vpn-key.age
Binary files differ
new file mode 100644
index 0000000..9b8b231
--- /dev/null
+++ b/secrets/wireguard-vpn-key.age |
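Review bot: `ipv4Address` under `[hosts.ahmed.wireguard]` hardcodes a public address that the line's own comment admits "is technically dynamic", while the new module header in `hosts/ahmed/wireguard-vpn/default.nix` states the host "is guaranteed to have a static ip address"; one of those is wrong, and any client `Endpoint` generated from this literal will silently stop handshaking the day the ISP rotates the address, since there is nothing to re-resolve. Prefer recording a DDNS hostname here (a separate key such as `endpoint` or `hostname`, resolved when client configs are generated) and turning the comment into an actionable TODO, or at minimum document that this field must be updated by hand after every address change. The `pubkey` comment "Matches ./secrets/wireguard-vpn-key.age" is only true by discipline — nothing in the repo checks it, and a rotated private key would surface as a silent handshake failure — so state the command used to regenerate it, e.g. `# regenerate with: wg pubkey < <decrypted wireguard-vpn-key>`, so the two stay in sync.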