summaryrefslogtreecommitdiff
path: root/hosts/ahmed/wireguard-vpn/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/ahmed/wireguard-vpn/default.nix')
-rw-r--r--hosts/ahmed/wireguard-vpn/default.nix53
1 files changed, 53 insertions, 0 deletions
diff --git a/hosts/ahmed/wireguard-vpn/default.nix b/hosts/ahmed/wireguard-vpn/default.nix
new file mode 100644
index 0000000..e419b31
--- /dev/null
+++ b/hosts/ahmed/wireguard-vpn/default.nix
@@ -0,0 +1,53 @@
+# This module sets up thi sserver as a VPN exit node. We define a virtual
+# private network on 10.100.0.0/16 which all the devices are connected to.
+# Since this host is guaranteed to have a static ip address, all trafic is
+# routed through here.
+{
+ pkgs,
+ config,
+ metadata,
+ ...
+}: let
+ wireguardInterface = "wg1"; # wg0 is used for torrenting.
+
+ externalInterface = "enp0s31f6";
+in {
+ networking.wireguard.interfaces.${wireguardInterface} = {
+ # This is "network" part of VPN. Also defines the IP of this host within that virtual network.
+ ips = ["10.100.0.1/16"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = metadata.hosts.ahmed.wireguard.port;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o eth0 -j MASQUERADE";
+ postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/16 -o eth0 -j MASQUERADE";
+
+ privateKeyFile = config.age.secrets.wireguard-vpn-key.path;
+
+ peers = [
+ {
+ # Muhammed
+ publicKey = "l0HoOpGEkyxG3dTsJ3+zNItD6bQEkzymGvcsMLFOdmA=";
+ allowedIPs = ["10.100.0.2/32"];
+ }
+ ];
+ };
+
+ # Allow connections to the wireguard server. All clients need to connect to
+ # this port.
+ networking.firewall.allowedUDPPorts = [metadata.hosts.ahmed.wireguard.port];
+
+ # Get the private keys.
+ age.secrets.wireguard-vpn-key.file = ../../../secrets/wireguard-vpn-key.age;
+
+ # Forward packets from wireguard onto the LAN while also doing address translation.
+ networking.nat = {
+ enable = true;
+ inherit externalInterface;
+ internalInterfaces = [wireguardInterface];
+ };
+
+ # Allow DNS from Wireguard.
+ services.dnscache.clientIps = ["10.100"];
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-07 20:33:21 +0000