# This module sets up this server as a VPN exit node. We define a virtual
# private network on 10.100.0.0/16 to which all of our devices connect.
# Since this host is guaranteed to have a static IP address, all client
# traffic is routed through here and NATed out of the uplink interface.
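{
  pkgs,
  config,
  metadata,
  ...
}: let
  # wg0 on this host is already taken by the torrent tunnel, so the exit-node
  # tunnel lives on wg1.
  wireguardInterface = "wg1";
  # The physical uplink. Every rule that masquerades tunnel traffic must refer
  # to this name so that the manual iptables rules and networking.nat agree.
  externalInterface = "enp0s31f6";
  # The virtual network the clients live in; the server is .1 inside it.
  vpnSubnet = "10.100.0.0/16";
in {
  networking.wireguard.interfaces.${wireguardInterface} = {
    # Address of this host inside the VPN. The /16 is the "network" part and
    # matches vpnSubnet above.
    ips = ["10.100.0.1/16"];
    # UDP port WireGuard listens on. It must be reachable from the clients,
    # which is why it is opened in networking.firewall below.
    listenPort = metadata.hosts.ahmed.wireguard.port;
    # Masquerade tunnel traffic leaving through the uplink so this host acts
    # as an exit node. The rule used to be pinned to "eth0", which is not the
    # interface named in externalInterface, so the two NAT configurations in
    # this module disagreed; they now reference the same interface. Note that
    # networking.nat below already masquerades traffic from wg1, so these
    # hooks are a belt-and-braces duplicate rather than the only NAT rule.
    postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${vpnSubnet} -o ${externalInterface} -j MASQUERADE";
    postShutdown = "${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${vpnSubnet} -o ${externalInterface} -j MASQUERADE";
    # The private key is decrypted by agenix at activation time from the
    # secret declared below, so it never ends up in the world-readable Nix store.
    privateKeyFile = config.age.secrets.wireguard-vpn-key.path;
    # Each peer is pinned to a single /32. WireGuard's cryptokey routing drops
    # packets whose inner source address is outside the peer's allowedIPs, so
    # one client cannot spoof another client's tunnel address.
    # NOTE(review): no presharedKey is configured for either peer; adding one
    # per peer is an optional extra layer on top of the Curve25519 handshake.
    peers = [
      {
        # Muhammed
        publicKey = metadata.hosts.muhammed.wireguard.pubkey;
        allowedIPs = ["10.100.0.2/32"];
      }
      {
        # iPhone. A WireGuard public key is not secret, so inlining it is fine.
        publicKey = "/BCjhCe68dSoORo9XQvGsUKOos/h1xu3LaAJoHvn/yw=";
        allowedIPs = ["10.100.0.3/32"];
      }
    ];
  };
  # Open the WireGuard port to the world; every client has to reach it.
  # Nothing else is opened here, so the host only exposes the tunnel endpoint
  # plus whatever other modules allow.
  networking.firewall.allowedUDPPorts = [metadata.hosts.ahmed.wireguard.port];
  # The age-encrypted private key for this host's tunnel interface.
  age.secrets.wireguard-vpn-key.file = ../../../secrets/wireguard-keys/ahmed.age;
  # Forward packets arriving on the tunnel out of the uplink (not the LAN) and
  # source-NAT them to the uplink address, i.e. the actual exit-node function.
  networking.nat = {
    enable = true;
    inherit externalInterface;
    internalInterfaces = [wireguardInterface];
  };
  # Let tunnel clients use the local resolver. dnscache matches clients by
  # dotted IP prefix, so "10.100" is the prefix form of 10.100.0.0/16.
  services.dnscache.clientIps = ["10.100"];
}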