nixos/l2mesh: Add option to enable UDP encapsulation

2024-03-23 12:04:07 +00:00 · 2024-03-23 12:04:07 +00:00 · 682865a0e1
commit 682865a0e1
parent a0e4cf2479
3 changed files with 10 additions and 3 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -9,6 +9,7 @@ in
    vpns = {
      l2 = {
        as211024 = {
+          udpEncapsulation = true;
          vni = 211024;
          security.enable = true;
          peers = {
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -135,6 +135,7 @@ let
      ipv6 = mkBoolOpt' false "Whether this mesh's underlay operates over IPv6.";
      baseMTU = mkOpt' ints.unsigned 1500 "Base MTU to calculate VXLAN MTU with.";
      l3Overhead = mkOpt' ints.unsigned 40 "Overhead of L3 header (to calculate MTU).";
+      udpEncapsulation = mkBoolOpt' false "Whether to encapsulate ESP frames in UDP.";
      firewall = mkBoolOpt' true "Whether to generate firewall rules.";
      vni = mkOpt' ints.unsigned 1 "VXLAN VNI.";
      peers = mkOpt' (attrsOf (submodule l2PeerOpts)) { } "Peers.";
--- a/nixos/modules/l2mesh.nix
+++ b/nixos/modules/l2mesh.nix
@ -36,8 +36,8 @@ let
        espOverhead =
          if (!mesh.security.enable) then 0
          else
-            # SPI + seq + IV + pad / header + ICV
-            4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
+            # UDP encap + SPI + seq + IV + pad / header + ICV
+            (if mesh.udpEncapsulation then 8 else 0) + 4 + 4 + (if mesh.security.encrypt then 8 else 0) + 2 + 16;
        # UDP + VXLAN + Ethernet + L3 (IPv4/IPv6)
        overhead = espOverhead + 8 + 8 + 14 + mesh.l3Overhead;
      in
@ -62,7 +62,11 @@ let
      chain l2mesh-${name} {
        ${optionalString mesh.security.enable ''
          udp dport isakmp accept
-          meta l4proto esp accept
+          ${if mesh.udpEncapsulation then ''
+            udp dport ipsec-nat-t accept
+          '' else ''
+            meta l4proto esp accept
+          ''}
        ''}
        ${optionalString (!mesh.security.enable) (vxlanAllow mesh.vni)}
        return
@ -94,6 +98,7 @@ let
          esp=${if mesh.security.encrypt then "aes_gcm256" else "null-sha256"}
          ikev2=yes
          modecfgpull=no
+          encapsulation=${if mesh.udpEncapsulation then "yes" else "no"}
        '';
      })
    otherPeers);