From 72b8bd089c6fd8d05183c1adc402f308aee1e7c2 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Wed, 22 Jan 2025 19:19:03 +0000 Subject: [PATCH] nixos/uk: Add WireGuard VPN for access --- lib/constants.nix | 9 ++++++ nixos/boxes/britnet.nix | 56 ++++++++++++++++++++++++++++++++++++-- secrets/britnet/wg.key.age | 13 +++++++++ 3 files changed, 75 insertions(+), 3 deletions(-) create mode 100644 secrets/britnet/wg.key.age diff --git a/lib/constants.nix b/lib/constants.nix index e9c046d..0feb28e 100644 --- a/lib/constants.nix +++ b/lib/constants.nix @@ -337,6 +337,15 @@ rec { britnet = { domain = "bhx1.int.${pubDomain}"; pubV4 = "77.74.199.67"; + vpn = { + port = 51820; + }; + prefixes = with lib.my.net.cidr; rec { + vpn = { + v4 = "10.200.0.0/24"; + v6 = "fdfb:5ebf:6e84::/64"; + }; + }; }; tailscale = { diff --git a/nixos/boxes/britnet.nix b/nixos/boxes/britnet.nix index 1f03455..22e3df9 100644 --- a/nixos/boxes/britnet.nix +++ b/nixos/boxes/britnet.nix @@ -2,7 +2,7 @@ let inherit (lib.my) net; inherit (lib.my.c) pubDomain; - inherit (lib.my.c.britnet) domain pubV4; + inherit (lib.my.c.britnet) domain pubV4 prefixes; in { nixos.systems.britnet = { @@ -22,6 +22,13 @@ in gateway = "2a12:ab46:5344::1"; }; }; + vpn = { + ipv4 = { + address = net.cidr.host 1 prefixes.vpn.v4; + gateway = null; + }; + ipv6.address = net.cidr.host 1 prefixes.vpn.v6; + }; }; configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: @@ -65,6 +72,12 @@ in }; }; + environment = { + systemPackages = with pkgs; [ + wireguard-tools + ]; + }; + services = { iperf3 = { enable = true; 
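Review bot: In the `prefixes` block of the constants hunk, neither `with lib.my.net.cidr;` nor `rec` is used — `v4` and `v6` are plain string literals that call no cidr helper and reference no sibling attribute. If this was copied from other host entries in the file that do derive subnets, `prefixes = { vpn = { ... }; };` reads more honestly here, or a one-line comment such as `# with/rec kept for parity with the other host entries` would explain why the wrapper is retained. The enclosing `rec { ... }` attribute set begins and ends outside the hunk.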
@@ -89,6 +102,28 @@ in networking = { inherit domain; }; systemd.network = { + netdevs = { + "30-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets."britnet/wg.key".path; + ListenPort = lib.my.c.britnet.vpn.port; + }; + wireguardPeers = [ + { + PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE="; + AllowedIPs = [ + (net.cidr.host 10 prefixes.vpn.v4) + (net.cidr.host 10 prefixes.vpn.v6) + ]; + } + ]; + }; + }; + links = { "10-veth0" = { matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a"; @@ -110,6 +145,12 @@ in ]; } ]; + "30-wg0" = mkMerge [ + (networkdAssignment "wg0" assignments.vpn) + { + networkConfig.IPv6AcceptRA = mkForce false; + } + ]; }; }; @@ -119,16 +160,25 @@ in key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O"; files = { "tailscale-auth.key" = {}; + "britnet/wg.key" = { + owner = "systemd-network"; + }; }; }; firewall = { + udp.allowed = [ lib.my.c.britnet.vpn.port ]; trustedInterfaces = [ "tailscale0" ]; extraRules = '' + table inet filter { + chain forward { + iifname wg0 oifname veth0 accept + } + } table inet nat { chain postrouting { - iifname tailscale0 oifname veth0 snat ip to ${assignments.allhost.ipv4.address} - iifname tailscale0 oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address} + iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address} + iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address} } } ''; diff --git a/secrets/britnet/wg.key.age b/secrets/britnet/wg.key.age new file mode 100644 index 0000000..5256c81 --- /dev/null +++ b/secrets/britnet/wg.key.age 
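Review bot: The single `wireguardPeers` entry carries a bare `PublicKey` with nothing saying which device or person holds the matching private key, which makes later rotation or revocation of that key guesswork. A one-line comment above the entry, e.g. `# <peer device/owner> — update PublicKey and AllowedIPs when this key is rotated` (placeholder in angle brackets), ties the key to its holder; `PresharedKeyFile` is optional extra hardening that could be noted as a follow-up but is not needed for the change to work. The `systemd.network` attribute set continues past the end of the hunk.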
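Review bot: The new `inet filter` forward rule accepts only `wg0 -> veth0`; replies from `veth0` back to `wg0` are accepted only if the base forward chain, defined outside this hunk, already carries an established/related conntrack rule, which cannot be confirmed from the diff. If it does not, the VPN forwards packets out but drops the answers; pairing the rule with `iifname veth0 oifname wg0 ct state established,related accept` makes the hunk self-contained either way. Note also that `udp.allowed` opens `vpn.port` on every interface, including the public `pubV4` address, which is presumably intended for a roaming client. The `firewall` attribute set closes outside the hunk.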
@@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHNqUFR5ZyBVVkI0 +dE5YN1pJWExzLzltcmhna2tJUmdRNjZ1Y1hwbzdtRE0wa2hReTNBCk4ydmNFK0FF +b0RUdVl3a3d4amhKSEVhZWZPeHZDenBiTXpkVVFiNXFXNGsKLT4gWDI1NTE5IG9i +K0ZrNEc5SVlyWU1EbXdlbWppRG1DdjFRbTBCREY2OUxrMmVqNHhSazQKVnRaVmVn +MFBRL1dWeFNOaEwyU2szb1lOVzF1enQwdmVZZWRJcHd5MHdFbwotPiB2Wy1gUV8/ +LWdyZWFzZSBdSDFebHsgKkBkVzl+KnggJTEKdlhrdzVpMHYxUUliQnhaYXNaVWNR +S3NxbjhFMEFGamZkRU1RNURhcmwzOGxFbGxXelhOdDBWTHBSY1hBcGFtUwpkampi +WnhzMDcxTk1seWZ6VURZb1l1QU1GdwotLS0gRFNpcXpDUFZLTXFJN3Z0bEJQd280 +WGROWUVvdSt3ZUdBbmRNcGFhRE9BWQoDDlPEY/t2eapa4Xbv8FcW6gdLzQn7Y2cH +5UwD+0CTF3JdUpxWUIx9RWFleHekkt8j1+2/oO+m7+24yCg5mdqTJ3ZIwu9uk1eI +0As8IA== +-----END AGE ENCRYPTED FILE-----