Server: add wireguard

2023-07-14 15:24:33 +02:00 · 2023-07-14 15:24:33 +02:00 · 6a83942761
commit 6a83942761
parent 23c444cdd0
9 changed files with 121 additions and 0 deletions
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@ -12,5 +12,6 @@
 		./transmission.nix
 		./ddclient.nix
 		./beep.nix
+		./wireguard.nix
 	];
 }
--- a/roles/server/wireguard.nix
+++ b/roles/server/wireguard.nix
@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+	# Set up secrets
+	age.secrets = {
+		silverPrivate.file = ../../secrets/wg/silver/serverPriv;
+		silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
+		toastPrivate.file = ../../secrets/wg/toast/serverPriv;
+		toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
+	};
+	
+	networking = {
+		# You need NAT if you want to use wireguard as a VPN
+		nat = {
+			enable = true;
+			externalInterface = "eno1";
+			internalInterfaces = [ "wg-*" ];
+		};
+
+		# Allow the wireguard port though the firewall
+		firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
+
+		wireguard = {
+			enable = true;
+			interfaces = {
+				vpn-silver = {
+					/*
+					I see people normally use 10.0.X.X, but I already have the muscle memory of
+					typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3 
+					peers connected at once, so a type C IP is more than enough
+					*/
+					ips = [ "192.168.10.1/24" ];
+					listenPort = 51820;
+					privateKeyFile = config.age.secrets.silverPrivate.path;
+					postSetup = ''
+						${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+					'';
+					postShutdown = ''
+						${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
+					'';
+					peers = [
+						{
+							# Silver's phone
+							allowedIPs = [ "192.168.10.2" ];
+							publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
+							presharedKeyFile = config.age.secrets.silverPhonePsk.path;
+						}
+					];
+				};
+				vpn-toast = {
+					ips = [ "192.168.11.1/24" ];
+					listenPort = 51821;
+					privateKeyFile = config.age.secrets.toastPrivate.path;
+					postSetup = ''
+						${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+					'';
+					postShutdown = ''
+						${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
+					'';
+					peers = [
+						{
+							# My phone
+							allowedIPs = [ "192.168.11.2" ];
+							publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
+							presharedKeyFile = config.age.secrets.toastPhonePsk.path;
+						}
+					];
+				};
+				
+			};
+		};
+	};
+}