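{ config, pkgs, ... }:

let
  # Single source of truth for the upstream interface.  It is used both by
  # networking.nat.externalInterface and by the per-tunnel MASQUERADE rules
  # below, so keeping it in one place stops the two from drifting apart.
  externalIface = "eno1";

  # Build one WireGuard server interface.
  #   subnet:           third octet of the 192.168.<subnet>.0/24 tunnel network;
  #                     the server takes .1 and the single peer .2
  #   port:             UDP listen port (opened in the firewall below)
  #   privateKeySecret: name of the age secret holding the server private key
  #   peer.publicKey:   the client's WireGuard public key
  #   peer.pskSecret:   name of the age secret holding the client's pre-shared key
  mkTunnel = { subnet, port, privateKeySecret, peer }:
    let
      prefix = "192.168.${toString subnet}";
      iptables = "${pkgs.iptables}/bin/iptables";
      # "-w" makes iptables wait for the xtables lock instead of failing when
      # another rule load (e.g. a firewall reload) is running at the moment the
      # interface comes up or goes down.
      masquerade = action:
        "${iptables} -w -t nat ${action} POSTROUTING -s ${prefix}.0/24 -o ${externalIface} -j MASQUERADE";
    in {
      ips = [ "${prefix}.1/24" ];
      listenPort = port;
      # Read at runtime from the agenix-decrypted file, so the private key never
      # ends up in the world-readable Nix store.
      privateKeyFile = config.age.secrets.${privateKeySecret}.path;
      postSetup = masquerade "-A";
      postShutdown = masquerade "-D";
      peers = [
        {
          # A single host address: this peer may only source traffic from it,
          # and only traffic for it is routed into the tunnel (cryptokey routing).
          allowedIPs = [ "${prefix}.2" ];
          publicKey = peer.publicKey;
          # Additional symmetric pre-shared key layered on top of the handshake.
          presharedKeyFile = config.age.secrets.${peer.pskSecret}.path;
        }
      ];
    };
in
{
  # Secrets are decrypted by agenix at activation time; the configuration only
  # ever references their runtime paths.
  age.secrets = {
    silverPrivate.file = ../../secrets/wg/silver/serverPriv;
    silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
    toastPrivate.file = ../../secrets/wg/toast/serverPriv;
    toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
  };

  networking = {
    # You need NAT if you want to use wireguard as a VPN (this also enables IP
    # forwarding on the host).
    nat = {
      enable = true;
      externalInterface = externalIface;
      # These must be the real tunnel interface names.  The previous "wg-*"
      # pattern matched neither vpn-silver nor vpn-toast, so the NixOS NAT rules
      # never applied and only the manual MASQUERADE rules in postSetup did any
      # work.  The manual rules are kept as the explicit, visible path.
      internalInterfaces = [ "vpn-silver" "vpn-toast" ];
    };

    # Allow the wireguard ports through the firewall.
    firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [
      vpn-silver.listenPort
      vpn-toast.listenPort
    ];

    wireguard = {
      enable = true;
      interfaces = {
        /* I see people normally use 10.0.X.X, but I already have the muscle
           memory of typing 192.168.X.X so I went with this one. Plus I'm only
           going to have 2-3 peers connected at once, so a class C network is
           more than enough. */
        vpn-silver = mkTunnel {
          subnet = 10;
          port = 51820;
          privateKeySecret = "silverPrivate";
          peer = {
            # Silver's phone
            publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
            pskSecret = "silverPhonePsk";
          };
        };
        vpn-toast = mkTunnel {
          subnet = 11;
          port = 51821;
          privateKeySecret = "toastPrivate";
          peer = {
            # My phone
            publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
            pskSecret = "toastPhonePsk";
          };
        };
      };
    };
  };
}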