Toast/nix-stuff
1
0
Fork 0
Code Issues Pull requests Projects 1 Wiki Activity
nix-stuff/roles/server/wireguard.nix
Toast 6a83942761 Server: add wireguard
2023-07-14 15:24:33 +02:00

73 lines
2.2 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
# Set up secrets
age.secrets = {
silverPrivate.file = ../../secrets/wg/silver/serverPriv;
silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
toastPrivate.file = ../../secrets/wg/toast/serverPriv;
toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
};
networking = {
# You need NAT if you want to use wireguard as a VPN
nat = {
enable = true;
externalInterface = "eno1";
internalInterfaces = [ "wg-*" ];
};
# Allow the wireguard port though the firewall
firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
wireguard = {
enable = true;
interfaces = {
vpn-silver = {
/*
I see people normally use 10.0.X.X, but I already have the muscle memory of
typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3
peers connected at once, so a type C IP is more than enough
*/
ips = [ "192.168.10.1/24" ];
listenPort = 51820;
privateKeyFile = config.age.secrets.silverPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# Silver's phone
allowedIPs = [ "192.168.10.2" ];
publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
presharedKeyFile = config.age.secrets.silverPhonePsk.path;
}
];
};
vpn-toast = {
ips = [ "192.168.11.1/24" ];
listenPort = 51821;
privateKeyFile = config.age.secrets.toastPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# My phone
allowedIPs = [ "192.168.11.2" ];
publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
presharedKeyFile = config.age.secrets.toastPhonePsk.path;
}
];
};
};
};
};
}
Reference in a new issue View git blame Copy permalink