etheroute-lon01: GRE->Wireguard

Luke Granger-Brown 2023-07-15 12:09:18 +01:00
parent 1c4530988d
commit 551c4f27ad


@ -84,14 +84,8 @@
"8.8.8.8" "8.8.8.8"
"8.8.4.4" "8.8.4.4"
]; ];
defaultGateway = { defaultGateway.address = "103.141.25.49";
address = "103.141.25.49"; defaultGateway6.address = "2a07:242:800:64::1";
interface = "eno1";
};
defaultGateway6 = {
address = "2a07:242:800:64::1";
interface = "eno1";
};
interfaces.eno1 = { interfaces.eno1 = {
ipv4.addresses = [{ address = "103.141.25.50"; prefixLength = 30; }]; ipv4.addresses = [{ address = "103.141.25.50"; prefixLength = 30; }];
ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }]; ipv6.addresses = [{ address = "2a07:242:800:64::68"; prefixLength = 64; }];
@ -101,6 +95,7 @@
# virtual = true; # virtual = true;
#}; #};
firewall.allowedTCPPorts = [ 80 443 ]; firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 51820 ];
firewall.extraCommands = '' firewall.extraCommands = ''
# Flush old rules. # Flush old rules.
ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true ip46tables -D FORWARD -j lukegb-forward 2>/dev/null || true
@ -118,8 +113,8 @@
ip46tables -N lukegb-forward ip46tables -N lukegb-forward
# Accept from "trusted" quadv1-4 interface # Accept from "trusted" quadv1 interface
ip46tables -A lukegb-forward -i quadv1-4 -j lukegb-fwd-accept ip46tables -A lukegb-forward -i quadv1 -j lukegb-fwd-accept
# Accept from established/related connections. # Accept from established/related connections.
ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
@ -132,6 +127,37 @@
my.ip.tailscale = "100.99.227.112"; my.ip.tailscale = "100.99.227.112";
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6263:e370"; my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6263:e370";
systemd.network.netdevs.quadv1 = {
netdevConfig = {
Name = "quadv1";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = pkgs.writeText "etheroute-lon01-quadv" depot.ops.secrets.wireguard.quadv1.lukegb.privateKey;
ListenPort = 51820;
RouteTable = "off";
};
wireguardPeers = [{
wireguardPeerConfig = {
PublicKey = depot.ops.secrets.wireguard.quadv1.quadv.publicKey;
AllowedIPs = "0.0.0.0/0,::/0";
};
}];
};
systemd.network.networks.quadv1 = {
matchConfig.Name = "quadv1";
networkConfig.Address = "169.254.111.0/31";
routes = [{
routeConfig = {
Gateway = "169.254.111.1";
Destination = "92.118.31.0/24";
};
}];
};
services.openssh.hostKeys = [ services.openssh.hostKeys = [
{ {
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "/persist/etc/ssh/ssh_host_ed25519_key";