diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 0208703ee..a2acbb58a 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -97,6 +97,7 @@ in
 sane.vpn.wg-home = lib.mkIf cfg.routeThroughServo {
 id = 51;
 endpoint = config.sane.hosts.by-name."servo".wg-home.endpoint;
+ keepalive = true;
 publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
 addrV4 = cfg.ip;
 subnetV4 = "24";
diff --git a/modules/vpn.nix b/modules/vpn.nix
index 38d16d19f..088d95ad4 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -70,6 +70,14 @@ let
 e.g. "vpn.example.com:55280"
 '';
 };
+ keepalive = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ whether to send periodic packets to keep the NAT alive.
+ this should only be needed if you want to receive unprompted inbound packets.
+ '';
+ };
 publicKey = mkOption {
 type = types.str;
 description = ''
@@ -118,7 +126,7 @@ let
 priorityFwMark = config.id + 300;
 };
 });
- mkVpnConfig = name: { addrV4, dns, endpoint, fwmark, id, privateKeyFile, publicKey, subnetV4, ... }: {
+ mkVpnConfig = name: { addrV4, dns, endpoint, fwmark, id, keepalive, privateKeyFile, publicKey, subnetV4, ... }: {
 assertions = [
 {
 assertion = (lib.count (c: c.id == id) (builtins.attrValues cfg)) == 1;
@@ -136,14 +144,18 @@ let
 PrivateKeyFile = privateKeyFile;
 FirewallMark = fwmark;
 };
- wireguardPeers = [{
- AllowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- Endpoint = endpoint;
- PublicKey = publicKey;
- }];
+ wireguardPeers = [
+ ({
+ AllowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ Endpoint = endpoint;
+ PublicKey = publicKey;
+ } // lib.optionalAttrs keepalive {
+ PersistentKeepalive = 25;
+ })
+ ];
 };
 systemd.network.networks."50-${name}" = {
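Review bot: `keepalive = true;` is enabled unconditionally for every host that evaluates this module with `cfg.routeThroughServo` set, while the option's own description in the next hunk says keepalive should only be needed when the host must receive unprompted inbound packets. Unless every routed host is meant to be reachable from servo, this should be gated on a per-host flag such as `keepalive = cfg.acceptInbound;`, or the description should be amended to say why routed hosts always need it; as written each of them will send a packet to servo every 25 seconds even when idle, which is a small but permanent beacon of the host's current address (the interval is fixed in the later vpn.nix hunk). The enclosing `sane.vpn.wg-home` attrset closes outside the hunk.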
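Review bot: The `keepalive` option description should state the cost of turning it on and the interval it implies, since the peer config hard-codes `PersistentKeepalive = 25` in the last hunk and a reader of the option has no way to see that. I would replace the two description lines with `whether to send a keepalive packet to the peer every 25 seconds so the NAT/firewall mapping for the tunnel stays open.` and `only needed if this host must receive unprompted inbound packets from the peer; the cost is constant background traffic (battery on mobile) and a periodic beacon of this host's current address to the peer even while idle, so leave it off otherwise.` If the interval ever needs tuning per host, the option would be better typed as `types.nullOr types.ints.positive` with `null` meaning off, but that is a design choice rather than a defect. The enclosing option attrset continues past the hunk.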