servo: hardcode the doof/ovpns listen ports, and forward them through the NAT

2024-11-25 18:07:37 +00:00
parent 3ed0ff6611
commit 6be6c08e7c
3 changed files with 19 additions and 0 deletions


@@ -10,6 +10,7 @@
veth.initns.ipv4 = "10.0.2.5";
veth.netns.ipv4 = "10.0.2.6";
routeTable = 12;
wg.port = 51821;
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
wg.address.ipv4 = "205.201.63.12";
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";


@@ -10,6 +10,7 @@
veth.netns.ipv4 = "10.0.1.6";
routeTable = 11;
dns.ipv4 = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
wg.port = 51822;
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
wg.address.ipv4 = "185.157.162.178";
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";


@@ -30,6 +30,9 @@ let
each netns gets its own routing table so that i can route a packet out by placing it in the table.
'';
};
wg.port = mkOption {
type = types.port;
};
wg.privateKeyFile = mkOption {
type = types.path;
};
@@ -175,6 +178,11 @@ let
serviceConfig.RestartSteps = 9; # roughly: 10s, 30s, 50s, ... 180s, then keep the 180s retry
script = ''
${ip} link add wg-${name} type wireguard
# listen on a public port. the other end of the tunnel doesn't send keepalives
# so i *hope* setting to a fixed port, which is opened in `sane.ports.ports`, make the tunnel more robust
${wg'} set wg-${name} listen-port ${builtins.toString wg.port}
# resolve the endpoint *now*, from a namespace which can do DNS lookups, before moving it into its destination netns
# at this point, our wg device can neither send nor receive traffic, because we haven't given it a private key.
# hence, it's 100% safe to configure peers even inside the root ns at this point.
@@ -210,6 +218,14 @@ let
];
};
sane.ports.ports."${builtins.toString wg.port}" = {
protocol = [ "udp" ];
visibleTo.lan = true;
visibleTo.wan = true;
# visibleTo.doof = true;
description = "colin-wireguard-${name}";
};
# for some reason network-pre doesn't actually get run before network.target by default??
systemd.targets.network-pre.wantedBy = [ "network.target" ];
systemd.targets.network-pre.before = [ "network.target" ];
@@ -263,6 +279,7 @@ in
networking.localCommands = f.networking.localCommands;
networking.iproute2.rttablesExtraConfig = f.networking.iproute2.rttablesExtraConfig;
networking.iproute2.enable = f.networking.iproute2.enable;
sane.ports.ports = f.sane.ports.ports;
systemd.services = f.systemd.services;
systemd.targets = f.systemd.targets;
};
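Review bot: The new `wg.port` option in the `@@ -30,6 +30,9 @@` hunk has no `description`, unlike its sibling `routeTable` a few lines above, and the later hunk `@@ -210,6 +218,14 @@` uses its value as the attribute key `sane.ports.ports."${builtins.toString wg.port}"`, so two netns definitions that pick the same port would presumably collide in the module merge rather than fail with a clear message. I would document both facts on the option: `description = ''UDP port the WireGuard interface listens on. Must be unique across netns definitions, because it is also the key under which the port is opened in sane.ports.ports.'';`. In the same `@@ -210` hunk the port is opened with `visibleTo.lan = true;` and `visibleTo.wan = true;` while `# visibleTo.doof = true;` is left as a commented-out line; either drop it or add a one-line comment saying why it is disabled. The enclosing `let` body of these hunks starts and ends outside the diff.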