colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

vpn: add a service to auto-refresh wireguard endpoints

Browse Source
This commit is contained in:
Colin
2024-07-05 20:06:16 +00:00
parent a31f67b793
commit 6d66a5dbf8
1 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
modules/vpn.nix
View File

@@ -1,14 +1,16 @@
# debugging:
# - `journalctl -u systemd-networkd`
# - `networkctl --help`
#
# docs:
# - wireguard (nixos): <https://nixos.wiki/wiki/WireGuard#Setting_up_WireGuard_with_systemd-networkd>
# - wireguard (arch): <https://wiki.archlinux.org/title/WireGuard>
#
# to route all internet traffic through a VPN endpoint, run `systemctl start vpn-${vpnName}`
# to route all internet traffic through a VPN endpoint, run `sane-vpn up ${vpnName}`
# to route an application's traffic through a VPN: `sane-vpn do ${vpnName} ${command[@]}`
# to show the routing table: `ip rule`
# to show the NAT rules used for bridging: `sudo iptables -t nat --list-rules -v`
# to force a peer address change (e.g. DNS change): `wg set "${interface}" peer "${publicKey}" endpoint "${endpoint}"`
#
# the rough idea here is:
# 1. each VPN has an IP address: if we originate a packet, and the source address is the VPN's address, then it gets routed over the VPN trivially.
@@ -179,6 +181,23 @@ let
# but i couldn't get that to work for netns with SNAT, so set rpfilter to "loose".
networking.firewall.checkReversePath = "loose";
systemd.services."${name}-refresh" = {
# periodically re-apply peers, to ensure DNS mappings stay fresh
# borrowed from <repo:nixos/nixpkgs:nixos/modules/services/networking/wireguard.nix>
wantedBy = [ "network.target" ];
path = with pkgs; [ wireguard-tools ];
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "60"; #< retry delay when we fail (because e.g. there's no network)
serviceConfig.Type = "simple";
unitConfig.StartLimitIntervalSec = 0;
script = ''
while wg set ${name} peer ${publicKey} endpoint ${endpoint}; do
# in the normal case that DNS resolves, and whatnot, sleep before the next attempt
sleep 180
done
'';
};
# networking.firewall.extraCommands = with pkgs; ''
# # wireguard packet marking. without this, rpfilter drops responses from a wireguard VPN
# # because the "reverse path check" fails (i.e. it thinks a response to the packet would go out via a different interface than what the wireguard packet arrived at).