net conf: add OVPN wireguard netns

i'll be migrating the postfix install to use this net namespace
so that IPv4-only mailservers have a port25-unblocked IP to contact
(HurricaneElectric gives a port-25 IPv6 /64 block for free, but
Zoho won't send mail to it. gmail does. didn't test other providers)
Colin 2022-05-02 08:23:09 +00:00
parent a976c0db3e
commit 8d0deffd61


@ -3,8 +3,108 @@
{
networking.domain = "uninsane.org";
# networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [ 25 80 443 ];
# DLNA ports: https://jellyfin.org/docs/general/networking/index.html
networking.firewall.allowedUDPPorts = [ 1900 7359 ];
# TODO: enable firewall
networking.firewall.enable = false;
# networking.firewall.allowedTCPPorts = [ 25 80 443 ];
# # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
# networking.firewall.allowedUDPPorts = [ 1900 7359 ];
# OVPN CONFIG:
# DOCS: https://nixos.wiki/wiki/WireGuard
# note: this WORKS. i believe it routes ALL (most??) outbound traffic over wg (but still accepts inbound on eth0??)
# TODO: add wg0 as an interface, and selectively route applications over it.
# try: https://mth.st/blog/nixos-wireguard-netns/
# networking.wg-quick.interfaces.wg0 = {
# privateKeyFile = "/etc/nixos/wireguard.private";
# address = [
# "185.157.162.190/32"
# ];
# dns = [
# "46.227.67.134"
# "192.165.9.158"
# ];
# peers = [
# {
# publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";
# endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";
# allowedIPs = [ "0.0.0.0/0" ];
# # nixOS says this is important for keeping NATs active
# persistentKeepalive = 25;
# }
# ];
# };
# note: without the namespace, you'll need to add a specific route through eth0 for the peer (185.157.162.7/32)
networking.wireguard.enable = true;
networking.wireguard.interfaces.wg0 = {
privateKeyFile = "/etc/nixos/wireguard.private";
# listenPort = 51820; # shouldn't be necessary
interfaceNamespace = "ovpns";
preSetup = "${pkgs.iproute2}/bin/ip netns add ovpns || true";
postShutdown = "${pkgs.iproute2}/bin/ip netns delete ovpns";
ips = [
"185.157.162.190/32"
];
peers = [
{
publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";
endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";
# TODO: switch back to 0.0.0.0/0?
# allowedIPs = [ "0.0.0.0/0" ];
allowedIPs = [
"0.0.0.0/1"
"128.0.0.0/1"
];
# nixOS says this is important for keeping NATs active
persistentKeepalive = 25;
}
];
};
# HURRICANE ELECTRIC CONFIG:
# networking.sits = {
# hurricane = {
# remote = "216.218.226.238";
# local = "192.168.0.5";
# # local = "10.0.0.5";
# # remote = "10.0.0.1";
# # local = "10.0.0.22";
# dev = "eth0";
# ttl = 255;
# };
# };
# networking.interfaces."hurricane".ipv6 = {
# addresses = [
# # mx.uninsane.org (publically routed /64)
# {
# address = "2001:470:b:465::1";
# prefixLength = 128;
# }
# # client addr
# # {
# # address = "2001:470:a:466::2";
# # prefixLength = 64;
# # }
# # HW addr?
# # {
# # address = "fe80::c0a8:16";
# # prefixLength = 64;
# # }
# ];
# routes = [
# {
# address = "::";
# prefixLength = 0;
# # via = "2001:470:a:466::1";
# }
# ];
# };
# # after configuration, we want the hurricane device to look like this:
# # hurricane: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1480
# # inet6 2001:470:a:450::2 prefixlen 64 scopeid 0x0<global>
# # inet6 fe80::c0a8:16 prefixlen 64 scopeid 0x20<link>
# # sit txqueuelen 1000 (IPv6-in-IPv4)
# # test with:
# # curl --interface hurricane http://[2607:f8b0:400a:80b::2004]
# # ping 2607:f8b0:400a:80b::2004
}
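Review bot: The new side switches the host firewall off outright at `networking.firewall.enable = false;` (under the "TODO: enable firewall" comment) and comments out the previous allowedTCPPorts/allowedUDPPorts lines, so every service listening on eth0 is now reachable, and nothing in the WireGuard/netns part of the hunk appears to require that. I'd keep the earlier three lines live (`networking.firewall.enable = true;`, `networking.firewall.allowedTCPPorts = [ 25 80 443 ];`, `networking.firewall.allowedUDPPorts = [ 1900 7359 ];`) and, if wg0 setup really does conflict with the firewall, record the actual failure in the TODO rather than disabling it. As far as I know the NixOS firewall rules are installed only in the root namespace, so whatever is later bound inside `ovpns` (the postfix migration from the description) gets no filtering on the 185.157.162.190 address unless rules are added in that namespace; a comment such as `# NOTE: host firewall does not apply inside ovpns; services bound here are exposed on the VPN address` next to `interfaceNamespace = "ovpns";` would make that explicit. The split `"0.0.0.0/1"`/`"128.0.0.0/1"` allowedIPs is the wg-quick workaround for overriding a root-namespace default route; with the interface in its own namespace a plain `"0.0.0.0/0"` should suffice, which would resolve the TODO above it. The key at `/etc/nixos/wireguard.private` should be root-only (mode 0600) and kept out of any checked-in tree, since /etc/nixos is commonly world-readable — cannot confirm its permissions from this hunk.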