From 8d0deffd61b6247ba46557ea53a7a3444e25512f Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 2 May 2022 08:23:09 +0000
Subject: [PATCH] net conf: add OVPN wireguard netns
i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers)
---
 net-configuration.nix | 108 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 104 insertions(+), 4 deletions(-)
diff --git a/net-configuration.nix b/net-configuration.nix
index 52ec2771..4e7d0ae9 100644
--- a/net-configuration.nix
+++ b/net-configuration.nix
@@ -3,8 +3,108 @@
 {
 networking.domain = "uninsane.org";
- # networking.firewall.enable = false;
- networking.firewall.allowedTCPPorts = [ 25 80 443 ];
- # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
- networking.firewall.allowedUDPPorts = [ 1900 7359 ];
+ # TODO: enable firewall
+ networking.firewall.enable = false;
+ # networking.firewall.allowedTCPPorts = [ 25 80 443 ];
+ # # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
+ # networking.firewall.allowedUDPPorts = [ 1900 7359 ];
+
+ # OVPN CONFIG:
+ # DOCS: https://nixos.wiki/wiki/WireGuard
+ # note: this WORKS. i believe it routes ALL (most??) outbound traffic over wg (but still accepts inbound on eth0??)
+ # TODO: add wg0 as an interface, and selectively route applications over it.
+ # try: https://mth.st/blog/nixos-wireguard-netns/
+ # networking.wg-quick.interfaces.wg0 = {
+ # privateKeyFile = "/etc/nixos/wireguard.private";
+ # address = [
+ # "185.157.162.190/32"
+ # ];
+ # dns = [
+ # "46.227.67.134"
+ # "192.165.9.158"
+ # ];
+ # peers = [
+ # {
+ # publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";
+ # endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";
+ # allowedIPs = [ "0.0.0.0/0" ];
+ # # nixOS says this is important for keeping NATs active
+ # persistentKeepalive = 25;
+ # }
+ # ];
+ # };
+ # note: without the namespace, you'll need to add a specific route through eth0 for the peer (185.157.162.7/32)
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces.wg0 = {
+ privateKeyFile = "/etc/nixos/wireguard.private";
+ # listenPort = 51820; # shouldn't be necessary
+ interfaceNamespace = "ovpns";
+ preSetup = "${pkgs.iproute2}/bin/ip netns add ovpns || true";
+ postShutdown = "${pkgs.iproute2}/bin/ip netns delete ovpns";
+ ips = [
+ "185.157.162.190/32"
+ ];
+ peers = [
+ {
+ publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";
+ endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";
+ # TODO: switch back to 0.0.0.0/0?
+ # allowedIPs = [ "0.0.0.0/0" ];
+ allowedIPs = [
+ "0.0.0.0/1"
+ "128.0.0.0/1"
+ ];
+ # nixOS says this is important for keeping NATs active
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+
+ # HURRICANE ELECTRIC CONFIG:
+ # networking.sits = {
+ # hurricane = {
+ # remote = "216.218.226.238";
+ # local = "192.168.0.5";
+ # # local = "10.0.0.5";
+ # # remote = "10.0.0.1";
+ # # local = "10.0.0.22";
+ # dev = "eth0";
+ # ttl = 255;
+ # };
+ # };
+ # networking.interfaces."hurricane".ipv6 = {
+ # addresses = [
+ # # mx.uninsane.org (publically routed /64)
+ # {
+ # address = "2001:470:b:465::1";
+ # prefixLength = 128;
+ # }
+ # # client addr
+ # # {
+ # # address = "2001:470:a:466::2";
+ # # prefixLength = 64;
+ # # }
+ # # HW addr?
+ # # {
+ # # address = "fe80::c0a8:16";
+ # # prefixLength = 64;
+ # # }
+ # ];
+ # routes = [
+ # {
+ # address = "::";
+ # prefixLength = 0;
+ # # via = "2001:470:a:466::1";
+ # }
+ # ];
+ # };
+
+ # # after configuration, we want the hurricane device to look like this:
+ # # hurricane: flags=209 mtu 1480
+ # # inet6 2001:470:a:450::2 prefixlen 64 scopeid 0x0
+ # # inet6 fe80::c0a8:16 prefixlen 64 scopeid 0x20
+ # # sit txqueuelen 1000 (IPv6-in-IPv4)
+ # # test with:
+ # # curl --interface hurricane http://[2607:f8b0:400a:80b::2004]
+ # # ping 2607:f8b0:400a:80b::2004
 }
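Review bot: Disabling the host firewall outright (`networking.firewall.enable = false;` with the `allowedTCPPorts`/`allowedUDPPorts` lists commented out) exposes every listening service on eth0, which is a far larger change than the WireGuard namespace needs; the `ovpns` namespace has its own netfilter tables, so the host firewall is presumably not what was interfering with wg0. I would keep the previous three lines, `networking.firewall.enable = true;` / `networking.firewall.allowedTCPPorts = [ 25 80 443 ];` / `networking.firewall.allowedUDPPorts = [ 1900 7359 ];`, and record in the TODO what specifically failed with the firewall on so the exception can be scoped instead of global. Separately, the `|| true` in `preSetup` masks every failure of `ip netns add ovpns`, not only the already-exists case, so a namespace that could not be created proceeds silently into interface setup; tolerating only the pre-existing namespace (for example by checking for it first) would keep the unit failing loudly. The large commented-out `wg-quick` and Hurricane Electric blocks are dead configuration that the live config has to be read around; a one-line comment pointing at where they are kept (or at the commit that removed them) would serve better than carrying them inline.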