diff --git a/atauno/configuration.nix b/atauno/configuration.nix index a6d6d49..5437d77 100644 --- a/atauno/configuration.nix +++ b/atauno/configuration.nix 
@@ -102,6 +102,59 @@ # Or disable the firewall altogether. networking.firewall.enable = false; + # enable NAT + networking.nat.enable = true; + networking.nat.externalInterface = "enp42s0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = [ "10.100.0.1/24" ]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51820; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/home/alex/wireguard-keys/private"; + + peers = [ + # List of allowed peers. + { + # Feel free to give a meaning full name + # Public key of the peer (not a file path). + publicKey = "KVViY+Bgu7PoBeS+rthcyQVQB03IdolxDzc5ZwsdNnM="; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.100.0.2/32" ]; + } + { + # John Doe + publicKey = "{john doe's public key}"; + allowedIPs = [ "10.100.0.3/32" ]; + } + ]; + }; + }; + # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). 
This is useful in case you # accidentally delete configuration.nix. diff --git a/nixos76/system/configuration.nix b/nixos76/system/configuration.nix index ca38be0..5f84c18 100644 --- a/nixos76/system/configuration.nix +++ b/nixos76/system/configuration.nix 
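Review bot: The manual masquerade in `postSetup`/`postShutdown` is written against `-o eth0`, while `networking.nat.externalInterface` a few lines above names `"enp42s0"`; on a host using predictable interface names the iptables rule matches nothing, and `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs the MASQUERADE rule for that subnet, so both hooks can be dropped rather than corrected. The second peer's `publicKey = "{john doe's public key}"` is not a valid key and will be rejected by `wg` when the peer list is applied, which fails the interface setup; fill in the real key or keep that entry commented out until it is known. The added `allowedUDPPorts = [ 51820 ]` has no effect while the context line `networking.firewall.enable = false;` stays, and enabling NAT turns on IP forwarding on a host with no packet filter, so either re-enable the firewall or state in a comment that unfiltered forwarding is intended. Both this hunk and the nixos76 hunk read the key from `/home/alex/wireguard-keys/private`; a root-owned, mode 0600 file outside a user home (the conventional `/etc/wireguard/` location) limits the key to root and does not depend on /home being mounted when the interface is brought up.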
@@ -26,6 +26,46 @@ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.firewall = { + allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport + }; + # Enable WireGuard + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the client's end of the tunnel interface. + ips = [ "10.100.0.2/24" ]; + listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) + + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "/home/alex/wireguard-keys/private"; + + peers = [ + # For a client configuration, one peer entry for the server will suffice. + + { + # Public key of the server (not a file path). + publicKey = "aD40D1jcgLbIZGkA1AoXkwpmP6hSWcttf3ptq4GRjC0="; + + # Forward all the traffic via VPN. + allowedIPs = [ "0.0.0.0/0" ]; + # Or forward only particular subnets + #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]; + + # Set this to the server IP and port. + endpoint = "192.168.1.226:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 + + # Send keepalives every 25 seconds. Important to keep NAT tables alive. + persistentKeepalive = 25; + } + ]; + }; + }; + # Set your time zone. time.timeZone = "America/New_York";
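Review bot: The `allowedUDPPorts = [ 51820 ]` opening is not needed for this client: it has a fixed `endpoint` and `persistentKeepalive = 25`, so it initiates every handshake itself and the server's replies are admitted by the NixOS firewall's established/related conntrack rule without an inbound allow. Unless other peers must be able to initiate handshakes to this machine, the `networking.firewall` block and the `listenPort` line can be removed together with the `# to match firewall allowedUDPPorts` comment; if they are kept on purpose, the comment should say so, e.g. `# inbound 51820 is open so peers can initiate handshakes; not required for a client-only role`. The enclosing `networking.wireguard.interfaces` attribute set is complete within the hunk.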