diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix
index bc8c206..af72205 100644
--- a/nixos/hosts/EDI/configuration.nix
+++ b/nixos/hosts/EDI/configuration.nix
@@ -53,14 +53,16 @@
 networking.wg-quick.interfaces = {
 wg0 = {
 autostart = true;
- dns = ["1.1.1.1"];
- address = ["10.5.5.3/32"];
+ address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
+ dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
+ listenPort = 51821;
 privateKeyFile = config.sops.secrets."wg-private-key".path;
 peers = [
 {
 publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
 endpoint = "84.87.146.85:51821";
- allowedIPs = ["0.0.0.0/0" "::0/0"];
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ persistentKeepalive = 25;
 }
 ];
 };
diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix
index 72c7437..18dad69 100644
--- a/nixos/hosts/GLaDOS/configuration.nix
+++ b/nixos/hosts/GLaDOS/configuration.nix
@@ -95,14 +95,16 @@
 networking.wg-quick.interfaces = {
 wg0 = {
 autostart = true;
- dns = ["1.1.1.1"];
- address = ["10.5.5.2/32"];
+ address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
+ dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
+ listenPort = 51821;
 privateKeyFile = config.sops.secrets."wg-private-key".path;
 peers = [
 {
 publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
 endpoint = "84.87.146.85:51821";
- allowedIPs = ["0.0.0.0/0"];
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ persistentKeepalive = 25;
 }
 ];
 };
diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix
index c922cb5..e2f2d85 100644
--- a/nixos/hosts/shodan/configuration.nix
+++ b/nixos/hosts/shodan/configuration.nix
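Review bot: The client stanza — the server's publicKey, `endpoint = "84.87.146.85:51821"`, the dns pair, `listenPort = 51821` and the keepalive — is now repeated verbatim on EDI, GLaDOS (next hunk) and shodan (the hunk after), with only the host index in address differing, and wheatley's peer list then copies the same addresses by hand a fourth time, which is where shodan's entry has already drifted to 10.0.0.3 while shodan's own hunk sets 10.0.0.4. Factoring the tunnel prefix, server key and endpoint into one shared module that takes the host index and derives both the client address and the server-side allowedIPs from it would make that kind of drift impossible. `listenPort = 51821;` also looks unnecessary on these clients: the tunnel is client-initiated and held open by persistentKeepalive, so the line only pins a fixed UDP port that has to stay consistent with every host firewall, whereas omitting it lets wg-quick pick an ephemeral one. Note too that dns now lists only tunnel-side resolvers, so name resolution on these hosts depends on wheatley's dnsmasq being reachable whenever wg0 is up.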
@@ -222,14 +222,16 @@
 networking.wg-quick.interfaces = {
 wg0 = {
 autostart = true;
- dns = ["1.1.1.1"];
- address = ["10.5.5.4/32"];
+ address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
+ dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
+ listenPort = 51821;
 privateKeyFile = config.sops.secrets."wg-private-key".path;
 peers = [
 {
 publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
 endpoint = "84.87.146.85:51821";
- allowedIPs = ["0.0.0.0/0" "::0/0"];
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ persistentKeepalive = 25;
 }
 ];
 };
diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index 3582f7e..6e646cd 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -175,41 +175,67 @@
 ];
 };
 wg1 = {
- autostart = true;
- address = ["10.5.5.1/24"];
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
 listenPort = 51821;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ '';
+
+ # Undo the above
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+ '';
+
 privateKeyFile = config.sops.secrets."wg-private-key".path;
 peers = [
 {
 #GLaDOS public key
 publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
- allowedIPs = ["10.5.5.2/32"];
+ allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
 }
 {
 #EDI public key
 publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
- allowedIPs = ["10.5.5.3/32"];
+ allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
 }
 {
 #Shodan public key
 publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
- allowedIPs = ["10.5.5.4/32"];
+ allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
 }
 {
 #ADA public key
 publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
- allowedIPs = ["10.5.5.5/32"];
+ allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
 }
 ];
 };
 };
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "wg1";
+ };
+ };
- networking.firewall.extraCommands = ''
- iptables -t nat -A POSTROUTING -s 10.5.5.1/24 ! -d 10.5.5.1/24 -j MASQUERADE
- '';
+ # enable NAT
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "end0";
+ networking.nat.internalInterfaces = ["wg1"];
 networking.firewall = {
 enable = true;
 allowPing = false;
@@ -219,13 +245,17 @@
 5350 # STUN tls alt
 80 # http
 443 # https
- 51821
+ 51821 # wg
 7878
+ 53 # dnsmasq
+ ];
+ allowedUDPPorts = [
+ 53 #dnsmasq
 ];
 allowedUDPPortRanges = [
 { from = 51820;
- to = 51822;
+ to = 51822; # wg
 }
 { from = 49152;
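Review bot: The Shodan and ADA peers now carry EDI's addresses — `allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]` appears three times — and WireGuard's cryptokey routing assigns each allowed IP to exactly one peer, so the last peer configured keeps the route and EDI as well as Shodan (which its own hunk configures as 10.0.0.4) stop being reachable through wheatley; Shodan's entry should be 10.0.0.4/32 and ::4/128, and ADA's, by analogy with the old 10.5.5.5, presumably ::5. The hand-written postUp/preDown rules match `-i wg0` and `-o eth0` although this interface is wg1 and networking.nat is told the uplink is `end0`, so they accept forwarding on the wrong interface and masquerade nothing, and they duplicate the FORWARD and MASQUERADE rules that `networking.nat.enable = true` already installs — dropping them (together with the doubled comment line above postUp) leaves one source of truth. networking.nat masquerades IPv4 only unless `networking.nat.enableIPv6 = true;` is set, which the fdc9:281f:04d7:9ee9::/64 range needs, and that option is also what turns IPv6 forwarding on now that the ip_forward sysctl has been removed (networking.nat covers the v4 side; confirm on your release). dnsmasq's `interface = "wg1"` alone still binds the wildcard socket and merely discards queries from other interfaces, so add `bind-interfaces = true;` to keep the socket off end0, and scope the port-53 rules the following hunk appears to add globally to `networking.firewall.interfaces.wg1` so the resolver is never exposed on the uplink.
```nix
        peers = [
          # … unchanged: GLaDOS (::2) and EDI (::3) peers …
          {
            #Shodan public key
            allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::4/128"];
          }
          {
            #ADA public key
            # TODO(review): confirm ADA's tunnel address; ::5 follows the old 10.5.5.5
            allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::5/128"];
          }
        ];
  # … unchanged: closing braces of wg1 and networking.wg-quick.interfaces (postUp/preDown dropped) …
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "wg1";
      bind-interfaces = true; # bind only the tunnel, not the wildcard address
    };
  };

  networking.nat.enable = true;
  networking.nat.enableIPv6 = true; # fdc9:281f:04d7:9ee9::/64 needs v6 masquerade and forwarding
  networking.nat.externalInterface = "end0";
  networking.nat.internalInterfaces = ["wg1"];
```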