changed a whole lot to comform to the article + dnsmasq is now not extraConfig but settings

2024-12-06 22:40:12 +01:00 · 2024-12-06 22:40:12 +01:00 · 47dc699ed1
commit 47dc699ed1
parent 30a16e746e
4 changed files with 57 additions and 21 deletions
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@ -175,41 +175,67 @@
      ];
    };
    wg1 = {
-      autostart = true;
-      address = ["10.5.5.1/24"];
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51821;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      postUp = ''
+        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      '';
+
+      # Undo the above
+      preDown = ''
+        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
+        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      '';
+
      privateKeyFile = config.sops.secrets."wg-private-key".path;

      peers = [
        {
          #GLaDOS public key
          publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
-          allowedIPs = ["10.5.5.2/32"];
+          allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
        }
        {
          #EDI public key
          publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
-          allowedIPs = ["10.5.5.3/32"];
+          allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
        }
        {
          #Shodan public key
          publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
-          allowedIPs = ["10.5.5.4/32"];
+          allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
        }
        {
          #ADA public key
          publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
-          allowedIPs = ["10.5.5.5/32"];
+          allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
        }
      ];
    };
  };

-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      interface = "wg1";
+    };
+  };

-  networking.firewall.extraCommands = ''
-    iptables -t nat -A POSTROUTING -s 10.5.5.1/24 ! -d 10.5.5.1/24 -j MASQUERADE
-  '';
+  # enable NAT
+  networking.nat.enable = true;
+  networking.nat.externalInterface = "end0";
+  networking.nat.internalInterfaces = ["wg1"];
  networking.firewall = {
    enable = true;
    allowPing = false;
@ -219,13 +245,17 @@
      5350 # STUN tls alt
      80 # http
      443 # https
-      51821
+      51821 # wg
      7878
+      53 # dnsmasq
+    ];
+    allowedUDPPorts = [
+      53 #dnsmasq
    ];
    allowedUDPPortRanges = [
      {
        from = 51820;
-        to = 51822;
+        to = 51822; # wg
      }
      {
        from = 49152;