shinobu/router: Switch provider for wg-upstream

The old provider was doing weird stuff with DNS that I wasn’t able to debug well. However, apparently, the old provider did MSS clamping on their side. Therefore, it is now required that I do this on my side.
2023-09-05 15:18:32 +02:00 · 2023-09-05 15:18:32 +02:00 · 0bcc5d6141
parent fcbd6806b9
commit 0bcc5d6141
2 changed files with 20 additions and 9 deletions
--- a/machines/shinobu/secrets.yaml
+++ b/machines/shinobu/secrets.yaml
@ -1,5 +1,6 @@
 wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str]
-wg-upstream-private-key: ENC[AES256_GCM,data:CO50H7QsLQ2x0QQXnB7c0leG8NdV66gWrdWBWOR9z4ukSN7qj/qqe83t82k=,iv:2as2HfTfRje3TEap8QpPfzz4saNDgjo6Ty1DTF23JVE=,tag:ZYe+59wrpX7mV1HcDllMdg==,type:str]
+wg-upstream-private-key: ENC[AES256_GCM,data:SjgY73YEI9t64KhhjtmBSqzbxp+Pz6twcei1/PgDyJEKHQ3zJTGutfM1oSQ=,iv:j6sUVzS6oAu9rUNtUwkit59vytJn1z9Ku8kGVFZOsbI=,tag:7iaeo5mvWqO7JraGMxLriQ==,type:str]
+wg-upstream-psk: ENC[AES256_GCM,data:0XXEALKWvUQ7amx2hhia8a6Jd5WG1/+gEVI2edNukjM7BZj66FJ9YFMtSiU=,iv:C6w+P1RzJIggmzT5V5xu0IS/j5NLFiQOLoTNRILND1A=,tag:zZqmO4/GcYWmz2hUCP3W1Q==,type:str]
 hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str]
 sops:
    kms: []
@ -7,8 +8,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-08-08T09:43:37Z"
-    mac: ENC[AES256_GCM,data:lxoKzGyPwdfeI5Dlmgx9K9SBhfRIaokvum+dJWABUoGtIMtrhp4K4ZRF1Rjja8oTi4w3b+s9aUBpxt8TLu9vJZFsUkhY2gqW5bX3Ub/3xMAR9YSG3LtijRSMuKkdVlAkdjB6Guz9aHNVBG3fTZ+SfTlyOQdImW6bK4tydbGHKgY=,iv:6kVR4zZfHnqhcOT3N2tClGST8h7FLjIseXDu2xS2DEY=,tag:rd/f7cHSoxLT3O7HluVWLA==,type:str]
+    lastmodified: "2023-09-05T08:32:27Z"
+    mac: ENC[AES256_GCM,data:obOQ6xkGzmMnpEQGOk77onTNcvK+5aV0m2lGu+h+GLESKigls+vcBSqS/uuluPvzpWEVRMffnDzG9xuafU5r/GsOvzb7QzD7kGd+qe/U3XI2sI7fSQyMgRfcTV+YfgG2hrZ4inAufe1vprybVhl2Cx1pGxLuqHufc5KBZT6QRGU=,iv:3JYOkO8gtZLoMBtR9XWQ0OP/qr9JW23NJf6ACm/2aoU=,tag:Ocut0Q6RnVDl+/8CvJl9HA==,type:str]
    pgp:
        - created_at: "2023-06-29T16:44:16Z"
          enc: |-
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@ -34,6 +34,10 @@ in
    owner = config.users.users.systemd-network.name;
    sopsFile = ../secrets.yaml;
  };
+  sops.secrets.wg-upstream-psk = {
+    owner = config.users.users.systemd-network.name;
+    sopsFile = ../secrets.yaml;
+  };
  sops.secrets.hostapd-config = {
    sopsFile = ../secrets.yaml;
  };
@ -61,6 +65,12 @@ in
          chain forward {
            type filter hook forward priority filter; policy drop;

+            # Use MSS clamping
+            # to avoid too large packets from client on the lan
+            # not going through the tunnel.
+            iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+            oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+
            iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
            iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;

@ -117,8 +127,9 @@ in
        };
        wireguardPeers = lib.singleton {
          wireguardPeerConfig = {
-            Endpoint = "193.32.248.71:51820";
-            PublicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
+            Endpoint = "185.189.112.26:1637";
+            PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+            PresharedKeyFile = config.sops.secrets.wg-upstream-psk.path;
            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
            PersistentKeepalive = 25;
          };
@ -158,8 +169,8 @@ in
      };
      wg-upstream = {
        name = "wg-upstream";
-        address = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
-        dns = [ "10.64.0.1" ];
+        address = [ "10.128.218.130/32" "fd7d:76ee:e68f:a993:316e:a8d5:2b60:8e69/128" ];
+        dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
        routingPolicyRules = [
          {
            routingPolicyRuleConfig = {
@ -246,8 +257,7 @@ in
      # but from lan instead.
      # So it has to use static configuration.
      host-record = "switchviech,switchviech.${domain},10.80.1.19";
-      server = [
-        "10.64.0.1" # mullvad DNS, should be fastest overall
+      server = config.systemd.network.networks.wg-upstream.dns ++ [
        #"9.9.9.9" # dns.quad9.net
        #"2620:fe::fe"
      ];