shinobu/router: Switch provider for wg-upstream
The old provider was doing weird stuff with DNS that I wasn’t able to debug well. However, apparently, the old provider did MSS clamping on their side. Therefore, it is now required that I do this on my side.
This commit is contained in:
parent
fcbd6806b9
commit
0bcc5d6141
|
@ -1,5 +1,6 @@
|
|||
wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str]
|
||||
wg-upstream-private-key: ENC[AES256_GCM,data:CO50H7QsLQ2x0QQXnB7c0leG8NdV66gWrdWBWOR9z4ukSN7qj/qqe83t82k=,iv:2as2HfTfRje3TEap8QpPfzz4saNDgjo6Ty1DTF23JVE=,tag:ZYe+59wrpX7mV1HcDllMdg==,type:str]
|
||||
wg-upstream-private-key: ENC[AES256_GCM,data:SjgY73YEI9t64KhhjtmBSqzbxp+Pz6twcei1/PgDyJEKHQ3zJTGutfM1oSQ=,iv:j6sUVzS6oAu9rUNtUwkit59vytJn1z9Ku8kGVFZOsbI=,tag:7iaeo5mvWqO7JraGMxLriQ==,type:str]
|
||||
wg-upstream-psk: ENC[AES256_GCM,data:0XXEALKWvUQ7amx2hhia8a6Jd5WG1/+gEVI2edNukjM7BZj66FJ9YFMtSiU=,iv:C6w+P1RzJIggmzT5V5xu0IS/j5NLFiQOLoTNRILND1A=,tag:zZqmO4/GcYWmz2hUCP3W1Q==,type:str]
|
||||
hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
|
@ -7,8 +8,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2023-08-08T09:43:37Z"
|
||||
mac: ENC[AES256_GCM,data:lxoKzGyPwdfeI5Dlmgx9K9SBhfRIaokvum+dJWABUoGtIMtrhp4K4ZRF1Rjja8oTi4w3b+s9aUBpxt8TLu9vJZFsUkhY2gqW5bX3Ub/3xMAR9YSG3LtijRSMuKkdVlAkdjB6Guz9aHNVBG3fTZ+SfTlyOQdImW6bK4tydbGHKgY=,iv:6kVR4zZfHnqhcOT3N2tClGST8h7FLjIseXDu2xS2DEY=,tag:rd/f7cHSoxLT3O7HluVWLA==,type:str]
|
||||
lastmodified: "2023-09-05T08:32:27Z"
|
||||
mac: ENC[AES256_GCM,data:obOQ6xkGzmMnpEQGOk77onTNcvK+5aV0m2lGu+h+GLESKigls+vcBSqS/uuluPvzpWEVRMffnDzG9xuafU5r/GsOvzb7QzD7kGd+qe/U3XI2sI7fSQyMgRfcTV+YfgG2hrZ4inAufe1vprybVhl2Cx1pGxLuqHufc5KBZT6QRGU=,iv:3JYOkO8gtZLoMBtR9XWQ0OP/qr9JW23NJf6ACm/2aoU=,tag:Ocut0Q6RnVDl+/8CvJl9HA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-06-29T16:44:16Z"
|
||||
enc: |-
|
||||
|
|
|
@ -34,6 +34,10 @@ in
|
|||
owner = config.users.users.systemd-network.name;
|
||||
sopsFile = ../secrets.yaml;
|
||||
};
|
||||
sops.secrets.wg-upstream-psk = {
|
||||
owner = config.users.users.systemd-network.name;
|
||||
sopsFile = ../secrets.yaml;
|
||||
};
|
||||
sops.secrets.hostapd-config = {
|
||||
sopsFile = ../secrets.yaml;
|
||||
};
|
||||
|
@ -61,6 +65,12 @@ in
|
|||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
# Use MSS clamping
|
||||
# to avoid too large packets from client on the lan
|
||||
# not going through the tunnel.
|
||||
iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
|
||||
oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
|
||||
|
||||
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
|
||||
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
|
||||
|
||||
|
@ -117,8 +127,9 @@ in
|
|||
};
|
||||
wireguardPeers = lib.singleton {
|
||||
wireguardPeerConfig = {
|
||||
Endpoint = "193.32.248.71:51820";
|
||||
PublicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
|
||||
Endpoint = "185.189.112.26:1637";
|
||||
PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
|
||||
PresharedKeyFile = config.sops.secrets.wg-upstream-psk.path;
|
||||
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
PersistentKeepalive = 25;
|
||||
};
|
||||
|
@ -158,8 +169,8 @@ in
|
|||
};
|
||||
wg-upstream = {
|
||||
name = "wg-upstream";
|
||||
address = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
|
||||
dns = [ "10.64.0.1" ];
|
||||
address = [ "10.128.218.130/32" "fd7d:76ee:e68f:a993:316e:a8d5:2b60:8e69/128" ];
|
||||
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
|
@ -246,8 +257,7 @@ in
|
|||
# but from lan instead.
|
||||
# So it has to use static configuration.
|
||||
host-record = "switchviech,switchviech.${domain},10.80.1.19";
|
||||
server = [
|
||||
"10.64.0.1" # mullvad DNS, should be fastest overall
|
||||
server = config.systemd.network.networks.wg-upstream.dns ++ [
|
||||
#"9.9.9.9" # dns.quad9.net
|
||||
#"2620:fe::fe"
|
||||
];
|
||||
|
|
Loading…
Reference in a new issue