shinobu/router: Disable wg-upstream

This only complicates many things and creates too much overhead on such
a slow connection.
This commit is contained in:
Simon Bruder 2023-09-26 15:38:02 +02:00
parent 3658865ad2
commit 362243f7f6
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
4 changed files with 7 additions and 171 deletions

View file

@ -1,13 +1,3 @@
{ {
domain = "home.sbruder.de"; domain = "home.sbruder.de";
vpnBypassFwMark = 10000;
wg-upstream = {
endpoint = rec {
address = "193.32.248.71";
port = 51820;
full = "${address}:${toString port}";
};
publicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
addresses = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
};
} }

View file

@ -12,8 +12,8 @@
# It consists of shinobu as a router (this configuration), # It consists of shinobu as a router (this configuration),
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch. # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE). # The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT: # Sadly, I could not enable bridge mode on it, so the packets now go through (at least) three layers of NAT:
# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN # device → NAT on shinobu → NAT on plastic router → PŸUR CGNAT
# #
# Because the switch only supports GbE, # Because the switch only supports GbE,
# the two clients I currently have with support for 2.5GbE are connected # the two clients I currently have with support for 2.5GbE are connected
@ -45,11 +45,6 @@ in
ethtool ethtool
]; ];
sops.secrets.wg-upstream-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ../../secrets.yaml;
};
networking.useDHCP = false; networking.useDHCP = false;
systemd.network = { systemd.network = {
@ -63,24 +58,6 @@ in
Kind = "bridge"; Kind = "bridge";
}; };
}; };
wg-upstream = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-upstream";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
FirewallMark = 51820;
};
wireguardPeers = lib.singleton {
wireguardPeerConfig = with cfg.wg-upstream; {
Endpoint = endpoint.full;
PublicKey = publicKey;
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
PersistentKeepalive = 25;
};
};
};
}; };
networks = { networks = {
wan = { wan = {
@ -115,66 +92,6 @@ in
domains = [ cfg.domain ]; domains = [ cfg.domain ];
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ]; address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
}; };
wg-upstream = {
name = "wg-upstream";
address = cfg.wg-upstream.addresses;
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both"; # default is only ipv4
FirewallMark = cfg.vpnBypassFwMark;
InvertRule = "yes";
Table = 51820;
Priority = 10;
#SuppressPrefixLength = 0; # cant be used here (forwarding does not work with it)
};
}
# FIXME: those two shouldnt be necessary
# It should automatically detect those routes existing and prioritise them
# LAN (v4)
{
routingPolicyRuleConfig = {
To = "10.80.1.0/24";
Priority = 9;
};
}
# LAN (v6)
{
routingPolicyRuleConfig = {
To = "fd00:80:1::/64";
Priority = 9;
};
}
# wg-home
{
routingPolicyRuleConfig = {
To = "10.80.0.0/24";
Priority = 9;
};
}
# plastic router
{
routingPolicyRuleConfig = {
To = "192.168.0.0/24";
Priority = 9;
};
}
];
routes = [
{
routeConfig = {
Gateway = "0.0.0.0"; # point-to-point connection
Table = 51820;
};
}
{
routeConfig = {
Gateway = "::";
Table = 51820;
};
}
];
};
}; };
}; };
services.resolved.enable = false; services.resolved.enable = false;

View file

@ -10,11 +10,7 @@ let
else lib.generators.mkValueStringDefault { } v; else lib.generators.mkValueStringDefault { } v;
} " = "; } " = ";
passthru = { passthru = { };
WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
};
defines = lib.concatStringsSep defines = lib.concatStringsSep
"\n" "\n"

View file

@ -1,76 +1,21 @@
define NAT_LAN_IFACES = { "br-lan" } define NAT_LAN_IFACES = { "br-lan" }
define NAT_WAN_IFACES = { "wg-upstream" }
define PHYSICAL_WAN = "enp1s0" define PHYSICAL_WAN = "enp1s0"
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN } define NAT_WAN_IFACES = { $PHYSICAL_WAN }
define PLASTIC_ROUTER_V4 = 192.168.0.1
table inet filter { table inet filter {
chain forward { chain forward {
type filter hook forward priority filter; policy drop type filter hook forward priority filter; policy drop
# Use MSS clamping
# to avoid too large packets from client on the lan
# not going through the tunnel.
iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
# allow traffic between lan and wan # allow traffic between lan and wan
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
# accept responses on physical wan
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ct state established,related counter accept
# allow selected destinations via physical wan
# plastic router
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
# all destinations configured via policy based routing
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
} }
} }
table inet nat { table inet nat {
chain postrouting { chain postrouting {
type nat hook postrouting priority filter; policy accept type nat hook postrouting priority filter; policy accept
oifname $MASQUERADE_IFACES masquerade oifname $NAT_WAN_IFACES masquerade
}
}
# Bypass VPN by setting mark.
# This acts in two places that are handled separatly by nftables:
# Packets from the local host (output hook) and forwared packets (prerouting hook).
# To simplify the handling,
# there is a single chain that handles both,
# which is jumped to from the specific chains.
table inet vpn-bypass {
# This must be of type route, otherwise no route lookup will be performed
chain output {
type route hook output priority mangle
jump common
}
# This does not need to be of type route
chain prerouting {
type filter hook prerouting priority mangle
jump common
}
chain common {
tcp dport {
22, # SSH
443, # HTTPS
465, # SMTPS
993, # IMAPS
2022, # SSH
2222, # SSH
} mark set $VPN_BYPASS_MARK counter
udp dport {
1637, # wg
51820, # wg
64738, # mumble
} mark set $VPN_BYPASS_MARK counter
} }
} }
@ -96,20 +41,8 @@ table inet restrict-wan {
chain postrouting { chain postrouting {
type filter hook postrouting priority 0; policy accept type filter hook postrouting priority 0; policy accept
# accept connections to plastic router # accept connections over physical wan
oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept oifname $PHYSICAL_WAN counter accept
# accept icmpv6
oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accept connections to selected endpoints
# VPN (wg-upstream)
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
# destinations configured in VPN bypass
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
# drop all other packets
oifname $PHYSICAL_WAN counter drop
} }
} }