shinobu/router: Disable wg-upstream
This only complicates things and adds too much overhead on such a slow connection.
This commit is contained in:
parent
3658865ad2
commit
362243f7f6
|
@ -1,13 +1,3 @@
|
||||||
{
|
{
|
||||||
domain = "home.sbruder.de";
|
domain = "home.sbruder.de";
|
||||||
vpnBypassFwMark = 10000;
|
|
||||||
wg-upstream = {
|
|
||||||
endpoint = rec {
|
|
||||||
address = "193.32.248.71";
|
|
||||||
port = 51820;
|
|
||||||
full = "${address}:${toString port}";
|
|
||||||
};
|
|
||||||
publicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
|
|
||||||
addresses = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,8 +12,8 @@
|
||||||
# It consists of shinobu as a router (this configuration),
|
# It consists of shinobu as a router (this configuration),
|
||||||
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
|
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
|
||||||
# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
|
# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
|
||||||
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
|
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) three layers of NAT:
|
||||||
# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
|
# device → NAT on shinobu → NAT on plastic router → PŸUR CGNAT
|
||||||
#
|
#
|
||||||
# Because the switch only supports GbE,
|
# Because the switch only supports GbE,
|
||||||
# the two clients I currently have with support for 2.5GbE are connected
|
# the two clients I currently have with support for 2.5GbE are connected
|
||||||
|
@ -45,11 +45,6 @@ in
|
||||||
ethtool
|
ethtool
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.secrets.wg-upstream-private-key = {
|
|
||||||
owner = config.users.users.systemd-network.name;
|
|
||||||
sopsFile = ../../secrets.yaml;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
|
@ -63,24 +58,6 @@ in
|
||||||
Kind = "bridge";
|
Kind = "bridge";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
wg-upstream = {
|
|
||||||
netdevConfig = {
|
|
||||||
Kind = "wireguard";
|
|
||||||
Name = "wg-upstream";
|
|
||||||
};
|
|
||||||
wireguardConfig = {
|
|
||||||
PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
|
|
||||||
FirewallMark = 51820;
|
|
||||||
};
|
|
||||||
wireguardPeers = lib.singleton {
|
|
||||||
wireguardPeerConfig = with cfg.wg-upstream; {
|
|
||||||
Endpoint = endpoint.full;
|
|
||||||
PublicKey = publicKey;
|
|
||||||
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
|
||||||
PersistentKeepalive = 25;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
networks = {
|
networks = {
|
||||||
wan = {
|
wan = {
|
||||||
|
@ -115,66 +92,6 @@ in
|
||||||
domains = [ cfg.domain ];
|
domains = [ cfg.domain ];
|
||||||
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
|
address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
|
||||||
};
|
};
|
||||||
wg-upstream = {
|
|
||||||
name = "wg-upstream";
|
|
||||||
address = cfg.wg-upstream.addresses;
|
|
||||||
routingPolicyRules = [
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
Family = "both"; # default is only ipv4
|
|
||||||
FirewallMark = cfg.vpnBypassFwMark;
|
|
||||||
InvertRule = "yes";
|
|
||||||
Table = 51820;
|
|
||||||
Priority = 10;
|
|
||||||
#SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
|
|
||||||
};
|
|
||||||
}
|
|
||||||
# FIXME: those two shouldn’t be necessary
|
|
||||||
# It should automatically detect those routes existing and prioritise them
|
|
||||||
# LAN (v4)
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
To = "10.80.1.0/24";
|
|
||||||
Priority = 9;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
# LAN (v6)
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
To = "fd00:80:1::/64";
|
|
||||||
Priority = 9;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
# wg-home
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
To = "10.80.0.0/24";
|
|
||||||
Priority = 9;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
# plastic router
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
To = "192.168.0.0/24";
|
|
||||||
Priority = 9;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
routes = [
|
|
||||||
{
|
|
||||||
routeConfig = {
|
|
||||||
Gateway = "0.0.0.0"; # point-to-point connection
|
|
||||||
Table = 51820;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
{
|
|
||||||
routeConfig = {
|
|
||||||
Gateway = "::";
|
|
||||||
Table = 51820;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
|
|
|
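Review bot: The `sops.secrets.wg-upstream-private-key` declaration and every consumer of it are removed, but the commit does not touch `../../secrets.yaml` (the sopsFile the removed block pointed at), so the WireGuard private key presumably remains in the encrypted secrets file as unused material. Since no configuration references it any more, it should be removed from secrets.yaml as well, and the peer registered under the matching public key retired rather than left as a dormant but still valid credential. If it is kept on purpose for re-enabling the tunnel later, a one-line comment near the remaining `systemd.network` definitions would record that decision. The enclosing module continues outside the hunks.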
@ -10,11 +10,7 @@ let
|
||||||
else lib.generators.mkValueStringDefault { } v;
|
else lib.generators.mkValueStringDefault { } v;
|
||||||
} " = ";
|
} " = ";
|
||||||
|
|
||||||
passthru = {
|
passthru = { };
|
||||||
WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
|
|
||||||
WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
|
|
||||||
VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
|
|
||||||
};
|
|
||||||
|
|
||||||
defines = lib.concatStringsSep
|
defines = lib.concatStringsSep
|
||||||
"\n"
|
"\n"
|
||||||
|
|
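Review bot: `passthru = { };` keeps the define-generator pipeline alive (the `defines = lib.concatStringsSep "\n"` that follows, continuing outside the hunk) while guaranteeing it produces nothing, which reads like a leftover rather than a decision. Either drop the empty set together with its consumer, or document the intent with a comment such as `# Values exported as nftables defines; currently empty since wg-upstream was removed.` so the next reader knows the plumbing is kept deliberately.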
|
@ -1,76 +1,21 @@
|
||||||
define NAT_LAN_IFACES = { "br-lan" }
|
define NAT_LAN_IFACES = { "br-lan" }
|
||||||
define NAT_WAN_IFACES = { "wg-upstream" }
|
|
||||||
define PHYSICAL_WAN = "enp1s0"
|
define PHYSICAL_WAN = "enp1s0"
|
||||||
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
|
define NAT_WAN_IFACES = { $PHYSICAL_WAN }
|
||||||
define PLASTIC_ROUTER_V4 = 192.168.0.1
|
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority filter; policy drop
|
type filter hook forward priority filter; policy drop
|
||||||
|
|
||||||
# Use MSS clamping
|
|
||||||
# to avoid too large packets from client on the lan
|
|
||||||
# not going through the tunnel.
|
|
||||||
iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
|
|
||||||
oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
|
|
||||||
|
|
||||||
# allow traffic between lan and wan
|
# allow traffic between lan and wan
|
||||||
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
|
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
|
||||||
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
|
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
|
||||||
|
|
||||||
# accept responses on physical wan
|
|
||||||
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ct state established,related counter accept
|
|
||||||
|
|
||||||
# allow selected destinations via physical wan
|
|
||||||
|
|
||||||
# plastic router
|
|
||||||
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
|
|
||||||
|
|
||||||
# all destinations configured via policy based routing
|
|
||||||
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table inet nat {
|
table inet nat {
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority filter; policy accept
|
type nat hook postrouting priority filter; policy accept
|
||||||
oifname $MASQUERADE_IFACES masquerade
|
oifname $NAT_WAN_IFACES masquerade
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Bypass VPN by setting mark.
|
|
||||||
# This acts in two places that are handled separatly by nftables:
|
|
||||||
# Packets from the local host (output hook) and forwared packets (prerouting hook).
|
|
||||||
# To simplify the handling,
|
|
||||||
# there is a single chain that handles both,
|
|
||||||
# which is jumped to from the specific chains.
|
|
||||||
table inet vpn-bypass {
|
|
||||||
# This must be of type route, otherwise no route lookup will be performed
|
|
||||||
chain output {
|
|
||||||
type route hook output priority mangle
|
|
||||||
jump common
|
|
||||||
}
|
|
||||||
|
|
||||||
# This does not need to be of type route
|
|
||||||
chain prerouting {
|
|
||||||
type filter hook prerouting priority mangle
|
|
||||||
jump common
|
|
||||||
}
|
|
||||||
|
|
||||||
chain common {
|
|
||||||
tcp dport {
|
|
||||||
22, # SSH
|
|
||||||
443, # HTTPS
|
|
||||||
465, # SMTPS
|
|
||||||
993, # IMAPS
|
|
||||||
2022, # SSH
|
|
||||||
2222, # SSH
|
|
||||||
} mark set $VPN_BYPASS_MARK counter
|
|
||||||
udp dport {
|
|
||||||
1637, # wg
|
|
||||||
51820, # wg
|
|
||||||
64738, # mumble
|
|
||||||
} mark set $VPN_BYPASS_MARK counter
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,20 +41,8 @@ table inet restrict-wan {
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type filter hook postrouting priority 0; policy accept
|
type filter hook postrouting priority 0; policy accept
|
||||||
|
|
||||||
# accept connections to plastic router
|
# accept connections over physical wan
|
||||||
oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
|
oifname $PHYSICAL_WAN counter accept
|
||||||
|
|
||||||
# accept icmpv6
|
|
||||||
oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
|
|
||||||
|
|
||||||
# accept connections to selected endpoints
|
|
||||||
# VPN (wg-upstream)
|
|
||||||
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
|
|
||||||
# destinations configured in VPN bypass
|
|
||||||
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
|
|
||||||
|
|
||||||
# drop all other packets
|
|
||||||
oifname $PHYSICAL_WAN counter drop
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
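Review bot: In the `restrict-wan` postrouting chain the only remaining rule is `oifname $PHYSICAL_WAN counter accept` and the terminal `oifname $PHYSICAL_WAN counter drop` is gone, so the table no longer restricts anything; it existed to keep traffic off the physical WAN unless explicitly allowed, and that leak-prevention intent is now silently neutralised. If unrestricted egress is the new intended behaviour, the table and chain should be deleted rather than kept as an accept-everything stub, or a comment such as `# restrict-wan is a no-op since the VPN upstream was removed; kept as a hook for a future kill switch` should state why it stays. The same applies to the `forward` chain in the first hunk, where `NAT_WAN_IFACES` now only contains the physical WAN and the two generic lan↔wan rules already cover what the removed per-destination accepts did. The table's opening line sits in the hunk header, outside the shown lines.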