shinobu/router: Route select protocols directly

This commit is contained in:
Simon Bruder 2023-09-25 13:50:22 +02:00
parent ab035b2c44
commit 3658865ad2
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
3 changed files with 17 additions and 16 deletions


@ -122,7 +122,7 @@ in
{ {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
Family = "both"; # default is only ipv4 Family = "both"; # default is only ipv4
FirewallMark = 51820; FirewallMark = cfg.vpnBypassFwMark;
InvertRule = "yes"; InvertRule = "yes";
Table = 51820; Table = 51820;
Priority = 10; Priority = 10;
@ -152,14 +152,6 @@ in
Priority = 9; Priority = 9;
}; };
} }
# VPN bypass
{
routingPolicyRuleConfig = {
Family = "both"; # welcome in the year 2023, where ipv4 is the default
FirewallMark = cfg.vpnBypassFwMark;
Priority = 9;
};
}
# plastic router # plastic router
{ {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
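Review bot: After the change at line 122 the inverted rule keys on cfg.vpnBypassFwMark alone and the separate priority-9 bypass rule is gone, so the only packets kept out of table 51820 are those carrying the bypass mark; whatever the literal 51820 matched before (presumably the WireGuard interface's own FwMark, which would have kept its encapsulated packets out of the tunnel table) is no longer excluded here unless wg-upstream's FwMark is also cfg.vpnBypassFwMark, which is outside this hunk. If the tunnel's own traffic is instead expected to pick up the mark from the nftables port-based bypass, that dependency is worth stating next to the rule, e.g. `# everything without the bypass mark (wg-upstream's own packets included, which nft marks by port) is looked up in the VPN table`. The enclosing rule list starts and ends outside the hunk.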


@ -11,7 +11,8 @@ let
} " = "; } " = ";
passthru = { passthru = {
WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address; WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
VPN_BYPASS_MARK = cfg.vpnBypassFwMark; VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
}; };


@ -2,9 +2,6 @@ define NAT_LAN_IFACES = { "br-lan" }
define NAT_WAN_IFACES = { "wg-upstream" } define NAT_WAN_IFACES = { "wg-upstream" }
define PHYSICAL_WAN = "enp1s0" define PHYSICAL_WAN = "enp1s0"
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN } define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
define VUEKO_V4 = 168.119.176.53
define VUEKO_V6 = 2a01:4f8:c012:2f4::1
define VUEKO_PORT = 51820
define PLASTIC_ROUTER_V4 = 192.168.0.1 define PLASTIC_ROUTER_V4 = 192.168.0.1
table inet filter { table inet filter {
@ -61,8 +58,19 @@ table inet vpn-bypass {
} }
chain common { chain common {
ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter tcp dport {
ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter 22, # SSH
443, # HTTPS
465, # SMTPS
993, # IMAPS
2022, # SSH
2222, # SSH
} mark set $VPN_BYPASS_MARK counter
udp dport {
1637, # wg
51820, # wg
64738, # mumble
} mark set $VPN_BYPASS_MARK counter
} }
} }
@ -96,7 +104,7 @@ table inet restrict-wan {
# accept connections to selected endpoints # accept connections to selected endpoints
# VPN (wg-upstream) # VPN (wg-upstream)
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept # only this is used oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
# destinations configured in VPN bypass # destinations configured in VPN bypass
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
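Review bot: The rewritten `common` chain in table inet vpn-bypass matches on destination port only, so every TCP 22/443/465/993/2022/2222 and UDP 1637/51820/64738 flow to any destination now carries $VPN_BYPASS_MARK and, per the restrict-wan accept at the end of this section, leaves via $PHYSICAL_WAN instead of the tunnel — a far wider exemption than the removed VUEKO-specific rules, and one that covers most web traffic. The set is also inconsistent for HTTPS: TCP 443 bypasses while UDP 443 (HTTP/3) still goes through wg-upstream, so the same site can be reached from both the WAN and the VPN source address; either add `443, # QUIC` to the udp set or record that the split is intended. Either way the sets deserve a header comment, e.g. `# destination-agnostic bypass: these services exit via $PHYSICAL_WAN, everything else goes through wg-upstream`. The 51820 literal in the udp set overlaps what the Nix side now exports as $WG_UPSTREAM_ENDPOINT_PORT, though it may deliberately cover other WireGuard peers as well.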