shinobu/router: Disable wg-upstream

This only complicates many things and creates too much overhead on such a slow connection.
2023-09-26 15:38:02 +02:00 · 2023-09-26 15:38:02 +02:00 · 3d880316de
parent 642fea6b8e
commit 3d880316de
4 changed files with 7 additions and 171 deletions
--- a/machines/shinobu/services/router/common.nix
+++ b/machines/shinobu/services/router/common.nix
@ -1,13 +1,3 @@
 {
  domain = "home.sbruder.de";
-  vpnBypassFwMark = 10000;
-  wg-upstream = {
-    endpoint = rec {
-      address = "193.32.248.71";
-      port = 51820;
-      full = "${address}:${toString port}";
-    };
-    publicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
-    addresses = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
-  };
 }
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@ -12,8 +12,8 @@
 # It consists of shinobu as a router (this configuration),
 # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
 # The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
-# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
-# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
+# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) three layers of NAT:
+# device → NAT on shinobu → NAT on plastic router → PŸUR CGNAT
 #
 # Because the switch only supports GbE,
 # the two clients I currently have with support for 2.5GbE are connected
@ -45,11 +45,6 @@ in
    ethtool
  ];

-  sops.secrets.wg-upstream-private-key = {
-    owner = config.users.users.systemd-network.name;
-    sopsFile = ../../secrets.yaml;
-  };
-
  networking.useDHCP = false;

  systemd.network = {
@ -63,24 +58,6 @@ in
          Kind = "bridge";
        };
      };
-      wg-upstream = {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "wg-upstream";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
-          FirewallMark = 51820;
-        };
-        wireguardPeers = lib.singleton {
-          wireguardPeerConfig = with cfg.wg-upstream; {
-            Endpoint = endpoint.full;
-            PublicKey = publicKey;
-            AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
-            PersistentKeepalive = 25;
-          };
-        };
-      };
    };
    networks = {
      wan = {
@ -115,66 +92,6 @@ in
        domains = [ cfg.domain ];
        address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
      };
-      wg-upstream = {
-        name = "wg-upstream";
-        address = cfg.wg-upstream.addresses;
-        routingPolicyRules = [
-          {
-            routingPolicyRuleConfig = {
-              Family = "both"; # default is only ipv4
-              FirewallMark = cfg.vpnBypassFwMark;
-              InvertRule = "yes";
-              Table = 51820;
-              Priority = 10;
-              #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
-            };
-          }
-          # FIXME: those two shouldn’t be necessary
-          # It should automatically detect those routes existing and prioritise them
-          # LAN (v4)
-          {
-            routingPolicyRuleConfig = {
-              To = "10.80.1.0/24";
-              Priority = 9;
-            };
-          }
-          # LAN (v6)
-          {
-            routingPolicyRuleConfig = {
-              To = "fd00:80:1::/64";
-              Priority = 9;
-            };
-          }
-          # wg-home
-          {
-            routingPolicyRuleConfig = {
-              To = "10.80.0.0/24";
-              Priority = 9;
-            };
-          }
-          # plastic router
-          {
-            routingPolicyRuleConfig = {
-              To = "192.168.0.0/24";
-              Priority = 9;
-            };
-          }
-        ];
-        routes = [
-          {
-            routeConfig = {
-              Gateway = "0.0.0.0"; # point-to-point connection
-              Table = 51820;
-            };
-          }
-          {
-            routeConfig = {
-              Gateway = "::";
-              Table = 51820;
-            };
-          }
-        ];
-      };
    };
  };
  services.resolved.enable = false;
--- a/machines/shinobu/services/router/nft.nix
+++ b/machines/shinobu/services/router/nft.nix
@ -10,11 +10,7 @@ let
        else lib.generators.mkValueStringDefault { } v;
    } " = ";

-  passthru = {
-    WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
-    WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
-    VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
-  };
+  passthru = { };

  defines = lib.concatStringsSep
    "\n"
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@ -1,76 +1,21 @@
 define NAT_LAN_IFACES = { "br-lan" }
-define NAT_WAN_IFACES = { "wg-upstream" }
 define PHYSICAL_WAN = "enp1s0"
-define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
-define PLASTIC_ROUTER_V4 = 192.168.0.1
+define NAT_WAN_IFACES = { $PHYSICAL_WAN }

 table inet filter {
 	chain forward {
 		type filter hook forward priority filter; policy drop

-		# Use MSS clamping
-		# to avoid too large packets from client on the lan
-		# not going through the tunnel.
-		iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
-		oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
-
 		# allow traffic between lan and wan
 		iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
 		iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
-
-		# accept responses on physical wan
-		iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ct state established,related counter accept
-
-		# allow selected destinations via physical wan
-
-		# plastic router
-		iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
-
-		# all destinations configured via policy based routing
-		oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
 	}
 }

 table inet nat {
 	chain postrouting {
 		type nat hook postrouting priority filter; policy accept
-		oifname $MASQUERADE_IFACES masquerade
-	}
-}
-
-# Bypass VPN by setting mark.
-# This acts in two places that are handled separatly by nftables:
-# Packets from the local host (output hook) and forwared packets (prerouting hook).
-# To simplify the handling,
-# there is a single chain that handles both,
-# which is jumped to from the specific chains.
-table inet vpn-bypass {
-	# This must be of type route, otherwise no route lookup will be performed
-	chain output {
-		type route hook output priority mangle
-		jump common
-	}
-
-	# This does not need to be of type route
-	chain prerouting {
-		type filter hook prerouting priority mangle
-		jump common
-	}
-
-	chain common {
-		tcp dport {
-			22, # SSH
-			443, # HTTPS
-			465, # SMTPS
-			993, # IMAPS
-			2022, # SSH
-			2222, # SSH
-		} mark set $VPN_BYPASS_MARK counter
-		udp dport {
-			1637, # wg
-			51820, # wg
-			64738, # mumble
-		} mark set $VPN_BYPASS_MARK counter
+		oifname $NAT_WAN_IFACES masquerade
 	}
 }

@ -96,20 +41,8 @@ table inet restrict-wan {
 	chain postrouting {
 		type filter hook postrouting priority 0; policy accept

-		# accept connections to plastic router
-		oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
-
-		# accept icmpv6
-		oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
-		# accept connections to selected endpoints
-		# VPN (wg-upstream)
-		oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
-		# destinations configured in VPN bypass
-		oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
-
-		# drop all other packets
-		oifname $PHYSICAL_WAN counter drop
+		# accept connections over physical wan
+		oifname $PHYSICAL_WAN counter accept
 	}
 }