diff --git a/machines/shinobu/services/router/common.nix b/machines/shinobu/services/router/common.nix
index 62dfc73..7c63909 100644
--- a/machines/shinobu/services/router/common.nix
+++ b/machines/shinobu/services/router/common.nix
@@ -1,13 +1,3 @@
 {
 domain = "home.sbruder.de";
- vpnBypassFwMark = 10000;
- wg-upstream = {
- endpoint = rec {
- address = "193.32.248.71";
- port = 51820;
- full = "${address}:${toString port}";
- };
- publicKey = "eprzkkkSbXCANngQDo305DIAvkKAnZaN71IpTNaOoTk=";
- addresses = [ "10.66.208.88/32" "fc00:bbbb:bbbb:bb01::3:d057/128" ];
- };
 }
diff --git a/machines/shinobu/services/router/default.nix b/machines/shinobu/services/router/default.nix
index 830cf8c..519c710 100644
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@@ -12,8 +12,8 @@
 # It consists of shinobu as a router (this configuration),
 # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
 # The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
-# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
-# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
+# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) three layers of NAT:
+# device → NAT on shinobu → NAT on plastic router → PŸUR CGNAT
 #
 # Because the switch only supports GbE,
 # the two clients I currently have with support for 2.5GbE are connected
@@ -45,11 +45,6 @@ in
 ethtool
 ];
- sops.secrets.wg-upstream-private-key = {
- owner = config.users.users.systemd-network.name;
- sopsFile = ../../secrets.yaml;
- };
-
 networking.useDHCP = false;
 systemd.network = {
@@ -63,24 +58,6 @@ in
 Kind = "bridge";
 };
 };
- wg-upstream = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg-upstream";
- };
- wireguardConfig = {
- PrivateKeyFile = config.sops.secrets.wg-upstream-private-key.path;
- FirewallMark = 51820;
- };
- wireguardPeers = lib.singleton {
- wireguardPeerConfig = with cfg.wg-upstream; {
- Endpoint = endpoint.full;
- PublicKey = publicKey;
- AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
- PersistentKeepalive = 25;
- };
- };
- };
 };
 networks = {
 wan = {
@@ -115,66 +92,6 @@ in
 domains = [ cfg.domain ];
 address = [ "10.80.1.1/24" "fd00:80:1::1/64" ];
 };
- wg-upstream = {
- name = "wg-upstream";
- address = cfg.wg-upstream.addresses;
- routingPolicyRules = [
- {
- routingPolicyRuleConfig = {
- Family = "both"; # default is only ipv4
- FirewallMark = cfg.vpnBypassFwMark;
- InvertRule = "yes";
- Table = 51820;
- Priority = 10;
- #SuppressPrefixLength = 0; # can’t be used here (forwarding does not work with it)
- };
- }
- # FIXME: those two shouldn’t be necessary
- # It should automatically detect those routes existing and prioritise them
- # LAN (v4)
- {
- routingPolicyRuleConfig = {
- To = "10.80.1.0/24";
- Priority = 9;
- };
- }
- # LAN (v6)
- {
- routingPolicyRuleConfig = {
- To = "fd00:80:1::/64";
- Priority = 9;
- };
- }
- # wg-home
- {
- routingPolicyRuleConfig = {
- To = "10.80.0.0/24";
- Priority = 9;
- };
- }
- # plastic router
- {
- routingPolicyRuleConfig = {
- To = "192.168.0.0/24";
- Priority = 9;
- };
- }
- ];
- routes = [
- {
- routeConfig = {
- Gateway = "0.0.0.0"; # point-to-point connection
- Table = 51820;
- };
- }
- {
- routeConfig = {
- Gateway = "::";
- Table = 51820;
- };
- }
- ];
- };
 };
 };
 services.resolved.enable = false;
diff --git a/machines/shinobu/services/router/nft.nix b/machines/shinobu/services/router/nft.nix
index d3542cc..dce4ecf 100644
--- a/machines/shinobu/services/router/nft.nix
+++ b/machines/shinobu/services/router/nft.nix
@@ -10,11 +10,7 @@ let
 else lib.generators.mkValueStringDefault { } v;
 } " = ";
- passthru = {
- WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
- WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
- VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
- };
+ passthru = { };
 defines = lib.concatStringsSep "\n"
diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft
index eca0863..4038678 100644
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@@ -1,76 +1,21 @@
 define NAT_LAN_IFACES = { "br-lan" }
-define NAT_WAN_IFACES = { "wg-upstream" }
 define PHYSICAL_WAN = "enp1s0"
-define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
-define PLASTIC_ROUTER_V4 = 192.168.0.1
+define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 table inet filter {
 chain forward {
 type filter hook forward priority filter; policy drop
- # Use MSS clamping
- # to avoid too large packets from client on the lan
- # not going through the tunnel.
- iifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
- oifname wg-upstream tcp flags syn / syn,rst tcp option maxseg size set rt mtu
-
 # allow traffic between lan and wan
 iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept
 iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept
-
- # accept responses on physical wan
- iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ct state established,related counter accept
-
- # allow selected destinations via physical wan
-
- # plastic router
- iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
-
- # all destinations configured via policy based routing
- oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
 }
 }
 table inet nat {
 chain postrouting {
 type nat hook postrouting priority filter; policy accept
- oifname $MASQUERADE_IFACES masquerade
- }
- }
-
- # Bypass VPN by setting mark.
- # This acts in two places that are handled separatly by nftables:
- # Packets from the local host (output hook) and forwared packets (prerouting hook).
- # To simplify the handling,
- # there is a single chain that handles both,
- # which is jumped to from the specific chains.
-table inet vpn-bypass {
- # This must be of type route, otherwise no route lookup will be performed
- chain output {
- type route hook output priority mangle
- jump common
- }
-
- # This does not need to be of type route
- chain prerouting {
- type filter hook prerouting priority mangle
- jump common
- }
-
- chain common {
- tcp dport {
- 22, # SSH
- 443, # HTTPS
- 465, # SMTPS
- 993, # IMAPS
- 2022, # SSH
- 2222, # SSH
- } mark set $VPN_BYPASS_MARK counter
- udp dport {
- 1637, # wg
- 51820, # wg
- 64738, # mumble
- } mark set $VPN_BYPASS_MARK counter
+ oifname $NAT_WAN_IFACES masquerade
 }
 }
@@ -96,20 +41,8 @@ table inet restrict-wan {
 chain postrouting {
 type filter hook postrouting priority 0; policy accept
- # accept connections to plastic router
- oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept
-
- # accept icmpv6
- oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
- # accept connections to selected endpoints
- # VPN (wg-upstream)
- oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
- # destinations configured in VPN bypass
- oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
-
- # drop all other packets
- oifname $PHYSICAL_WAN counter drop
+ # accept connections over physical wan
+ oifname $PHYSICAL_WAN counter accept
 }
 }
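Review bot: `define PLASTIC_ROUTER_V4` is deleted at the top of this hunk and `VPN_BYPASS_MARK` is no longer generated by nft.nix, but old lines 77–95 of rules.nft (the beginning of `table inet restrict-wan`, between this hunk and the next) are not in the diff, so it is not visible whether any rule there still references `$PLASTIC_ROUTER_V4` or `$VPN_BYPASS_MARK`. A dangling `$` reference makes nft reject the whole ruleset at load time, which would leave forwarding without the `policy drop` chain defined here; a grep for both symbols before merging settles it. The retained forward rules — `iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept` plus the reverse `ct state established,related` rule — are the right shape now that enp1s0 is the only uplink. A short comment on the new `define NAT_WAN_IFACES = { $PHYSICAL_WAN }`, e.g. `# the cable box uplink is the only WAN now; kept as a set so a second uplink can be added without touching the rules`, would explain why the indirection survives.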
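Review bot: After this hunk the `postrouting` chain of `table inet restrict-wan` consists of the single rule `oifname $PHYSICAL_WAN counter accept` under `policy accept`, so the table no longer restricts anything and its name and the new comment suggest an egress allow-list that is not there. If lifting egress filtering together with the VPN is the intent, either remove this chain (the table's other chains are outside the hunk, so whether anything still depends on it cannot be judged here) or say so explicitly, e.g. `# egress allow-list dropped together with the VPN uplink; all traffic may leave via the cable box`. If some restriction on what may leave via enp1s0 is still wanted, a `policy drop` chain carrying the previous accept rules minus the VPN endpoint (plastic router, icmpv6 neighbour discovery) would keep the defence-in-depth the old version provided.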