shinobu/router: Route select protocols directly
This commit is contained in:
parent
7a7b385b44
commit
642fea6b8e
|
@ -122,7 +122,7 @@ in
|
|||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # default is only ipv4
|
||||
FirewallMark = 51820;
|
||||
FirewallMark = cfg.vpnBypassFwMark;
|
||||
InvertRule = "yes";
|
||||
Table = 51820;
|
||||
Priority = 10;
|
||||
|
@ -152,14 +152,6 @@ in
|
|||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# VPN bypass
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
Family = "both"; # welcome in the year 2023, where ipv4 is the default
|
||||
FirewallMark = cfg.vpnBypassFwMark;
|
||||
Priority = 9;
|
||||
};
|
||||
}
|
||||
# plastic router
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
|
|
|
@ -11,7 +11,8 @@ let
|
|||
} " = ";
|
||||
|
||||
passthru = {
|
||||
WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address;
|
||||
WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
|
||||
WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
|
||||
VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
|
||||
};
|
||||
|
||||
|
|
|
@ -2,9 +2,6 @@ define NAT_LAN_IFACES = { "br-lan" }
|
|||
define NAT_WAN_IFACES = { "wg-upstream" }
|
||||
define PHYSICAL_WAN = "enp1s0"
|
||||
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
|
||||
define VUEKO_V4 = 168.119.176.53
|
||||
define VUEKO_V6 = 2a01:4f8:c012:2f4::1
|
||||
define VUEKO_PORT = 51820
|
||||
define PLASTIC_ROUTER_V4 = 192.168.0.1
|
||||
|
||||
table inet filter {
|
||||
|
@ -61,8 +58,19 @@ table inet vpn-bypass {
|
|||
}
|
||||
|
||||
chain common {
|
||||
ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
|
||||
ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
|
||||
tcp dport {
|
||||
22, # SSH
|
||||
443, # HTTPS
|
||||
465, # SMTPS
|
||||
993, # IMAPS
|
||||
2022, # SSH
|
||||
2222, # SSH
|
||||
} mark set $VPN_BYPASS_MARK counter
|
||||
udp dport {
|
||||
1637, # wg
|
||||
51820, # wg
|
||||
64738, # mumble
|
||||
} mark set $VPN_BYPASS_MARK counter
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -96,7 +104,7 @@ table inet restrict-wan {
|
|||
|
||||
# accept connections to selected endpoints
|
||||
# VPN (wg-upstream)
|
||||
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept # only this is used
|
||||
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
|
||||
# destinations configured in VPN bypass
|
||||
oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
|
||||
|
||||
|
|
Loading…
Reference in a new issue