shinobu/router: Route select protocols directly

2023-09-25 13:50:22 +02:00 · 2023-09-25 13:50:22 +02:00 · 642fea6b8e
parent 7a7b385b44
commit 642fea6b8e
3 changed files with 17 additions and 16 deletions
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@ -122,7 +122,7 @@ in
          {
            routingPolicyRuleConfig = {
              Family = "both"; # default is only ipv4
-              FirewallMark = 51820;
+              FirewallMark = cfg.vpnBypassFwMark;
              InvertRule = "yes";
              Table = 51820;
              Priority = 10;
@ -152,14 +152,6 @@ in
              Priority = 9;
            };
          }
-          # VPN bypass
-          {
-            routingPolicyRuleConfig = {
-              Family = "both"; # welcome in the year 2023, where ipv4 is the default
-              FirewallMark = cfg.vpnBypassFwMark;
-              Priority = 9;
-            };
-          }
          # plastic router
          {
            routingPolicyRuleConfig = {
--- a/machines/shinobu/services/router/nft.nix
+++ b/machines/shinobu/services/router/nft.nix
@ -11,7 +11,8 @@ let
    } " = ";

  passthru = {
-    WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address;
+    WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
+    WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
    VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
  };

--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@ -2,9 +2,6 @@ define NAT_LAN_IFACES = { "br-lan" }
 define NAT_WAN_IFACES = { "wg-upstream" }
 define PHYSICAL_WAN = "enp1s0"
 define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
-define VUEKO_V4 = 168.119.176.53
-define VUEKO_V6 = 2a01:4f8:c012:2f4::1
-define VUEKO_PORT = 51820
 define PLASTIC_ROUTER_V4 = 192.168.0.1

 table inet filter {
@ -61,8 +58,19 @@ table inet vpn-bypass {
 	}

 	chain common {
-		ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
-		ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
+		tcp dport {
+			22, # SSH
+			443, # HTTPS
+			465, # SMTPS
+			993, # IMAPS
+			2022, # SSH
+			2222, # SSH
+		} mark set $VPN_BYPASS_MARK counter
+		udp dport {
+			1637, # wg
+			51820, # wg
+			64738, # mumble
+		} mark set $VPN_BYPASS_MARK counter
 	}
 }

@ -96,7 +104,7 @@ table inet restrict-wan {

 		# accept connections to selected endpoints
 		# VPN (wg-upstream)
-		oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept # only this is used
+		oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
 		# destinations configured in VPN bypass
 		oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept