From 642fea6b8e641f1a03a790c638a525c2313bd52c Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Mon, 25 Sep 2023 13:50:22 +0200
Subject: [PATCH] shinobu/router: Route select protocols directly

---
 machines/shinobu/services/router/default.nix | 10 +---------
 machines/shinobu/services/router/nft.nix | 3 ++-
 machines/shinobu/services/router/rules.nft | 20 ++++++++++++++------
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/machines/shinobu/services/router/default.nix b/machines/shinobu/services/router/default.nix
index 40df7a4..830cf8c 100644
--- a/machines/shinobu/services/router/default.nix
+++ b/machines/shinobu/services/router/default.nix
@@ -122,7 +122,7 @@ in
 {
 routingPolicyRuleConfig = {
 Family = "both"; # default is only ipv4
- FirewallMark = 51820;
+ FirewallMark = cfg.vpnBypassFwMark;
 InvertRule = "yes";
 Table = 51820;
 Priority = 10;
@@ -152,14 +152,6 @@ in
 Priority = 9;
 };
 }
- # VPN bypass
- {
- routingPolicyRuleConfig = {
- Family = "both"; # welcome in the year 2023, where ipv4 is the default
- FirewallMark = cfg.vpnBypassFwMark;
- Priority = 9;
- };
- }
 # plastic router
 {
 routingPolicyRuleConfig = {
diff --git a/machines/shinobu/services/router/nft.nix b/machines/shinobu/services/router/nft.nix
index 103aba8..d3542cc 100644
--- a/machines/shinobu/services/router/nft.nix
+++ b/machines/shinobu/services/router/nft.nix
@@ -11,7 +11,8 @@ let
 }
 " = ";
 passthru = {
- WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address;
+ WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
+ WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
 VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
 };
 
diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft
index 0aaa42a..eca0863 100644
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
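Review bot: With `FirewallMark = cfg.vpnBypassFwMark;` next to `InvertRule = "yes";`, the only traffic kept out of table 51820 is what the nftables vpn-bypass table has marked, so the tunnel's own encapsulated packets stay out of the VPN table only as long as the port set in rules.nft covers `cfg.wg-upstream.endpoint.port`; the replaced literal 51820 presumably matched a WireGuard FwMark configured outside this hunk. That coupling deserves a comment on the rule, e.g. `# unmarked traffic is routed via the VPN table; the nft vpn-bypass chain must also mark wg-upstream's own endpoint traffic, or it would be sent into the tunnel too`. `Table = 51820;` is still a literal now that the mark comes from an option; a named value or a short comment would keep the two from drifting apart. The routingPolicyRules list this entry belongs to starts and ends outside the hunk.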
@@ -2,9 +2,6 @@ define NAT_LAN_IFACES = { "br-lan" }
 define NAT_WAN_IFACES = { "wg-upstream" }
 define PHYSICAL_WAN = "enp1s0"
 define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
-define VUEKO_V4 = 168.119.176.53
-define VUEKO_V6 = 2a01:4f8:c012:2f4::1
-define VUEKO_PORT = 51820
 define PLASTIC_ROUTER_V4 = 192.168.0.1
 
 table inet filter {
@@ -61,8 +58,19 @@ table inet vpn-bypass {
 }
 
 chain common {
- ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
- ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
+ tcp dport {
+ 22, # SSH
+ 443, # HTTPS
+ 465, # SMTPS
+ 993, # IMAPS
+ 2022, # SSH
+ 2222, # SSH
+ } mark set $VPN_BYPASS_MARK counter
+ udp dport {
+ 1637, # wg
+ 51820, # wg
+ 64738, # mumble
+ } mark set $VPN_BYPASS_MARK counter
 }
 }
 
@@ -96,7 +104,7 @@ table inet restrict-wan {
 
 # accept connections to selected endpoints
 # VPN (wg-upstream)
- oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept # only this is used
+ oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
 # destinations configured in VPN bypass
 oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
 
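Review bot: The replacement rules in `chain common` match on destination port only, so any flow to TCP 22, 443, 465, 993, 2022 or 2222 or to UDP 1637, 51820 or 64738 receives the bypass mark whatever its destination, whereas the removed `ip daddr $VUEKO_V4` / `ip6 daddr $VUEKO_V6` rules limited the bypass to one endpoint; together with the `mark $VPN_BYPASS_MARK counter accept` rule in restrict-wan, all of that traffic, HTTPS included, leaves on the physical WAN outside the tunnel. If that is the intended policy, as the commit title suggests, record it in the file, e.g. `# policy: these protocols leave via the physical WAN for every destination, not through wg-upstream`; if only certain peers should bypass, add matching `ip daddr { … }` / `ip6 daddr { … }` constraints. The two `# wg` entries are literals while nft.nix now exports `WG_UPSTREAM_ENDPOINT_PORT`; writing `$WG_UPSTREAM_ENDPOINT_PORT, # wg-upstream` in the udp set keeps a port change in the Nix option from silently leaving the tunnel's own endpoint traffic unmarked. The hooks that jump to `chain common` are outside the hunk.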
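Review bot: The tightened rule still uses `ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS`, which matches an IPv4 address only, so if `cfg.wg-upstream.endpoint.address` can hold an IPv6 address the rule never matches and the endpoint traffic is accepted, if at all, only through the bypass-mark rule two lines below. The trailing `# only this is used` reads as "only IPv4 is used" but does not say so; if the option is IPv4-only by construction, make it explicit, e.g. `# endpoint is IPv4 only; ip daddr does not match an ip6 endpoint`, otherwise a parallel `ip6 daddr` rule is needed. The chain's type/hook line is outside the hunk.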