shinobu/router: Exclude vueko from VPN

2023-08-08 14:20:21 +02:00 · 2023-08-08 14:20:21 +02:00 · f71cbedf14
parent 826929571b
commit f71cbedf14
1 changed files with 31 additions and 1 deletions
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@ -26,6 +26,8 @@
 { config, lib, pkgs, ... }:
 let
  domain = "home.sbruder.de";
+
+  noVpnFwMark = 10000;
 in
 {
  sops.secrets.wg-upstream-private-key = {
@ -49,6 +51,11 @@ in
      ruleset = ''
        define NAT_LAN_IFACES = { "br-lan" }
        define NAT_WAN_IFACES = { "wg-upstream" }
+        define PHYSICAL_WAN = "enp1s0"
+        define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
+        define VUEKO_V4 = 168.119.176.53
+        define VUEKO_V6 = 2a01:4f8:c012:2f4::
+        define VUEKO_PORT = 51820

        table inet filter {
          chain forward {
@ -56,6 +63,11 @@ in

            iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
            iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+
+            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
+            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
+            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
+            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept;
          }
        }

@ -66,7 +78,17 @@ in

          chain postrouting {
            type nat hook postrouting priority filter; policy accept;
-            oifname $NAT_WAN_IFACES masquerade;
+            oifname $MASQUERADE_IFACES masquerade;
+          }
+        }
+
+        table inet mangle {
+          chain output {
+            type route hook output priority mangle;
+
+            # Add fwmark noVpnMark to packets to vueko, so it will get routed correctly
+            ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
+            ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
          }
        }
      '';
@ -162,6 +184,14 @@ in
              Priority = 9;
            };
          }
+          {
+            routingPolicyRuleConfig = {
+              To = "168.119.176.53";
+
+              FirewallMark = noVpnFwMark;
+              Priority = 9;
+            };
+          }
        ];
        routes = [
          {