shinobu/router: Exclude vueko from VPN

This commit is contained in:
Simon Bruder 2023-08-08 14:20:21 +02:00
parent 826929571b
commit f71cbedf14
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -26,6 +26,8 @@
{ config, lib, pkgs, ... }:
let
domain = "home.sbruder.de";
noVpnFwMark = 10000;
in
{
sops.secrets.wg-upstream-private-key = {
@ -49,6 +51,11 @@ in
ruleset = ''
define NAT_LAN_IFACES = { "br-lan" }
define NAT_WAN_IFACES = { "wg-upstream" }
define PHYSICAL_WAN = "enp1s0"
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
define VUEKO_V4 = 168.119.176.53
define VUEKO_V6 = 2a01:4f8:c012:2f4::
define VUEKO_PORT = 51820
table inet filter {
chain forward {
@ -56,6 +63,11 @@ in
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept;
}
}
@ -66,7 +78,17 @@ in
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname $NAT_WAN_IFACES masquerade;
oifname $MASQUERADE_IFACES masquerade;
}
}
table inet mangle {
chain output {
type route hook output priority mangle;
# Add fwmark noVpnMark to packets to vueko, so it will get routed correctly
ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
}
}
'';
@ -162,6 +184,14 @@ in
Priority = 9;
};
}
{
routingPolicyRuleConfig = {
To = "168.119.176.53";
FirewallMark = noVpnFwMark;
Priority = 9;
};
}
];
routes = [
{
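Review bot: The IPv6 half of the exclusion looks incomplete: the new mangle chain marks packets to `$VUEKO_V6` with `noVpnFwMark` (fourth hunk), but the only routing policy rule added in this hunk is `To = "168.119.176.53"`, so marked v6 packets presumably still follow the VPN default route unless a v6 rule already exists outside the hunk. If none does, a parallel rule for `2a01:4f8:c012:2f4::` with the same `FirewallMark` and `Priority` is needed, as sketched below. Note also that the mangle chain hooks `output`, which marks only router-originated packets; forwarded LAN traffic that the new forward rules in the third hunk expect on `$PHYSICAL_WAN` would need an equivalent mark in a prerouting chain to take the same exit, if that is the intent. Finally, the vueko addresses are now spelled out twice (nft `define` and the networkd rule); binding them in the `let` block next to `noVpnFwMark` and interpolating both places would keep them from drifting.
```nix
# … unchanged: existing v4 rule for 168.119.176.53 …
{
  routingPolicyRuleConfig = {
    To = "2a01:4f8:c012:2f4::";
    FirewallMark = noVpnFwMark;
    Priority = 9;
  };
}
```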