shinobu/router: Exclude vueko from VPN
This commit is contained in:
parent
826929571b
commit
f71cbedf14
|
@ -26,6 +26,8 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = "home.sbruder.de";
|
domain = "home.sbruder.de";
|
||||||
|
|
||||||
|
noVpnFwMark = 10000;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets.wg-upstream-private-key = {
|
sops.secrets.wg-upstream-private-key = {
|
||||||
|
@ -49,6 +51,11 @@ in
|
||||||
ruleset = ''
|
ruleset = ''
|
||||||
define NAT_LAN_IFACES = { "br-lan" }
|
define NAT_LAN_IFACES = { "br-lan" }
|
||||||
define NAT_WAN_IFACES = { "wg-upstream" }
|
define NAT_WAN_IFACES = { "wg-upstream" }
|
||||||
|
define PHYSICAL_WAN = "enp1s0"
|
||||||
|
define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
|
||||||
|
define VUEKO_V4 = 168.119.176.53
|
||||||
|
define VUEKO_V6 = 2a01:4f8:c012:2f4::
|
||||||
|
define VUEKO_PORT = 51820
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain forward {
|
chain forward {
|
||||||
|
@ -56,6 +63,11 @@ in
|
||||||
|
|
||||||
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
|
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
|
||||||
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
|
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
|
||||||
|
|
||||||
|
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
|
||||||
|
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
|
||||||
|
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
|
||||||
|
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -66,7 +78,17 @@ in
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority filter; policy accept;
|
type nat hook postrouting priority filter; policy accept;
|
||||||
oifname $NAT_WAN_IFACES masquerade;
|
oifname $MASQUERADE_IFACES masquerade;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
table inet mangle {
|
||||||
|
chain output {
|
||||||
|
type route hook output priority mangle;
|
||||||
|
|
||||||
|
# Add fwmark noVpnMark to packets to vueko, so it will get routed correctly
|
||||||
|
ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
|
||||||
|
ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
@ -162,6 +184,14 @@ in
|
||||||
Priority = 9;
|
Priority = 9;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
To = "168.119.176.53";
|
||||||
|
|
||||||
|
FirewallMark = noVpnFwMark;
|
||||||
|
Priority = 9;
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
routes = [
|
routes = [
|
||||||
{
|
{
|
||||||
|
|
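Review bot: The mangle output chain marks IPv6 packets to `$VUEKO_V6` with `noVpnFwMark`, but the only routing policy rule added in the last hunk is IPv4-only (`To = "168.119.176.53";`), so unless an IPv6 rule exists outside this diff the IPv6 mark never changes route selection and those packets still enter the tunnel. The IPv4 endpoint is also spelled twice, once in the nftables `define VUEKO_V4` and once in `To`; a `let` binding such as `vuekoV4 = "168.119.176.53";` interpolated into both places keeps them from drifting. The mark is set only in the `output` hook, so forwarded LAN traffic matched by the new `oifname $PHYSICAL_WAN` forward rules is routed without a mark, and whether those rules ever match depends on routing defined outside this diff. It is also worth confirming that `2a01:4f8:c012:2f4::` is the peer's actual host address rather than a prefix, since without a mask nftables matches that single address only.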