wg-sigma-p2p

This commit is contained in:
Casper V. Kristensen 2024-02-28 00:49:48 +01:00
parent 6936031d57
commit 1822623bd5
6 changed files with 142 additions and 2 deletions

View file

@ -40,6 +40,43 @@
networks."wg-sigma-public" = {
name = "wg-sigma-public";
};
# The following routes traffic destined for a secret floating IP to sigma
# through wireguard. This allows the server to have a public address and
# help others sail the high seas even though it is behind NAT.
netdevs."51-wg-sigma-p2p" = {
netdevConfig = {
Name = "wg-sigma-p2p";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51821;
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-alpha.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
AllowedIPs = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.netdev.d/address.conf below
RouteTable = "main";
};
}
];
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
};
};
# To keep the address of the wg-sigma-p2p interface secret, it is not
# configured here directly but instead contained in an encrypted file which
# is decrypted and symlinked to the netdevs's "drop-in" directly, causing it
# to be merged into the configuration.
environment.etc."systemd/network/51-wg-sigma-p2p.netdev.d/address.conf" = {
source = config.age.secrets.netdev-51-wg-sigma-p2p-address.path;
};
# Enable forwarding of packets
@ -49,7 +86,7 @@
};
networking = {
firewall.allowedUDPPorts = [ 51820 ];
firewall.allowedUDPPorts = [ 51820 51821 ];
};
age.secrets.wireguard-preshared-key-file = {
@ -65,4 +102,11 @@
owner = "root";
group = "systemd-network";
};
age.secrets.netdev-51-wg-sigma-p2p-address = {
file = ../../secrets/netdev-51-wg-sigma-p2p-address.age;
mode = "644";
owner = "root";
group = "systemd-network";
};
}

View file

@ -1,4 +1,4 @@
{ ... }: {
{ pkgs, ... }: {
imports = [
../../overlays
../../modules/base
@ -9,6 +9,23 @@
./sway.nix
];
systemd.services.qbittorrent = {
description = "qBittorrent service";
documentation = [ "man:qbittorrent-nox(1)" ];
wantedBy = [ "multi-user.target" ];
wants = [ "multi-user.target" ];
after = [ "network-online.target" "nss-lookup.target" ];
serviceConfig = {
Type = "exec";
User = "caspervk";
Group = "users";
ExecStart = pkgs.writers.writeBash "asd" ''
while true; do ${pkgs.curl}/bin/curl ip.caspervk.net; echo; sleep 1; done
'';
RestrictNetworkInterfaces = "wg-sigma-public";
};
};
networking.hostName = "omega";
boot = {

View file

@ -3,8 +3,10 @@
config = {
routeTables = {
"wg-sigma-public" = 822944075;
"wg-sigma-p2p" = 2553;
};
};
# The following establishes a wireguard tunnel to alpha and configures
# receiving traffic destined for 49.13.33.75. This allows us to have a
# public address even though we are behind NAT.
@ -51,6 +53,62 @@
}
];
};
# The following establishes a wireguard tunnel to alpha and configures
# receiving traffic destined for a secret address. This allows the server
# to have a public address and help others sail the high seas even though
# it is behind NAT.
netdevs."51-wg-sigma-p2p" = {
netdevConfig = {
Name = "wg-sigma-p2p";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets.wireguard-private-key-file-omega.path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51821";
# Keep NAT mappings and stateful firewalls open at the ISP
PersistentKeepalive = 25;
# AllowedIPs is both an ACL for incoming traffic, as well as a
# routing table specifying to which peer outgoing traffic should be
# sent. We want to allow incoming traffic from any address on the
# internet (routed through alpha), but only replies to this should
# be routed back over wireguard. Unlike if we had used NAT, IP
# routes are stateless, so we have no notion of "replies". Instead,
# we add these routes to a specific routing table and configure a
# routing policy rule to only use it for packets being sent as the
# p2p IP.
AllowedIPs = [ "0.0.0.0/0" ];
RouteTable = "wg-sigma-p2p";
};
}
];
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
address = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.network.d/address.conf below
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "a.b.c.d/32"; # see 51-wg-sigma-p2p.network.d/address.conf below
Table = "wg-sigma-p2p";
};
}
];
};
};
# To keep the address of the wg-sigma-p2p interface secret, it is not
# configured here directly but instead contained in an encrypted file which
# is decrypted and symlinked to the network's "drop-in" directly, causing it
# to be merged into the configuration.
environment.etc."systemd/network/wg-sigma-p2p.network.d/address.conf" = {
source = config.age.secrets.network-wg-sigma-p2p-address.path;
};
age.secrets.wireguard-preshared-key-file = {
@ -66,4 +124,11 @@
owner = "root";
group = "systemd-network";
};
age.secrets.network-wg-sigma-p2p-address = {
file = ../../secrets/network-wg-sigma-p2p-address.age;
mode = "644";
owner = "root";
group = "systemd-network";
};
}

View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 KjvmEQ KHs2wpoeVRMRODmNP5aXUZwPyzj+f0nDzs+QyqqdMC8
QBtN5ziC8xV6Vv67EtCd3OzIqpmHqO0rjIsewg4ZU+0
--- 2zfN2Xr9I3HU+JiZKsE5/Jd8nMcYHxaojp0SOEVxcCM
]£oUƒ¼}â"í´n‰dàÆ"§¦M {ÿä¨ðõ!ý*I<02>žŠÒ³Õ†q<E280A0>øtmªGË<¿cìo>qèPanæÉÚlúŸ

View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 fY+XUg 6FX0EMF2JhModB3nAZBAhmU2/BqoVGlKaqAJen8fC0o
84JMPFpGxJoTHe+zN/szYbZuVCtepzvje8I4anpE67I
--- vHjS868e8KhzDv+nD8p/+Te8LPkvbLcMEOuK36Xfngk
~suÃLQÄ6t´Ê—û4}à1—߯ò†­x3{/´ŸŠÁú"Ή5/²þbSÈ3ÜkrÑ_v 0rn5Šò ƒJÆÇÞ«Èò/ÌôÊm³3¢ÓôRäµuj2¢5Hd´

View file

@ -22,6 +22,10 @@ in
{
"users-hashed-password-file.age".publicKeys = all;
# Secret network addresses
"netdev-51-wg-sigma-p2p-address.age".publicKeys = [ alpha ];
"network-wg-sigma-p2p-address.age".publicKeys = [ omega ];
## Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum