fix wg-sigma-p2p again

This commit is contained in:
Casper V. Kristensen 2024-03-03 18:01:20 +01:00
parent 1d21de1b33
commit 8314702635
5 changed files with 9 additions and 64 deletions

View file

@ -41,9 +41,9 @@
name = "wg-sigma-public";
};
# The following routes traffic destined for a secret floating IP to sigma
# through wireguard. This allows the server to have a public address and
# help others sail the high seas even though it is behind NAT.
# The following routes traffic destined for 116.203.6.156 (floating IP) to
# sigma through wireguard. This allows the server to have a public address
# and help others sail the high seas even though it is behind NAT.
netdevs."51-wg-sigma-p2p" = {
netdevConfig = {
Name = "wg-sigma-p2p";
@ -58,9 +58,7 @@
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
# Add to the main routing table that traffic for the address should
# be sent to sigma.
AllowedIPs = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.netdev.d/address.conf below
AllowedIPs = [ "116.203.6.156/32" ];
RouteTable = "main";
};
}
@ -71,14 +69,6 @@
};
};
# To keep the address of the wg-sigma-p2p interface secret, it is not
# configured here directly but instead contained in an encrypted file which
# is decrypted and symlinked to the netdevs's "drop-in" directly, causing it
# to be merged into the configuration.
environment.etc."systemd/network/51-wg-sigma-p2p.netdev.d/address.conf" = {
source = config.age.secrets.netdev-51-wg-sigma-p2p-address.path;
};
# Enable forwarding of packets
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
@ -102,11 +92,4 @@
owner = "root";
group = "systemd-network";
};
age.secrets.netdev-51-wg-sigma-p2p-address = {
file = ../../secrets/netdev-51-wg-sigma-p2p-address.age;
mode = "644";
owner = "root";
group = "systemd-network";
};
}

View file

@ -55,9 +55,9 @@
};
# The following establishes a wireguard tunnel to alpha and configures
# receiving traffic destined for a secret address. This allows the server
# to have a public address and help others sail the high seas even though
# it is behind NAT.
# receiving traffic destined for 116.203.6.156. This allows the server to
# have a public address and help others sail the high seas even though it
# is behind NAT.
netdevs."51-wg-sigma-p2p" = {
netdevConfig = {
Name = "wg-sigma-p2p";
@ -72,17 +72,7 @@
PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
Endpoint = "alpha.caspervk.net:51821";
# Keep NAT mappings and stateful firewalls open at the ISP
PersistentKeepalive = 25;
# AllowedIPs is both an ACL for incoming traffic, as well as a
# routing table specifying to which peer outgoing traffic should be
# sent. We want to allow incoming traffic from any address on the
# internet (routed through alpha), but only replies to this should
# be routed back over wireguard. Unlike if we had used NAT, IP
# routes are stateless, so we have no notion of "replies". Instead,
# we add these routes to a specific routing table and configure a
# routing policy rule to only use it for packets being sent as the
# p2p IP.
AllowedIPs = [ "0.0.0.0/0" ];
RouteTable = "wg-sigma-p2p";
};
@ -91,11 +81,11 @@
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
address = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.network.d/address.conf below
address = [ "116.203.6.156/32" ];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "a.b.c.d/32"; # see 51-wg-sigma-p2p.network.d/address.conf below
From = "116.203.6.156/32";
Table = "wg-sigma-p2p";
};
}
@ -103,14 +93,6 @@
};
};
# To keep the address of the wg-sigma-p2p interface secret, it is not
# configured here directly but instead contained in an encrypted file which
# is decrypted and symlinked to the network's "drop-in" directly, causing it
# to be merged into the configuration.
environment.etc."systemd/network/wg-sigma-p2p.network.d/address.conf" = {
source = config.age.secrets.network-wg-sigma-p2p-address.path;
};
age.secrets.wireguard-preshared-key-file = {
file = ../../secrets/wireguard-preshared-key-file.age;
mode = "640";
@ -124,11 +106,4 @@
owner = "root";
group = "systemd-network";
};
age.secrets.network-wg-sigma-p2p-address = {
file = ../../secrets/network-wg-sigma-p2p-address.age;
mode = "644";
owner = "root";
group = "systemd-network";
};
}

View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 KjvmEQ o+mkItId5k1qUiWa5Q7Jk6pLXYgVZTZibF3ec+lfoX4
AnV6s7gOAxr3B3PZGZDa7FMthhdGXpGHcxFOy+15oLk
-> X25519 Ry3b2t2TNkqdGJmttprAlLKMmReBLEFjaD+/2o8fv0c
AMraYoxsvx79k+9behN3YhayyZhUCMsJHzrF9K4cRvk
--- qR5De+RcL3W/NKnzNqJ2UOlScPvNfZQ2LusPAc270ek
¹DÛ,( •<>¥ÚÅh¢ÿ~$ióŽ/LsÙe
½sÙªa\“}üW~@…Œƒâþ> Â>J­vRMY¾ðƒ´ñ_WÕðg£:,èKõ3mÅþ>Mß}trÄB‡H,•ž´q¸ôåœP"FÇá9Â9<Ó>QÃÞµ3
šXA¥¤¹$çÖ¥ŠGÜ­y¶:©AÃn8²<38>W<à ÂýŽp ¨ÏÕÿ«YµPik_‰"@G÷@'À¶Ëo|åÑ<C3A5>/[ˆáŽWþS»Âæ€4òºÁy‡N`h½Æ½¯"@h…ÌIg-†Þ

View file

@ -22,10 +22,6 @@ in
builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) {
"users-hashed-password-file.age" = all;
# Secret network addresses
"netdev-51-wg-sigma-p2p-address.age" = [ alpha ];
"network-wg-sigma-p2p-address.age" = [ omega ];
## Wireguard
# The preshared key adds an additional layer of symmetric-key crypto to be
# mixed into the already existing public-key crypto, for post-quantum