Apply tested client configuration
Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel. Better have something tested and working before I start doing "perfect". Signed-off-by: Egor Savkin <es@m-labs.hk>
This commit is contained in:
parent
5066b8cb9e
commit
47e3d4cb88
|
@ -273,13 +273,32 @@ in
|
||||||
};
|
};
|
||||||
wireguard.interfaces = {
|
wireguard.interfaces = {
|
||||||
intl0 = {
|
intl0 = {
|
||||||
ips = [ "10.42.0.2/32" ];
|
ips = [ "10.42.0.2/30" ];
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
privateKeyFile = "/path/to/private/key";
|
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
|
||||||
|
postUp = ''
|
||||||
|
${pkgs.iproute2}/bin/ip rule add from all fwmark 1 lookup 51820
|
||||||
|
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
|
||||||
|
${pkgs.iptables}/bin/iptables -A OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -A INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
|
||||||
|
'';
|
||||||
|
preDown = ''
|
||||||
|
${pkgs.iproute2}/bin/ip rule del from all fwmark 1 lookup 51820
|
||||||
|
${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
|
||||||
|
${pkgs.iptables}/bin/iptables -D OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -D INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
|
||||||
|
${pkgs.iptables}/bin/iptables -t mangle -D OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
|
||||||
|
'';
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
|
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
|
||||||
allowedIPs = [ "0.0.0.0/0" ];
|
allowedIPs = [ "0.0.0.0/0" ];
|
||||||
|
allowedIPsAsRoutes = false;
|
||||||
endpoint = "5.78.86.156:51820";
|
endpoint = "5.78.86.156:51820";
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,6 @@ ns A 94.190.212.123
|
||||||
ns AAAA 2001:470:18:390::2
|
ns AAAA 2001:470:18:390::2
|
||||||
|
|
||||||
mail A 5.78.86.156
|
mail A 5.78.86.156
|
||||||
mail AAAA 2a01:4ff:1f0:83de::1
|
|
||||||
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
||||||
_dmarc TXT "v=DMARC1; p=none"
|
_dmarc TXT "v=DMARC1; p=none"
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue