From 5e13fc0bc22059e76ebceca5cf3924b1bf3b8a16 Mon Sep 17 00:00:00 2001
From: Egor Savkin
Date: Wed, 11 Sep 2024 11:04:36 +0800
Subject: [PATCH] Apply tested client configuration

Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel. Better have something tested and working before I start doing "perfect".

Signed-off-by: Egor Savkin
---
nixbld-etc-nixos/configuration.nix | 23 +++++++++++++++++++++--
nixbld-etc-nixos/named/m-labs-intl.com | 1 -
2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 7d6b9cf..68831b7 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -248,13 +248,32 @@ in
 };
 wireguard.interfaces = {
 intl0 = {
- ips = [ "10.42.0.2/32" ];
+ ips = [ "10.42.0.2/30" ];
 listenPort = 51820;
- privateKeyFile = "/path/to/private/key";
+ privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip rule add from all fwmark 1 lookup 51820
+ ${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
+ ${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
+ ${pkgs.iptables}/bin/iptables -A OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -A INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
+ ${pkgs.iptables}/bin/iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ '';
+ preDown = ''
+ ${pkgs.iproute2}/bin/ip rule del from all fwmark 1 lookup 51820
+ ${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
+ ${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
+ ${pkgs.iptables}/bin/iptables -D OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
+ ${pkgs.iptables}/bin/iptables -t mangle -D OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ '';
 peers = [
 {
 publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
 allowedIPs = [ "0.0.0.0/0" ];
+ allowedIPsAsRoutes = false;
 endpoint = "5.78.86.156:51820";
 persistentKeepalive = 25;
 }
diff --git a/nixbld-etc-nixos/named/m-labs-intl.com b/nixbld-etc-nixos/named/m-labs-intl.com
index 0b01275..edd6063 100644
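Review bot: The comment added on the privateKeyFile line names a command that does not exist — `wg-quick` has no `genkey` subcommand (its subcommands are up/down/save/strip); the generator is `wg genkey`, and since the file holds the tunnel's private key the hint should also restrict permissions before writing, e.g. `# (umask 077; wg genkey > /path/to/private/key)`. postUp is not idempotent: `ip rule add` and `iptables -A` stack duplicates whenever the interface is set up again without preDown having run (crash, retry of a half-failed unit), so guarding each append with `iptables -C … || iptables -A …` and giving the policy rule an explicit `priority` that preDown deletes by number would make re-runs safe. The two filter-table rules (`-A INPUT -i intl0 … ESTABLISHED,RELATED -j ACCEPT` and `-A OUTPUT -o intl0 -m connmark …`) are appended behind whatever firewall chains already exist; if `networking.firewall` is enabled on this host, INPUT jumps to `nixos-fw` first and that chain already accepts ESTABLISHED,RELATED, so these look redundant there and `networking.firewall.extraCommands` / `extraStopCommands` would be the conventional, reload-safe home for them. The mark rules match `-p tcp` only, so UDP or ICMP arriving over intl0 from outside the /30 is answered via the main table (asymmetric, and likely dropped on the far side); if SMTP-only is the intent, a one-line comment above postUp stating it would spare the next reader the analysis. Finally, `postUp`/`preDown` and a per-peer `allowedIPsAsRoutes` read like `networking.wg-quick` / interface-level option names; the enclosing attribute path starts before this hunk, but if this block is under `networking.wireguard.interfaces` the hooks are `postSetup`/`preShutdown` and `allowedIPsAsRoutes` belongs at interface level, so it is worth confirming the configuration still evaluates.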
--- a/nixbld-etc-nixos/named/m-labs-intl.com
+++ b/nixbld-etc-nixos/named/m-labs-intl.com
@@ -23,7 +23,6 @@
 ns A 94.190.212.123
 ns AAAA 2001:470:18:390::2
 mail A 5.78.86.156
-mail AAAA 2a01:4ff:1f0:83de::1
 mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc TXT "v=DMARC1; p=none"