Compare commits

...

9 Commits

Author SHA1 Message Date
Egor Savkin 6382326316 Use IPv6 for WG transport to decrease latency by 20%
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-13 15:06:34 +08:00
Egor Savkin 2f1c11d779 Ip rules instead of iptables tracking
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-11 11:28:03 +08:00
Egor Savkin 5e13fc0bc2 Apply tested client configuration
Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel.
Better have something tested and working before I start doing "perfect".

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-11 11:04:36 +08:00
Egor Savkin 4ae7af98b2 Use wireguard instead of strongswan since its in the kernel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-09 15:12:34 +08:00
Egor Savkin ebe55e2fa6 WIP: Use gre/ipsec instead of proxy
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-06 17:31:17 +08:00
Egor Savkin a6f30cff27 Use proxychains-ng instead of tsocks
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-03 17:11:24 +08:00
Egor Savkin f083672e66 Use tsocks to wrap socks and add sock transport type
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-03 17:11:24 +08:00
Egor Savkin f46adfd8d3 Use wildcard instead of explicit specification
As in example at https://www.postfix.org/transport.5.html

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-03 17:11:24 +08:00
Egor Savkin 694d908339 Use postfix options for routing mails through ssh tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-09-03 17:11:24 +08:00
2 changed files with 47 additions and 3 deletions

View File

@ -90,7 +90,7 @@ in
hostId = "e423f012";
firewall = {
allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
allowedUDPPorts = [ 53 67 500 4500 51820 ];
trustedInterfaces = [ netifLan ];
};
useDHCP = false;
@ -246,6 +246,30 @@ in
}
];
};
wireguard.interfaces = {
intl0 = {
ips = [ "10.42.0.2/30" ];
listenPort = 51820;
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
postUp = ''
${pkgs.iproute2}/bin/ip rule add from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
'';
peers = [
{
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
allowedIPs = [ "0.0.0.0/0" ];
allowedIPsAsRoutes = false;
endpoint = "2a01:4ff:1f0:83de::1:51820";
persistentKeepalive = 25;
}
];
};
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
@ -1178,6 +1202,18 @@ in
};
};
environment.etc."postfix/sender_relay".text = ''
m-labs-intl.com smtptun:
* :
'';
systemd.services.postfix-rebuild-sender-relay = {
description = "Postfix Rebuild Sender Dependent Relayhost Maps";
serviceConfig = {
ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
};
wantedBy = [ "multi-user.target" ];
};
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
@ -1186,8 +1222,17 @@ in
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix);
services.postfix = {
config = {
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
masterConfig.smtptun = {
type = "smtp";
command = "smtp";
args = "-o smtp_bind_address=10.42.0.2";
};
};
};
services.roundcube = {
enable = true;
hostName = "mail.m-labs.hk";

View File

@ -23,7 +23,6 @@ ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"