WIP: Use postfix options for routing mails through tunnel #45
@ -248,13 +248,32 @@ in
};
};
wireguard.interfaces = {
wireguard.interfaces = {
intl0 = {
intl0 = {
ips = [ "10.42.0.2/32" ];
ips = [ "10.42.0.2/30" ];
listenPort = 51820;
listenPort = 51820;
privateKeyFile = "/path/to/private/key";
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
postUp = ''
${pkgs.iproute2}/bin/ip rule add from all fwmark 1 lookup 51820
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -A OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -A INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
esavkin
commented
TODO: needs disabling routing tables (`Table = off` in wg conf file), so it will open the interface and let apps choose to use the interface instead of forwarding all the traffic
sb10q
commented
You need to set up the policy-based routing for the interface choosing part, as has been done before with the existing altnet and HKBN connections.
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from all fwmark 1 lookup 51820
${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -D OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -D INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -D OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
'';
peers = [
peers = [
{
{
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
allowedIPs = [ "0.0.0.0/0" ];
allowedIPs = [ "0.0.0.0/0" ];
allowedIPsAsRoutes = false;
endpoint = "5.78.86.156:51820";
endpoint = "5.78.86.156:51820";
persistentKeepalive = 25;
persistentKeepalive = 25;
}
}
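Review bot: The marking added in postUp only classifies connections that arrive over intl0 (`-t mangle -A PREROUTING ... -i intl0 ... -j CONNMARK --save-mark`), so connections Postfix opens itself get no mark in OUTPUT and leave via the main default route instead of table 51820; if outbound mail is meant to egress from 5.78.86.156, the Postfix options named in the PR title (not in this hunk) or an `-m owner --uid-owner postfix` mangle OUTPUT rule would have to set that mark — worth confirming. Marked packets from arbitrary Internet sources arrive on intl0 while the main table routes those sources elsewhere, so a strict reverse-path filter would presumably drop them before the mangle rule runs; the hunk does not touch the reverse-path setting, so check it is loose for this interface. The new comment on privateKeyFile names a subcommand that does not exist — `wg-quick` has no `genkey`, it is `wg genkey` — and the key file should be created with restrictive permissions, e.g. `# (umask 077 && wg genkey > /path/to/private/key)`. `ip rule add from all fwmark 1 lookup 51820` has no explicit priority, so a re-run postUp stacks duplicate rules; give both the `add` and the preDown `del` a fixed `pref` so exactly the added rule is removed. The enclosing configuration continues outside the hunk.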
@ -23,7 +23,6 @@ ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
_dmarc TXT "v=DMARC1; p=none"
I think you'd want /31 and then route the default traffic on table 3 through 10.42.0.1 (which would be the VPS)?
I suppose you are then using a regular NAT on the VPS to forward that to the internet and also do the port redirections? Sounds hacky but should work.
This IP is to acquire.
But for now its a draft anyway, I'll test and update.
If you use /32 then you can't reach any other hosts.
Also with a /31 the last digits should be .0 and .1, .2 is not going to work.
What does that mean anyway?
It corresponds to Interface.Address in the wg.conf, which results in
ip -4 address add 10.42.0.2/32 dev intl0
. Routes are done separately. And to where will you route? I repeat: with a /32 address you cannot reach any other host.
For example
ip route add 10.42.0.0/30 dev wg0
. The current problem with the nix configuration is to ensure that it doesn't route too much by default, as happens with wg.conf (but it can be disabled by disabling tables).
And why not just set the correct netmask in the first place?
Regarding the routing tables: You complain about strongswan (despite having been provided with fully working configuration files where you just had to change the IP addresses), but you should note that it doesn't mess up the routing tables. Your private network/NAT hack would also work with strongswan.