author | Ben Sima <ben@bsima.me> | 2023-10-09 15:12:06 -0400 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2023-10-10 13:16:49 -0400 |
commit | 39481b42c19f91ee714987176937c089d2c170cb (patch) | |
tree | d526d0e850ed94310cd566e3ac6917753b90bc5d /Biz/Dev/Wireguard.nix | |
parent | 6baad9c5fae4a7b8ea07376a0be52443eaa488fa (diff) |
Add beryllium and connect via VPN
I finally got everything set up for the new dev machine, but I ran into a
networking problem: I can't tell my home router to expose the ssh port 22 to
multiple hosts. I could have made beryllium use a different port, but instead I
decided to use tailscale, and this seems to work well. I still don't have
hostname routing working, but maybe that's a simple config in tailscale
somewhere.
Eventually I will get all intra-networking stuff to use a vpn, but for now just
using it for beryllium is fine.
Diffstat (limited to 'Biz/Dev/Wireguard.nix')
-rw-r--r-- | Biz/Dev/Wireguard.nix | 72 |
1 files changed, 0 insertions, 72 deletions
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
deleted file mode 100644
index 90f425e..0000000
--- a/Biz/Dev/Wireguard.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ lib, pkgs, ... }:
-
-/*
-Wireguard VPN server
-
-References:
-
-- https://nixos.wiki/wiki/WireGuard
-- https://wireguard.how/client/ios/
-*/
-
-let
- ports = import ../Cloud/Ports.nix;
- ips = "10.100.0.1/24";
-
- # a micro-library for creating iptables rules
- iptables = rec {
- bin = "${pkgs.iptables/bin/iptables}";
- append = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--append" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
- delete = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--delete" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
-
- };
-in {
- networking.nat.enable = true;
- networking.nat.externalInterface = "eth0";
- networking.nat.internalInterfaces = [ "wg0" ];
- networking.firewall.allowedUDPPorts = [ ports.wireguard ];
-
- networking.wireguard-tools.enable = true;
-
- networking.wireguard-tools.interfaces = {
- wg0 = {
- ips = [ ips ];
- allowedIPsAsRoutes = true;
- listenPort = ports.wireguard;
- postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- privateKeyFile = "/var/wireguard/private";
-
- peers = [
- #{ # helium
- # publicKey = "";
- # allowedIPs = [ "10.100.0.2/32" ];
- #}
- { # ben's iPhone
- publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
- allowedIPs = [ "10.100.0.3/32" ];
- }
- ];
- };
- };
-}