From afc18704d02571b865bd42db7764d54d065fe003 Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Sat, 7 Oct 2023 09:33:26 -0700
Subject: [PATCH] Add wireguard client to Kestrel

---
 home/private_dot_wireguard/kestrel.pub       | 1 +
 home/private_dot_wireguard/kestrel.tmpl      | 1 +
 .../nixos/hosts/kestrel/configuration.nix    | 7 +++-
 .../nixos/hosts/kestrel/wireguard-client.nix | 42 +++++++++++++++++++
 .../nixos/hosts/torus/wireguard-server.nix   | 5 +++
 5 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 home/private_dot_wireguard/kestrel.pub
 create mode 100644 home/private_dot_wireguard/kestrel.tmpl
 create mode 100644 provision/nixos/hosts/kestrel/wireguard-client.nix

diff --git a/home/private_dot_wireguard/kestrel.pub b/home/private_dot_wireguard/kestrel.pub
new file mode 100644
index 00000000..d4d0402e
--- /dev/null
+++ b/home/private_dot_wireguard/kestrel.pub
@@ -0,0 +1 @@
+hPso657fppLYvBU31Rtqqg792JEoPv7r82JgLoF8S2Y=
diff --git a/home/private_dot_wireguard/kestrel.tmpl b/home/private_dot_wireguard/kestrel.tmpl
new file mode 100644
index 00000000..400eef8b
--- /dev/null
+++ b/home/private_dot_wireguard/kestrel.tmpl
@@ -0,0 +1 @@
+{{ (secret "Wireguard - Kestrel Secret" "NOTES") }}
diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix
index 59d45c57..7ce1e3f3 100644
--- a/provision/nixos/hosts/kestrel/configuration.nix
+++ b/provision/nixos/hosts/kestrel/configuration.nix
@@ -1,5 +1,10 @@
 { config, pkgs, user, lib, ... }:
 {
+  imports = [
+    ./wireguard-client.nix
+    ../../modules
+  ];
+
   nix = {
     package = pkgs.nixFlakes;
     extraOptions = "experimental-features = nix-command flakes";
@@ -32,7 +37,6 @@
 
   # Set networking options
   networking.hostName = "kestrel";
-  networking.networkmanager.enable = true;
   networking.firewall.checkReversePath = "loose";
   networking.firewall.enable = false;
 
@@ -63,7 +67,6 @@
   ];
 
   # Enable modules
-  imports = [ ../../modules ];
   modules = {
     desktop = {
       sway.enable = true;
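Review bot: The private key template `home/private_dot_wireguard/kestrel.tmpl` carries no `private_` attribute, so chezmoi will write `~/.wireguard/kestrel` with its default file mode rather than 0600; only the enclosing `private_dot_wireguard` directory is marked private. Renaming the source file to `private_kestrel.tmpl` gives the key file itself 0600, while the sibling `kestrel.pub` can stay as it is since it holds only the public half. That target path is the one `wireguard-client.nix` reads as `privateKeyFile`, so the two should be kept in step if the name changes.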
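Review bot: The removal of `networking.networkmanager.enable = true;` in the second hunk of configuration.nix is not covered by the commit subject and carries no explanation, yet it changes how every interface on kestrel is managed, not only wg0. If the motivation is that NetworkManager interferes with the statically configured wg0 — presumably, but not visible here — a one-line comment at that spot would record it, e.g. `# NetworkManager disabled: it interferes with the statically managed wg0 (see wireguard-client.nix)`; if it is unrelated, it belongs in its own commit. Note also that `networking.firewall.enable = false;` stays in place as a context line of the same hunk, which makes the `allowedUDPPorts` rule added in the new wireguard-client.nix a no-op on this host.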
diff --git a/provision/nixos/hosts/kestrel/wireguard-client.nix b/provision/nixos/hosts/kestrel/wireguard-client.nix
new file mode 100644
index 00000000..0c23b6e8
--- /dev/null
+++ b/provision/nixos/hosts/kestrel/wireguard-client.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, user, lib, ... }:
+{
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+  };
+  # Enable WireGuard
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "192.168.2.3/32" ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+      # Path to the private key file.
+      #
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/home/${user}/.wireguard/kestrel";
+
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+
+        {
+          # Public key of the server (not a file path).
+          publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
+
+          # Forward all the traffic via VPN.
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          # Or forward only particular subnets
+          #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
+
+          # Set this to the server IP and port.
+          endpoint = "192.168.1.175:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
diff --git a/provision/nixos/hosts/torus/wireguard-server.nix b/provision/nixos/hosts/torus/wireguard-server.nix
index f039a55d..7c88f1c8 100644
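Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` at the top of the new file has no effect on kestrel, because the host's configuration.nix (visible as context elsewhere in this patch) keeps `networking.firewall.enable = false;`, so the comment tying `listenPort` to the firewall describes a rule that is never installed; either enable the firewall in this module or keep the entry and say why, e.g. `# Host firewall is disabled in configuration.nix; kept so the rule is in place if it is re-enabled`. `allowedIPs` routes `::/0` into the tunnel while `ips` gives wg0 only an IPv4 address, so IPv6 destinations will presumably become unreachable rather than tunnelled — acceptable as a deliberate IPv6-leak guard, but worth a comment stating that intent. `privateKeyFile` points into `/home/${user}`, which the system-level wg0 setup reads as root at activation; if that directory is not mounted or not yet populated by the dotfile deployment at boot, the interface will fail to come up, so a path under `/etc/wireguard` or a system secrets target would decouple the two.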
--- a/provision/nixos/hosts/torus/wireguard-server.nix
+++ b/provision/nixos/hosts/torus/wireguard-server.nix
@@ -45,6 +45,11 @@
         publicKey = "r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM=";
         allowedIPs = [ "192.168.2.2/32" ];
       }
+      {
+        # Kestrel
+        publicKey = "hPso657fppLYvBU31Rtqqg792JEoPv7r82JgLoF8S2Y=";
+        allowedIPs = [ "192.168.2.3/32" ];
+      }
       # More peers can be added here.
     ];
   };
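Review bot: The new peer's `publicKey` is the same literal this commit also adds in `home/private_dot_wireguard/kestrel.pub`, so a key rotation on kestrel now has to touch two files in two trees and nothing ties them together. A comment on the peer naming the source of truth makes the duplication visible, e.g. `# Kestrel — public key mirrored from home/private_dot_wireguard/kestrel.pub; rotate both together`. The `allowedIPs` of `192.168.2.3/32` matches the client's `ips` in wireguard-client.nix, which is the check that matters for replies to route back; the enclosing `peers` list and interface block start outside the hunk.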