Switch from gre tunnel to wireguard for heimnetz transport

2021-05-12 10:04:04 +02:00 · 2021-05-12 10:04:04 +02:00 · 1caff12782
parent a3002d2455
commit 1caff12782
2 changed files with 26 additions and 36 deletions
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@ -75,25 +75,21 @@
      allowedIPsAsRoutes = false;
      privateKeyFile = "/var/src/secrets/wireguard/wg-porter4";
    };
+    wg-heimnetz = {
+      ips = [ "fd00:153:153:201::2/64" ];
+      peers = [ {
+        allowedIPs = [ "::/0" ];
+        endpoint = "[fd00:152:152:101::1]:60001";
+        publicKey = "j/XAIOJGgLieg0jry4AGSkxQySuDdwhJShqC5SCgsWw=";
+      } ];
+      listenPort = 60001;
+      allowedIPsAsRoutes = false;
+      privateKeyFile = "/var/src/secrets/wireguard/wg-heimnetz";
+      postSetup = "ip link set wg-heimnetz mtu 1340";
+    };
  };

-  clerie.gre-tunnel = {
-    enable = true;
-    ipv6= {
-      gre-gatekeeper6 = {
-        remote = "fd00:152:152:101::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::2/64";
-      };
-    };
-    ipv4 = {
-      gre-gatekeeper4 = {
-        remote = "10.152.101.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.2/24";
-      };
-    };
-  };
+  networking.firewall.allowedUDPPorts = [ 60001 ];

  # Routing tables
  # Table: 10000
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@ -72,6 +72,18 @@
      allowedIPsAsRoutes = false;
      privateKeyFile = "/var/src/secrets/wireguard/wg-nonat6";
    };
+    wg-heimnetz = {
+      ips = [ "fd00:153:153:201::1/64" ];
+      peers = [ {
+          allowedIPs = [ "::/0" ];
+          endpoint = "[fd00:152:152:104::1]:60001";
+          publicKey = "x44tpGt+uqIWTEl4qwZE7iPRjEHkYSZGKOQ7EuwLzX8=";
+      } ];
+      listenPort = 60001;
+      allowedIPsAsRoutes = false;
+      privateKeyFile = "/var/src/secrets/wireguard/wg-heimnetz";
+      postSetup = "ip link set wg-heimnetz mtu 1340";
+    };
    wg-vpn = {
      ips = [ "2a01:4f8:c0c:15f1::8001/113" "10.20.30.1/24" ];
      peers = [
@ -111,7 +123,7 @@
    };
  };

-  networking.firewall.allowedUDPPorts = [ 50101 50127 50128 51820 ];
+  networking.firewall.allowedUDPPorts = [ 50101 50127 50128 51820 60001 ];

  clerie.nginx-port-forward = {
    enable = true;
@ -140,24 +152,6 @@
    };
  };

-  clerie.gre-tunnel = {
-    enable = true;
-    ipv6= {
-      gre-carbon6 = {
-        remote = "fd00:152:152:104::1";
-        local = (lib.head config.networking.interfaces.lo.ipv6.addresses).address;
-        address = "fd00:153:153:201::1/64";
-      };
-    };
-    ipv4 = {
-      gre-carbon4 = {
-        remote = "10.152.104.1";
-        local = (lib.head config.networking.interfaces.lo.ipv4.addresses).address;
-        address = "10.153.201.1/24";
-      };
-    };
-  };
-
  services.bird2.enable = true;
  services.bird2.config = ''
  router id ${ (lib.head config.networking.interfaces.lo.ipv4.addresses).address };