grimm-nixos-laptop/modules/wireguard.nix

43 lines
1.4 KiB
Nix
Raw Normal View History

2024-11-26 19:20:10 +01:00
{ pkgs, ... }:
{
2024-09-28 22:09:24 +02:00
# enable NAT
2024-11-26 19:20:10 +01:00
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
2024-09-28 22:09:24 +02:00
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface
# arbitrarily.}
wg0 = {
privateKeyFile = "/home/grimmauld/wireguard.priv";
# Determines the IP address and subnet of the server's end of the tunnel
# interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and
# hence be like a VPN For this to work you have to set the dnsserver IP of
# your router (or dnsserver of choice) in your clients
2024-11-26 19:20:10 +01:00
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
2024-09-28 22:09:24 +02:00
'';
# This undoes the above command
2024-11-26 19:20:10 +01:00
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens18 -j MASQUERADE
2024-09-28 22:09:24 +02:00
'';
2024-11-26 19:20:10 +01:00
2024-09-28 22:09:24 +02:00
generatePrivateKeyFile = true;
peers = [
{
2024-11-26 19:20:10 +01:00
publicKey = "2aANdnPYtf78iXfwNVAtYjIlE5k/yDWvbdXZ2jw0hXk=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
2024-09-28 22:09:24 +02:00
};
};
environment.systemPackages = with pkgs; [ wireguard-tools ];
}