From 3056e9f2818533ecdab7aea4f84af8885a257887 Mon Sep 17 00:00:00 2001 From: Charlotte Van Petegem Date: Thu, 24 Nov 2022 15:51:53 +0100 Subject: [PATCH] Use udp2raw to traverse UPD-blocking networks --- flake.nix | 4 + machines/kharbranth/default.nix | 13 +-- modules/base/network/wireguard.nix | 130 ++++++++++++++++++----------- packages/udp2raw/default.nix | 26 ++++++ 4 files changed, 117 insertions(+), 56 deletions(-) create mode 100644 packages/udp2raw/default.nix diff --git a/flake.nix b/flake.nix index 734d269b..0a380df9 100644 --- a/flake.nix +++ b/flake.nix @@ -99,6 +99,7 @@ emacs-overlay.overlay (self: super: { tetris = tetris.packages.${self.system}.default; + udp2raw = self.callPackage ./packages/udp2raw { }; }) nur.overlay www-chvp-be.overlay @@ -131,6 +132,9 @@ nameToValue = name: import (./shells + "/${name}.nix") { inherit pkgs inputs; }; in builtins.listToAttrs (builtins.map (name: { inherit name; value = nameToValue name; }) shellNames); + packages = { + udp2raw = pkgs.callPackage ./packages/udp2raw { }; + }; }; }; } diff --git a/machines/kharbranth/default.nix b/machines/kharbranth/default.nix index 0921114e..dd2f774b 100644 --- a/machines/kharbranth/default.nix +++ b/machines/kharbranth/default.nix @@ -12,12 +12,15 @@ stateVersion = "20.09"; base = { bluetooth.enable = true; - network.mobile = { - enable = true; - wireless-interface = "wlp0s20f3"; - wired-interfaces = { - "enp0s13f0u2u2" = { }; + network = { + mobile = { + enable = true; + wireless-interface = "wlp0s20f3"; + wired-interfaces = { + "enp0s13f0u2u2" = { }; + }; }; + wireguard.onCorporate = true; }; zfs = { encrypted = true; diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix index a25f9363..2951a40f 100644 --- a/modules/base/network/wireguard.nix +++ b/modules/base/network/wireguard.nix 
@@ -36,10 +36,17 @@ in default = false; example = true; }; + onCorporate = lib.mkOption { + default = false; + example = true; + }; }; config = { - networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820; - networking.firewall.trustedInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820; + allowedTCPPorts = lib.optional config.chvp.base.network.wireguard.server 8080; + trustedInterfaces = [ "wg0" ]; + }; boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; }; services.unbound = lib.mkIf config.chvp.base.network.wireguard.server { enable = true; 
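Review bot: `onCorporate` is declared with only `default` and `example`, so the option accepts any value and shows up in generated docs without an explanation; give it `type = lib.types.bool;` and a `description = "Reach the WireGuard server through a local udp2raw client over TCP, for networks that block UDP.";`. The neighbouring `server` option appears to share the same gap, but its declaration starts above the hunk. Since `allowedTCPPorts` now opens 8080 on the server only, a one-line comment tying it to the listener, e.g. `# udp2raw faketcp listener, see systemd.services.udp2raw-server`, would save the next reader a search. The enclosing `options` and `config` attrsets begin before and end after this hunk.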
@@ -68,59 +75,80 @@ in }; }; }; - systemd.network = { - netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = - if config.chvp.base.network.wireguard.server then { - PrivateKeyFile = data.${config.networking.hostName}.privkeyFile; - ListenPort = 51820; - } else { - PrivateKeyFile = data.${config.networking.hostName}.privkeyFile; + systemd = { + network = { + netdevs.wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + MTUBytes = "1342"; }; - wireguardPeers = - if config.chvp.base.network.wireguard.server then - (builtins.map - (name: { - wireguardPeerConfig = { - PublicKey = data.${name}.pubkey; - AllowedIPs = "${data.${name}.ip}/32"; - PresharedKeyFile = pskFile; - }; - }) - (builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data))) - else - ([{ - wireguardPeerConfig = { - PublicKey = data.lasting-integrity.pubkey; - AllowedIPs = subnet; - Endpoint = "lasting-integrity.vanpetegem.me:51820"; - PresharedKeyFile = pskFile; - PersistentKeepalive = 25; - }; - }]); - }; - networks.wg0 = { - enable = true; - name = "wg0"; - address = [ "${data.${config.networking.hostName}.ip}/32" ]; - domains = [ "local" ]; - dns = [ data.lasting-integrity.ip ]; - routes = [{ - routeConfig = + wireguardConfig = if config.chvp.base.network.wireguard.server then { - Gateway = "${data.${config.networking.hostName}.ip}"; - Destination = subnet; + PrivateKeyFile = data.${config.networking.hostName}.privkeyFile; + ListenPort = 51820; } else { - Gateway = "${data.lasting-integrity.ip}"; - Destination = subnet; - GatewayOnLink = true; + PrivateKeyFile = data.${config.networking.hostName}.privkeyFile; }; - }]; + wireguardPeers = + if config.chvp.base.network.wireguard.server then + (builtins.map + (name: { + wireguardPeerConfig = { + PublicKey = data.${name}.pubkey; + AllowedIPs = "${data.${name}.ip}/32"; + PresharedKeyFile = pskFile; + }; + }) + (builtins.filter (name: name 
!= config.networking.hostName) (builtins.attrNames data))) + else + ([{ + wireguardPeerConfig = { + PublicKey = data.lasting-integrity.pubkey; + AllowedIPs = subnet; + Endpoint = + if config.chvp.base.network.wireguard.onCorporate + then "127.0.0.1:51820" + else "lasting-integrity.vanpetegem.me:51820"; + PresharedKeyFile = pskFile; + PersistentKeepalive = 25; + }; + }]); + }; + networks.wg0 = { + enable = true; + name = "wg0"; + address = [ "${data.${config.networking.hostName}.ip}/32" ]; + domains = [ "local" ]; + dns = [ data.lasting-integrity.ip ]; + linkConfig.MTUBytes = "1342"; + routes = [{ + routeConfig = + if config.chvp.base.network.wireguard.server then { + Gateway = "${data.${config.networking.hostName}.ip}"; + Destination = subnet; + } else { + Gateway = "${data.lasting-integrity.ip}"; + Destination = subnet; + GatewayOnLink = true; + }; + }]; + }; + }; + services = { + udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server { + description = "UDP tunnel over TCP for wireguard"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -k 'secret'"; + }; + udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate { + description = "UDP tunnel over TCP for wireguard"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -k 'secret'"; + }; }; }; age.secrets."files/wireguard/psk" = { diff --git a/packages/udp2raw/default.nix b/packages/udp2raw/default.nix new file mode 100644 index 00000000..b5c26a3f --- /dev/null +++ b/packages/udp2raw/default.nix 
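Review bot: Both new udp2raw units pass the tunnel key as the literal `-k 'secret'` inside `script`, so a trivially guessable key is committed to the repository and baked into a world-readable /nix/store unit file, and it also appears in `ps` output on every host. WireGuard still authenticates and encrypts the inner packets, so this does not expose VPN traffic, but anyone on the path who knows the key can inject into or tear down the obfuscation tunnel and use the public 8080 listener as a relay to the WireGuard port. The module already manages the WireGuard PSK with agenix (the hunk's last context line), so the same mechanism can hold a udp2raw option file with a single `-k <key>` line, passed via `--conf-file` (one option per line; present in recent udp2raw releases, confirm for 20200818.0). The new package wraps `iptables` into PATH, which suggests `-a` (auto iptables rule) was intended but it is not passed; without it the kernel is expected to answer the fake TCP stream with RSTs, so verify the tunnel actually holds before relying on it. The enclosing `config` attrset continues past the hunk.
```nix
      services = {
        udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server {
          # … unchanged: description, wantedBy, after …
          # Key is read from an agenix-managed option file (root-only, mode 0400)
          # instead of the unit text, so it is neither in the Nix store nor in `ps`.
          script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -a --conf-file ${config.age.secrets."files/wireguard/udp2raw-key".path}";
        };
        udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
          # … unchanged: description, wantedBy, after …
          script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -a --conf-file ${config.age.secrets."files/wireguard/udp2raw-key".path}";
        };
      };
      # … an age.secrets."files/wireguard/udp2raw-key" entry mirroring the psk one
      #   supplies the file; its only content is the line `-k <key>` …
```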
@@ -0,0 +1,26 @@ +{ lib +, stdenv +, fetchFromGitHub +, makeWrapper +, iptables +}: + +stdenv.mkDerivation rec { + pname = "udp2raw"; + version = "20200818.0"; + src = fetchFromGitHub { + owner = "wangyu-"; + repo = "udp2raw"; + rev = version; + hash = "sha256-TkTOfF1RfHJzt80q0mN4Fek3XSFY/8jdeAVtyluZBt8="; + }; + + nativeBuildInputs = [ makeWrapper ]; + + buildPhase = "make dynamic"; + installPhase = '' + mkdir -p $out/bin + cp udp2raw_dynamic $out/bin/udp2raw + wrapProgram $out/bin/udp2raw --prefix PATH : "${lib.makeBinPath [ iptables ]}" + ''; +}
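Review bot: `buildPhase = "make dynamic"` and the bare `installPhase` replace stdenv's phases without calling `runHook preBuild`/`postBuild`/`preInstall`/`postInstall`, so later overrides and setup hooks on this derivation silently do nothing; `buildFlags = [ "dynamic" ]` keeps the default build phase and the install phase only needs the two hook lines. The derivation also has no `meta`, so tooling cannot see its license or that it is Linux-only (raw sockets plus the `iptables` wrapper); the license attribute below is a guess to confirm against upstream's LICENSE file. Pinning `rev = version` with a fixed `hash` is the right supply-chain choice and should stay.
```nix
  nativeBuildInputs = [ makeWrapper ];

  # Let stdenv's default buildPhase run the Makefile's `dynamic` target so the
  # pre/post build hooks still fire.
  buildFlags = [ "dynamic" ];

  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin
    cp udp2raw_dynamic $out/bin/udp2raw
    wrapProgram $out/bin/udp2raw --prefix PATH : "${lib.makeBinPath [ iptables ]}"
    runHook postInstall
  '';

  meta = with lib; {
    description = "Tunnel that carries UDP traffic inside raw (fake) TCP/ICMP packets";
    homepage = "https://github.com/wangyu-/udp2raw";
    license = licenses.mit; # TODO confirm against upstream LICENSE
    platforms = platforms.linux; # raw sockets and iptables
  };
```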