chvp/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use udp2raw to traverse UPD-blocking networks

Browse source
This commit is contained in:
Charlotte Van Petegem 2022-11-24 15:51:53 +01:00
parent 9d610059e5
commit 3056e9f281
No known key found for this signature in database
GPG key ID: 019E764B7184435A
4 changed files with 117 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

4
flake.nix
View file

@ -99,6 +99,7 @@
emacs-overlay.overlay emacs-overlay.overlay
(self: super: { (self: super: {
tetris = tetris.packages.${self.system}.default; tetris = tetris.packages.${self.system}.default;
udp2raw = self.callPackage ./packages/udp2raw { };
}) })
nur.overlay nur.overlay
www-chvp-be.overlay www-chvp-be.overlay
@ -131,6 +132,9 @@
nameToValue = name: import (./shells + "/${name}.nix") { inherit pkgs inputs; }; nameToValue = name: import (./shells + "/${name}.nix") { inherit pkgs inputs; };
in in
builtins.listToAttrs (builtins.map (name: { inherit name; value = nameToValue name; }) shellNames); builtins.listToAttrs (builtins.map (name: { inherit name; value = nameToValue name; }) shellNames);
packages = {
udp2raw = pkgs.callPackage ./packages/udp2raw { };
};
}; };
}; };
} }

5
machines/kharbranth/default.nix
View file

@ -12,13 +12,16 @@
stateVersion = "20.09"; stateVersion = "20.09";
base = { base = {
bluetooth.enable = true; bluetooth.enable = true;
network.mobile = { network = {
mobile = {
enable = true; enable = true;
wireless-interface = "wlp0s20f3"; wireless-interface = "wlp0s20f3";
wired-interfaces = { wired-interfaces = {
"enp0s13f0u2u2" = { }; "enp0s13f0u2u2" = { };
}; };
}; };
wireguard.onCorporate = true;
};
zfs = { zfs = {
encrypted = true; encrypted = true;
backups = [ backups = [

36
modules/base/network/wireguard.nix
View file

@ -36,10 +36,17 @@ in
default = false; default = false;
example = true; example = true;
}; };
onCorporate = lib.mkOption {
default = false;
example = true;
};
}; };
config = { config = {
networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820; networking.firewall = {
networking.firewall.trustedInterfaces = [ "wg0" ]; allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
allowedTCPPorts = lib.optional config.chvp.base.network.wireguard.server 8080;
trustedInterfaces = [ "wg0" ];
};
boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; }; boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
services.unbound = lib.mkIf config.chvp.base.network.wireguard.server { services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
enable = true; enable = true;
@ -68,12 +75,14 @@ in
}; };
}; };
}; };
systemd.network = { systemd = {
network = {
netdevs.wg0 = { netdevs.wg0 = {
enable = true; enable = true;
netdevConfig = { netdevConfig = {
Name = "wg0"; Name = "wg0";
Kind = "wireguard"; Kind = "wireguard";
MTUBytes = "1342";
}; };
wireguardConfig = wireguardConfig =
if config.chvp.base.network.wireguard.server then { if config.chvp.base.network.wireguard.server then {
@ -98,7 +107,10 @@ in
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = data.lasting-integrity.pubkey; PublicKey = data.lasting-integrity.pubkey;
AllowedIPs = subnet; AllowedIPs = subnet;
Endpoint = "lasting-integrity.vanpetegem.me:51820"; Endpoint =
if config.chvp.base.network.wireguard.onCorporate
then "127.0.0.1:51820"
else "lasting-integrity.vanpetegem.me:51820";
PresharedKeyFile = pskFile; PresharedKeyFile = pskFile;
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
@ -110,6 +122,7 @@ in
address = [ "${data.${config.networking.hostName}.ip}/32" ]; address = [ "${data.${config.networking.hostName}.ip}/32" ];
domains = [ "local" ]; domains = [ "local" ];
dns = [ data.lasting-integrity.ip ]; dns = [ data.lasting-integrity.ip ];
linkConfig.MTUBytes = "1342";
routes = [{ routes = [{
routeConfig = routeConfig =
if config.chvp.base.network.wireguard.server then { if config.chvp.base.network.wireguard.server then {
@ -123,6 +136,21 @@ in
}]; }];
}; };
}; };
services = {
udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server {
description = "UDP tunnel over TCP for wireguard";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -k 'secret'";
};
udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
description = "UDP tunnel over TCP for wireguard";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -k 'secret'";
};
};
};
age.secrets."files/wireguard/psk" = { age.secrets."files/wireguard/psk" = {
file = ../../../secrets/files/wireguard/psk.age; file = ../../../secrets/files/wireguard/psk.age;
owner = "systemd-network"; owner = "systemd-network";

26
packages/udp2raw/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ lib
, stdenv
, fetchFromGitHub
, makeWrapper
, iptables
}:
stdenv.mkDerivation rec {
pname = "udp2raw";
version = "20200818.0";
src = fetchFromGitHub {
owner = "wangyu-";
repo = "udp2raw";
rev = version;
hash = "sha256-TkTOfF1RfHJzt80q0mN4Fek3XSFY/8jdeAVtyluZBt8=";
};
nativeBuildInputs = [ makeWrapper ];
buildPhase = "make dynamic";
installPhase = ''
mkdir -p $out/bin
cp udp2raw_dynamic $out/bin/udp2raw
wrapProgram $out/bin/udp2raw --prefix PATH : "${lib.makeBinPath [ iptables ]}"
'';
}