Use udp2raw to traverse UPD-blocking networks

flake.nix

@@ -99,6 +99,7 @@
           emacs-overlay.overlay
           (self: super: {
             tetris = tetris.packages.${self.system}.default;
+            udp2raw = self.callPackage ./packages/udp2raw { };
           })
           nur.overlay
           www-chvp-be.overlay
@@ -131,6 +132,9 @@
               nameToValue = name: import (./shells + "/${name}.nix") { inherit pkgs inputs; };
             in
             builtins.listToAttrs (builtins.map (name: { inherit name; value = nameToValue name; }) shellNames);
+          packages = {
+            udp2raw = pkgs.callPackage ./packages/udp2raw { };
+          };
         };
     };
 }

machines/kharbranth/default.nix

@@ -12,12 +12,15 @@
     stateVersion = "20.09";
     base = {
       bluetooth.enable = true;
-      network.mobile = {
+      network = {
-        enable = true;
+        mobile = {
-        wireless-interface = "wlp0s20f3";
+          enable = true;
-        wired-interfaces = {
+          wireless-interface = "wlp0s20f3";
-          "enp0s13f0u2u2" = { };
+          wired-interfaces = {
+            "enp0s13f0u2u2" = { };
+          };
         };
+        wireguard.onCorporate = true;
       };
       zfs = {
         encrypted = true;

modules/base/network/wireguard.nix

@@ -36,10 +36,17 @@ in
       default = false;
       example = true;
     };
+    onCorporate = lib.mkOption {
+      default = false;
+      example = true;
+    };
   };
   config = {
-    networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
+    networking.firewall = {
-    networking.firewall.trustedInterfaces = [ "wg0" ];
+      allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
+      allowedTCPPorts = lib.optional config.chvp.base.network.wireguard.server 8080;
+      trustedInterfaces = [ "wg0" ];
+    };
     boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
     services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
       enable = true;
@@ -68,59 +75,80 @@ in
         };
       };
     };
-    systemd.network = {
+    systemd = {
-      netdevs.wg0 = {
+      network = {
-        enable = true;
+        netdevs.wg0 = {
-        netdevConfig = {
+          enable = true;
-          Name = "wg0";
+          netdevConfig = {
-          Kind = "wireguard";
+            Name = "wg0";
-        };
+            Kind = "wireguard";
-        wireguardConfig =
+            MTUBytes = "1342";
-          if config.chvp.base.network.wireguard.server then {
-            PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
-            ListenPort = 51820;
-          } else {
-            PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
           };
-        wireguardPeers =
+          wireguardConfig =
-          if config.chvp.base.network.wireguard.server then
-            (builtins.map
-              (name: {
-                wireguardPeerConfig = {
-                  PublicKey = data.${name}.pubkey;
-                  AllowedIPs = "${data.${name}.ip}/32";
-                  PresharedKeyFile = pskFile;
-                };
-              })
-              (builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data)))
-          else
-            ([{
-              wireguardPeerConfig = {
-                PublicKey = data.lasting-integrity.pubkey;
-                AllowedIPs = subnet;
-                Endpoint = "lasting-integrity.vanpetegem.me:51820";
-                PresharedKeyFile = pskFile;
-                PersistentKeepalive = 25;
-              };
-            }]);
-      };
-      networks.wg0 = {
-        enable = true;
-        name = "wg0";
-        address = [ "${data.${config.networking.hostName}.ip}/32" ];
-        domains = [ "local" ];
-        dns = [ data.lasting-integrity.ip ];
-        routes = [{
-          routeConfig =
             if config.chvp.base.network.wireguard.server then {
-              Gateway = "${data.${config.networking.hostName}.ip}";
+              PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
-              Destination = subnet;
+              ListenPort = 51820;
             } else {
-              Gateway = "${data.lasting-integrity.ip}";
+              PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
-              Destination = subnet;
-              GatewayOnLink = true;
             };
-        }];
+          wireguardPeers =
+            if config.chvp.base.network.wireguard.server then
+              (builtins.map
+                (name: {
+                  wireguardPeerConfig = {
+                    PublicKey = data.${name}.pubkey;
+                    AllowedIPs = "${data.${name}.ip}/32";
+                    PresharedKeyFile = pskFile;
+                  };
+                })
+                (builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data)))
+            else
+              ([{
+                wireguardPeerConfig = {
+                  PublicKey = data.lasting-integrity.pubkey;
+                  AllowedIPs = subnet;
+                  Endpoint =
+                    if config.chvp.base.network.wireguard.onCorporate
+                    then "127.0.0.1:51820"
+                    else "lasting-integrity.vanpetegem.me:51820";
+                  PresharedKeyFile = pskFile;
+                  PersistentKeepalive = 25;
+                };
+              }]);
+        };
+        networks.wg0 = {
+          enable = true;
+          name = "wg0";
+          address = [ "${data.${config.networking.hostName}.ip}/32" ];
+          domains = [ "local" ];
+          dns = [ data.lasting-integrity.ip ];
+          linkConfig.MTUBytes = "1342";
+          routes = [{
+            routeConfig =
+              if config.chvp.base.network.wireguard.server then {
+                Gateway = "${data.${config.networking.hostName}.ip}";
+                Destination = subnet;
+              } else {
+                Gateway = "${data.lasting-integrity.ip}";
+                Destination = subnet;
+                GatewayOnLink = true;
+              };
+          }];
+        };
+      };
+      services = {
+        udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server {
+          description = "UDP tunnel over TCP for wireguard";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -k 'secret'";
+        };
+        udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
+          description = "UDP tunnel over TCP for wireguard";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -k 'secret'";
+        };
       };
     };
     age.secrets."files/wireguard/psk" = {

packages/udp2raw/default.nix

@@ -0,0 +1,26 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, makeWrapper
+, iptables
+}:
+
+stdenv.mkDerivation rec {
+  pname = "udp2raw";
+  version = "20200818.0";
+  src = fetchFromGitHub {
+    owner = "wangyu-";
+    repo = "udp2raw";
+    rev = version;
+    hash = "sha256-TkTOfF1RfHJzt80q0mN4Fek3XSFY/8jdeAVtyluZBt8=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  buildPhase = "make dynamic";
+  installPhase = ''
+    mkdir -p $out/bin
+    cp udp2raw_dynamic $out/bin/udp2raw
+    wrapProgram $out/bin/udp2raw --prefix PATH : "${lib.makeBinPath [ iptables ]}"
+  '';
+}