Set up local VPN on wireguard network

Charlotte Van Petegem 2022-11-19 00:56:37 +01:00
parent d6619a35fa
commit 6ea7bced38
No known key found for this signature in database
GPG key ID: 019E764B7184435A
2 changed files with 29 additions and 1 deletions


@ -41,6 +41,32 @@ in
networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
networking.firewall.trustedInterfaces = [ "wg0" ];
boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
services.unbound = lib.mkIf config.chvp.base.network.wireguard.server {
enable = true;
resolveLocalQueries = true;
settings = {
server = {
interface = [ "wg0" "127.0.0.1" "::1" ];
access-control = [
"127.0.0.0/8 allow"
"10.240.0.0/24 allow"
];
private-domain = "vpn";
local-zone = builtins.map (name: ''"${name}.vpn" redirect'') (builtins.attrNames data);
local-data = builtins.map (name: ''"${name}.vpn IN A ${data.${name}.ip}"'') (builtins.attrNames data);
};
forward-zone = {
name = ''"."'';
forward-addr = [
"1.1.1.1@853"
"1.0.0.1@853"
"2606:4700:4700::1111@853"
"2606:4700:4700::1001@853"
];
forward-tls-upstream = "yes";
};
};
};
systemd.network = {
netdevs.wg0 = {
enable = true;
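Review bot: The four forward-addr entries in the forward-zone carry no authentication name after the port, so with forward-tls-upstream set unbound encrypts the upstream session but, per its forward-addr documentation, does not verify the peer's certificate against a hostname — the transport is private but not authenticated. Appending the server name, e.g. `"1.1.1.1@853#cloudflare-dns.com"` and `"2606:4700:4700::1111@853#cloudflare-dns.com"` (same suffix for the 1.0.0.1 and ::1001 entries), turns on certificate verification against the CA bundle that the NixOS unbound module is presumed to set via tls-cert-bundle by default; confirm that default is in effect on this host rather than relying on it. Separately, the interface list includes ::1 while access-control only allows 127.0.0.0/8 and 10.240.0.0/24, so IPv6 loopback queries may be refused unless unbound's implicit localhost allowance still applies once access-control is set explicitly; adding `"::1/128 allow"` removes the ambiguity. The enclosing module body (`in { … }`) starts and ends outside the hunk.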
@ -81,6 +107,8 @@ in
enable = true;
name = "wg0";
address = [ "${data.${config.networking.hostName}.ip}/32" ];
domains = [ "vpn" ];
dns = [ data.lasting-integrity.ip ];
routes = [{
routeConfig =
if config.chvp.base.network.wireguard.server then {