authorMathias Magnusson <mathias@magnusson.space>2025-12-01 16:21:50 +0100
committerMathias Magnusson <mathias@magnusson.space>2025-12-01 16:21:50 +0100
commiteb32e98e962e9d17d0343e4921e9775dfbbc58af (patch)
tree1b779d98a679dd3afaee8abe1d9cc09472fd97d0 /router.nix
parent7dcc7a6da509266330ae20eb912c0e045290c7af (diff)
downloadoden-eb32e98e962e9d17d0343e4921e9775dfbbc58af.tar.gz
set up wireguard
Diffstat (limited to 'router.nix')
-rw-r--r--router.nix47
1 files changed, 41 insertions, 6 deletions
diff --git a/router.nix b/router.nix
index 3cc17bc..79c4f7b 100644
--- a/router.nix
+++ b/router.nix
@@ -10,29 +10,32 @@
allowedUDPPorts = [
53
67
+ 51829
];
extraForwardRules = ''
iifname "ethlan" oifname "wlan-staff" accept
iifname "ethlan" oifname "wlan-guest" accept
+ iifname "ethlan" oifname "wglan" accept
iifname "wlan-staff" oifname "ethlan" accept
iifname "wlan-staff" oifname "wlan-guest" accept
+ iifname "wlan-staff" oifname "wglan" accept
iifname "wlan-guest" oifname "ethlan" accept
iifname "wlan-guest" oifname "wlan-staff" accept
+ iifname "wlan-guest" oifname "wglan" accept
+
+ iifname "wglan" oifname "ethlan" accept
+ iifname "wglan" oifname "wlan-staff" accept
+ iifname "wglan" oifname "wlan-guest" accept
'';
};
nat = {
enable = true;
externalInterface = "wan";
- internalInterfaces = [ "ethlan" "wlan" "docker0" ];
+ internalInterfaces = [ "ethlan" "wlan" "docker0" "wglan" ];
forwardPorts = [
{
- sourcePort = 51801;
- destination = "10.69.0.3:51801";
- proto = "udp";
- }
- {
sourcePort = 80;
destination = "10.69.0.3:80";
}
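Review bot: The new rule `iifname "wlan-guest" oifname "wglan" accept` (with its reverse three lines further down) gives the guest network the same reach into the VPN segment as the wired and staff networks, so wglan peers are effectively treated as trusted internal hosts by every network on this router. If that is deliberate, a one-line comment on the guest rule saying so would save the next reader from second-guessing it; if not, the two guest/wglan lines are the ones to drop. The port `51829` added to allowedUDPPorts is the same value as the WireGuard ListenPort introduced elsewhere in this commit, but nothing links them, so `51829 # wireguard listen port (wglan)` would make the dependency visible. The attribute set that these lines belong to begins before this hunk.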
@@ -85,6 +88,32 @@
linkConfig.RequiredForOnline = "routable";
};
+ netdevs."20-wglan" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wglan";
+ };
+ wireguardConfig = {
+ ListenPort = 51829;
+ PrivateKeyFile = config.age.secrets."wg-key.txt".path;
+ RouteTable = "main";
+ };
+ wireguardPeers = [
+ {
+ # sleipner
+ PublicKey = "FqwkR+gKe/0JfFn3oXyyNDK8qh3LGMQw/t1pvGEHTBk=";
+ AllowedIPs = [ "10.69.3.2" ];
+ }
+ ];
+ };
+ networks."20-wglan" = {
+ matchConfig.Name = "wglan";
+ networkConfig = {
+ Address = "10.69.3.1/24";
+ IPv4Forwarding = true;
+ };
+ };
+
# netdevs."10-vlan-staff" = {
# netdevConfig = {
# Kind = "vlan";
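Review bot: The peer's `AllowedIPs = [ "10.69.3.2" ];` gives a bare address with no prefix length, while the interface address two stanzas below is written `10.69.3.1/24`; writing `AllowedIPs = [ "10.69.3.2/32" ];` states the intended single-host scope explicitly and matches the notation used for the local address. The peer is documented only by the comment `# sleipner`; a slightly fuller comment such as `# sleipner — only this peer is permitted, keyed by its public key` would also record that no further peers are expected on wglan. The enclosing systemd.network block starts outside this hunk.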
@@ -207,4 +236,10 @@
age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age;
age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age;
age.secrets."hcloud-token.txt".file = ./secrets/hcloud-token.txt.age;
+ age.secrets."wg-key.txt" = {
+ file = ./secrets/wg-key.txt;
+ mode = "640";
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
}
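Review bot: `file = ./secrets/wg-key.txt;` points at a path without the `.age` suffix that every sibling secret in this hunk uses (`./secrets/wifi-password-staff.txt.age`, `./secrets/hcloud-token.txt.age`), so unless that file is in fact age-encrypted under that name, this either references a plaintext WireGuard private key — which would be copied into the world-readable Nix store and the repository — or fails to decrypt at activation. The expected form is `file = ./secrets/wg-key.txt.age;`, consistent with the other entries. The `mode = "640"` with owner and group `systemd-network` is the right scope for a key that only networkd reads.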