We only need apex to reach the intranet, so raccoon will be the only peer that uses intranet IPs as source. All other peers must accept them from raccoon, but not the other way around.
{ config, pkgs, ... }:

# NixOS module for the WireGuard node "raccoon" (wg0, 10.106.0.236/24).
# raccoon masquerades traffic arriving on wg0 out through eno0, so tunnel
# peers can reach the network behind it.
let
  # UDP port WireGuard listens on; the same port is opened in the firewall.
  wgPort = 666;
in
{
  # Private key for wg0, provided as an agenix secret.
  age.secrets.wgRaccoon.file = ../../secrets/wg-raccoon.age;

  networking = {
    nat = {
      enable = true;
      enableIPv6 = false;
      # NOTE(review): NAT is enabled for the whole wg0 interface, so every peer
      # whose packets raccoon accepts is masqueraded out of eno0, not only apex.
      # Confirm that this matches the intent, or restrict forwarding per peer
      # in the firewall.
      externalInterface = "eno0";
      internalInterfaces = [ "wg0" ];
    };

    # Only the WireGuard listen port is opened inbound.
    firewall.allowedUDPPorts = [ wgPort ];

    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [ "10.106.0.236/24" ];
        listenPort = wgPort;
        privateKeyFile = config.age.secrets.wgRaccoon.path;
        # Public key: QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=

        # Each peer gets a single /32 in allowedIPs: raccoon only accepts
        # packets sourced from that address from the peer and only routes
        # that address to it.
        peers = [
          {
            name = "fox";
            publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
            allowedIPs = [ "10.106.0.1/32" ];
            endpoint = "fox.ac.upc.edu:666";
          }
          {
            name = "apex";
            publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
            allowedIPs = [ "10.106.0.30/32" ];
            endpoint = "ssfhead.bsc.es:666";
            # Only apex sends keepalives; presumably to hold a stateful
            # mapping open on its side — verify with the apex config.
            persistentKeepalive = 25;
          }
        ];
      };
    };

    # Convenience names for the tunnel addresses of the two peers.
    hosts = {
      "10.106.0.1" = [ "fox.wg" ];
      "10.106.0.30" = [ "apex.wg" ];
    };
  };
}