fixed wireguard

configs/containers/cube/wireguard_cube_container.nix

@@ -1,6 +1,6 @@
 { lib, pkgs, config, ... }: {
   deployment = {
-    targetHost = "192.168.178.123";
+    targetHost = "10.10.0.4";
     targetPort = 22;
     targetUser = "root";
     tags = [ "cube" ];
@@ -8,6 +8,6 @@
   networking.hostName = "wireguard";
   imports = [
     ../../container_config.nix
-    ../../services/wireguard.nix
+    ../../services/wireguard_cube.nix
   ];
 }

configs/containers/netcup_pve/wireguard_netcup_container.nix

@@ -10,6 +10,6 @@
 
   imports = [
     ../../container_config.nix
-    ../../services/wg_server.nix
+    ../../services/wireguard_netcup.nix
   ];
 }

configs/services/wireguard.nix

@@ -1,60 +0,0 @@
-{ lib, pkgs, config, ... }:
-let wg_port = 51820;
-in {
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = lib.mkDefault true;
-    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
-  };
-
-  # set up secret key
-  sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets.wg_private_key = {
-      sopsFile = ../../secrets/wireguard/cube.yaml;
-    };
-  };
-
-  networking = {
-    firewall.allowedUDPPorts = [ wg_port ];
-    firewall.rejectPackets = true;
-    firewall.trustedInterfaces = [ "wgbr" "wg0" ];
-    interfaces.wgbr.ipv4 = {
-      routes = [ ];
-      addresses = [
-        {
-          address = "10.8.1.1";
-          prefixLength = 24;
-        }
-      ];
-    };
-
-    wg-quick.interfaces = {
-      wg0 = {
-        # Determines the IP address and subnet of the client's end of the tunnel interface.
-        address = [ "10.8.1.1/16" ];
-        listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
-        # Path to the private key file (see sops).
-        privateKeyFile = "/run/secrets/wg_private_key";
-
-        peers = [
-          # For a client configuration, one peer entry for the server will suffice.
-
-          {
-            # Public key of the server (not a file path).
-            publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
-
-            # Forward all the traffic via VPN.
-            allowedIPs = [ "10.8.0.0/16" ];
-
-            # Set this to the server IP and port.
-            endpoint = "202.61.230.52:51820";
-
-            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
-            persistentKeepalive = 25;
-          }
-        ];
-      };
-    };
-  };
-}

configs/services/wireguard_cube.nix

@@ -0,0 +1,72 @@
+{ lib, pkgs, config, ... }:
+let wg_port = 51820;
+in {
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = lib.mkDefault true;
+    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    mtr
+  ];
+
+
+  # set up secret key
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.wg_private_key = {
+      sopsFile = ../../secrets/wireguard/cube.yaml;
+    };
+  };
+
+  networking = {
+    # Enable NAT
+    nat = {
+      enable = true;
+      enableIPv6 = true;
+      externalInterface = "eth0";
+      internalInterfaces = [ "wg0" ];
+    };
+    # Open ports in the firewall
+    firewall = {
+      rejectPackets = true;
+      trustedInterfaces = [ "wg0" ];
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 wg_port ];
+    };
+
+    wg-quick.interfaces = {
+      wg0 = {
+        # Determines the IP address and subnet of the client's end of the tunnel interface.
+        address = [ "10.8.0.1/16" ];
+        listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+        # Path to the private key file (see sops).
+        privateKeyFile = "/run/secrets/wg_private_key";
+
+
+        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+        postUp = ''
+          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+        '';
+
+        # Undo the above
+        preDown = ''
+          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
+        '';
+
+        peers = [
+          # List of allowed peers.
+          {
+            # Laptop Psi
+            publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4=";
+            # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+            allowedIPs = [ "10.8.0.2/32" ];
+          }
+        ];
+      };
+    };
+  };
+}

flake.nix

@@ -7,7 +7,7 @@
     colmena = {
       meta = {
         nixpkgs = import nixpkgs {
-          system = "x86_64-linux";
+          stdenv.hostPlatform.system = "x86_64-linux";
         };
         specialArgs = { inherit inputs; };
       };
@@ -23,6 +23,8 @@
       nginx-netcup = import ./configs/containers/netcup_pve/nginx_container.nix;
 
       nginx-cube = import ./configs/containers/cube/nginx_container.nix;
+
+      wireguard-cube = import ./configs/containers/cube/wireguard_cube_container.nix;
     };
   };
 }