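{ lib, pkgs, config, ... }:
let
  # UDP port WireGuard listens on. Referenced by both the firewall and wg0
  # below so the two cannot drift apart.
  wg_port = 51820;

  # Tunnel subnet of wg0. The server address and the MASQUERADE source in
  # postUp/preDown are all derived from it, which keeps the NAT rule in step
  # with the interface address. The previous rule matched `-s 10.8.1.1/24`
  # (iptables masks that to 10.8.1.0/24), a range no interface or peer in this
  # file uses, so tunnel traffic leaving via wgbr was never actually masqueraded.
  wg_subnet = "10.8.0.0/24";
  wg_server_address = "10.8.0.1/24";

  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  # Forwarding must be on for this host to route between wg0, wgbr and eth0.
  # mkDefault lets another module override these values without a conflict.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = lib.mkDefault true;
    "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
  };

  # WireGuard private key, decrypted by sops-nix at activation using the
  # host's SSH ed25519 key as the age identity (see privateKeyFile below).
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets.wg_private_key = {
      sopsFile = ../../secrets/wireguard/cube.yaml;
    };
  };

  networking = {
    # NAT tunnel clients out of the LAN uplink (IPv4 and IPv6).
    nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };

    firewall = {
      # Answer blocked packets with a reject rather than silently dropping them.
      rejectPackets = true;
      # NOTE: every peer on wg0 gets unrestricted access to this host's
      # services. Per-peer restriction has to come from allowedIPs or extra
      # filter rules, not from this setting.
      trustedInterfaces = [ "wgbr" "wg0" ];
      # DNS on every interface, WireGuard on its UDP port.
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 wg_port ];
    };

    interfaces = {
      # Bridge-side address, no additional routes.
      wgbr.ipv4 = {
        routes = [ ];
        addresses = [ { address = "10.8.2.1"; prefixLength = 24; } ];
      };
      # LAN uplink: static address plus an explicit route for the /16 via the gateway.
      eth0.ipv4 = {
        routes = [ { address = "10.10.0.0"; prefixLength = 16; via = "10.10.0.254"; } ];
        addresses = [ { address = "10.10.0.4"; prefixLength = 24; } ];
      };
    };

    defaultGateway = {
      address = "10.10.0.254";
      interface = "eth0";
    };

    wg-quick.interfaces.wg0 = {
      # Server-side address inside the tunnel subnet (this host is the
      # WireGuard endpoint that peers connect to, not a client).
      address = [ wg_server_address ];
      # Must match firewall.allowedUDPPorts; without it wg picks a random port.
      listenPort = wg_port;
      # Written at runtime by sops-nix from the `sops` secret above; the key
      # itself never lives in this file.
      privateKeyFile = "/run/secrets/wg_private_key";

      # Accept forwarded traffic arriving from the tunnel and SNAT tunnel
      # sources that leave via wgbr so replies come back through this host.
      postUp = ''
        ${iptables} -A FORWARD -i wg0 -j ACCEPT
        ${iptables} -t nat -A POSTROUTING -s ${wg_subnet} -o wgbr -j MASQUERADE
      '';
      # Remove exactly the rules added in postUp.
      preDown = ''
        ${iptables} -D FORWARD -i wg0 -j ACCEPT
        ${iptables} -t nat -D POSTROUTING -s ${wg_subnet} -o wgbr -j MASQUERADE
      '';

      # Peers that may connect. allowedIPs is WireGuard's cryptokey routing:
      # packets from this peer with any other source address are dropped, and
      # only these destinations are routed into the tunnel towards it.
      peers = [
        {
          # Laptop Psi
          publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4=";
          allowedIPs = [ "10.8.0.2/32" ];
        }
      ];
    };
  };
}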