47 lines
1023 B
Nix
47 lines
1023 B
Nix
|
{ config, ...}:
|
||
|
|
|
||
|
|
let
|
||
|
|
wg_if = "wg0";
|
||
|
|
wan_if = "ens3";
|
||
|
|
in {
|
||
|
|
networking = {
|
||
|
|
firewall.allowedUDPPorts = [ 1195 ];
|
||
|
|
|
||
|
|
nat = {
|
||
|
|
enable = true;
|
||
|
|
externalInterface = wan_if;
|
||
|
|
internalInterfaces = [ wg_if ];
|
||
|
|
forwardPorts = [
|
||
|
|
{
|
||
|
|
destination = "10.4.0.2:1194";
|
||
|
|
proto = "udp";
|
||
|
|
sourcePort = 1194;
|
||
|
|
}
|
||
|
|
];
|
||
|
|
};
|
||
|
|
|
||
|
|
wireguard = {
|
||
|
|
interfaces.${wg_if} = {
|
||
|
|
listenPort = 1195;
|
||
|
|
ips = [ "10.4.0.1/24" ];
|
||
|
|
privateKeyFile = "/secrets/wireguard/server.key";
|
||
|
|
|
||
|
|
postSetup = ''
|
||
|
|
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
|
||
|
|
'';
|
||
|
|
|
||
|
|
postShutdown = ''
|
||
|
|
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
|
||
|
|
'';
|
||
|
|
|
||
|
|
peers = [
|
||
|
|
{
|
||
|
|
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
|
||
|
|
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
|
||
|
|
}
|
||
|
|
];
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|