WIP: router: wireguard: change wg0 subnets to not conflict with opnsense

WIP: router: wireguard: slighly more successful conversion of peers to attrset
WIP: router: wireguard: someone forgot to add the network config for the wireguard interface
2025-05-29 22:02:39 -07:00 · 2025-05-29 22:02:38 -07:00 · 2025-05-29 22:02:37 -07:00 · 2025-05-29 22:02:37 -07:00 · 2025-05-29 22:02:36 -07:00 · 2025-05-29 22:02:35 -07:00
12 changed files with 122 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,5 @@
+### Nix template
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1747793476,
-        "narHash": "sha256-2qAOSixSrbb9l6MI+SI4zGineOzDcc2dgOOFK9Dx+IY=",
+        "lastModified": 1748529677,
+        "narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "2468b2d35512d093aeb04972a1d8c20a0735793f",
+        "rev": "da282034f4d30e787b8a10722431e8b650a907ef",
        "type": "github"
      },
      "original": {
@ -58,11 +58,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1747744144,
-        "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
+        "lastModified": 1748370509,
+        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
        "type": "github"
      },
      "original": {
@ -82,11 +82,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1742765550,
-        "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
+        "lastModified": 1748196248,
+        "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
        "owner": "nix-community",
        "repo": "plasma-manager",
-        "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
+        "rev": "b7697abe89967839b273a863a3805345ea54ab56",
        "type": "github"
      },
      "original": {
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@ -8,6 +8,7 @@ in
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./ifconfig.nix
+      ./wireguard.nix
      ./firewall.nix
      ./dns.nix
      ./kea.nix
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@ -13,6 +13,7 @@ let
        ${ifs.lan30.name},
        ${ifs.lan40.name},
        ${ifs.lan50.name},
+        wg0,
    }
    define OPNSENSE_NET6 = ${vars.extra.opnsense.net6}
    define ZONE_LAN_EXTRA_NET6 = {
@ -85,8 +86,10 @@ in
    family = "inet";
    content = ''
      ${nftIdentifiers}
-      define ALLOWED_TCP_PORTS = { ssh, https }
-      define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
+      define ALLOWED_TCP_PORTS = { ssh }
+      define ALLOWED_UDP_PORTS = { 18596 }
+      define ALLOWED_TCP_LAN_PORTS = { ssh, https }
+      define ALLOWED_UDP_LAN_PORTS = { bootps, dhcpv6-server, domain, https }
      set port_forward_v6 {
          type inet_proto . ipv6_addr . inet_service
          elements = {
@ -133,6 +136,10 @@ in
          # but apparently not.
          ip6 daddr { fe80::/10, ff02::/16 } th dport { dhcpv6-client, dhcpv6-server } accept

+          # Global input rules
+          tcp dport $ALLOWED_TCP_PORTS accept
+          udp dport $ALLOWED_UDP_PORTS accept
+
          # WAN zone input rules
          iifname $ZONE_WAN_IFS jump zone_wan_input
          # LAN zone input rules
@ -157,8 +164,7 @@ in
      }

      chain zone_wan_input {
-          # Allow SSH from WAN (if needed)
-          tcp dport ssh accept
+          # Allow specific stuff from WAN
      }

      chain zone_wan_forward {
@ -180,8 +186,8 @@ in
          ip protocol icmp accept

          # Allow specific services from LAN
-          tcp dport $ALLOWED_TCP_PORTS accept
-          udp dport $ALLOWED_UDP_PORTS accept
+          tcp dport $ALLOWED_TCP_LAN_PORTS accept
+          udp dport $ALLOWED_UDP_LAN_PORTS accept
      }

      chain zone_lan_forward {
--- a/hosts/router/secrets/cf-api-key.age
+++ b/hosts/router/secrets/cf-api-key.age
--- a/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
+++ b/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec
+pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw
+--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU
+'ÈzÆ€{gÈid\{çEâ•Ätp¢U×g2QC3gßÈJGªV1Ð6·WG_E&»vŽó)°&òüñÞ‘N"§ƒ¯n©_TÍ’¸
--- a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
+++ b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
--- a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
+++ b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg
+DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g
+--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4
+r<EFBFBD>¸›Ô¶aõyY/C¡£JæB®Xº!ñ"F
+¿h‹Ò(ñL>Œ()Üó»û<C2BB>òS;·}}2ÐžO.¯óhoqYðK"cˆEÛÕJM?-ËO
--- a/hosts/router/secrets/wireguard/wg0-private-key.age
+++ b/hosts/router/secrets/wireguard/wg0-private-key.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ
+IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ
+--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA
+萭E	7搸0`d鑆(o赪饱籗@傐瓩渿p瓥樼豘羳袃T砬枉禪堺+*齖Q嵗[龘巷xё29瞚5錵
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@ -52,7 +52,7 @@ in
    };
  };

-  secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+  secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age;
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
  services.caddy = {
    enable = true;
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
@ -99,6 +99,17 @@ rec {
    };
  };

+  wg = {
+    wg0 = rec {
+      name = "wg0";
+      p4 = "10.18.16";  # .0/24
+      addr4 = "${p4}.1";
+      addr4Sized = "${addr4}/24";
+      p6 = "${pdFromWan}f::6";  # :0:0/96
+      addr6 = "${p6}:0:1";
+      addr6Sized = "${addr6}/96";
+  };
+
  extra = {
    opnsense = rec {
      addr4 = "${ifs.lan.p4}.250";
--- a/hosts/router/wireguard.nix
+++ b/hosts/router/wireguard.nix
@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+  wg0 = vars.wg.wg0;
+
+  wg0Peers = {
+    "Yura-TPX13" = {
+      allowedIPs = [ "${wg0.p4}.3/32" "${wg0.p6}:3:0/112" ];
+      publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
+      pskEnabled = true;
+    };
+    "Yura-Pixel7Pro" = {
+      allowedIPs = [ "${wg0.p4}.4/32" "${wg0.p6}:4:0/112" ];
+      publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
+      pskEnabled = true;
+    };
+    "AsusS513" = {
+      allowedIPs = [ "${wg0.p4}.100/32" ];
+      publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
+      pskEnabled = false;
+    };
+  };
+  peerSecretName = name: "wg0-peer-${name}-psk";
+  secrets = config.secrix.services.systemd-networkd.secrets;
+in
+{
+  secrix.services.systemd-networkd.secrets = let
+    pskPeers = lib.attrsets.filterAttrs (name: peer: peer.pskEnabled) wg0Peers;
+    mapPeer = name: peer: {
+      name = peerSecretName name;
+      value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
+    };
+    peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
+  in
+  {
+    wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+  } // peerSecrets;
+
+  systemd.network.netdevs = {
+    "10-wg0" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg0";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = secrets.wg0-private-key.decrypted.path;
+        ListenPort = 18596;
+      };
+      wireguardPeers = map (peer: {
+        AllowedIPs = lib.strings.concatStringsSep "," peer.value.allowedIPs;
+        PublicKey = peer.value.publicKey;
+        PresharedKeyFile = if peer.value.pskEnabled then secrets."${peerSecretName peer.name}".decrypted.path else null;
+      }) (lib.attrsToList wg0Peers);
+    };
+  };
+
+  systemd.network.networks = {
+    "10-wg0" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        IPv4Forwarding = true;
+        IPv6SendRA = false;
+        Address = [ wg0.addr4Sized wg0.addr6Sized ];
+      };
+    };
+  };
+}
Author	SHA1	Message	Date
Yuri Tatishchev	19a7fbf181	WIP: router: wireguard: change wg0 subnets to not conflict with opnsense	2025-05-29 22:02:39 -07:00
Yuri Tatishchev	2ca40aa2f9	WIP: router: wireguard: slighly more successful conversion of peers to attrset	2025-05-29 22:02:38 -07:00
Yuri Tatishchev	9c02c5b611	WIP: router: wireguard: someone forgot to add the network config for the wireguard interface	2025-05-29 22:02:37 -07:00
Yuri Tatishchev	77df850248	WIP: router: wireguard: attempt to convert wg0Peers from list to attrset (gone not well)	2025-05-29 22:02:37 -07:00
Yuri Tatishchev	beaf8ae2bd	router: firewall: add wireguard interface to lan zone (stupidity moment)	2025-05-29 22:02:36 -07:00
Yuri Tatishchev	e8f37f3245	router: firewall: allow ssh, wireguard input globally	2025-05-29 22:02:35 -07:00
Yuri Tatishchev	2ba1412280	router: firewall: add entries for wireguard	2025-05-29 22:02:34 -07:00
Yuri Tatishchev	1b7395c392	router: wireguard: add wg0 interface with some peers for testing	2025-05-29 22:02:32 -07:00
Yuri Tatishchev	eae016b50c	updates: nixpkgs, home-manager, plasma-manager	2025-05-29 13:47:11 -07:00