tunnel munin node traffic on lan through wireguard

2024-03-23 18:37:56 +01:00 · 2024-03-23 18:37:56 +01:00 · 7d1047e5fe
commit 7d1047e5fe
parent 017725d2cf
7 changed files with 87 additions and 26 deletions
--- a/nixos/agares/configuration.nix
+++ b/nixos/agares/configuration.nix
@ -86,7 +86,7 @@
    enable = true;
    extraConfig = ''
      host_name ${config.networking.hostName}
-      cidr_allow 192.168.101.184/32
+      cidr_allow 10.3.3.3/32
    '';
  };

--- a/nixos/agares/network.nix
+++ b/nixos/agares/network.nix
@ -63,6 +63,26 @@ in
            };
        }];
      };
+      "20-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path;
+          ListenPort = 51235;
+        };
+        wireguardPeers = lib.singleton {
+          wireguardPeerConfig = {
+            PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
+            AllowedIPs = [
+              "10.3.3.3/32"
+              "fd42:9c3b:f96d:121::3/128"
+              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
+            ];
+          };
+        };
+      };
    };
    networks =
      let
@ -126,6 +146,17 @@ in
            }
          ];
        };
+        "30-wg0" = {
+          matchConfig.Name = "wg0";
+          address = [ "10.3.3.2/32" "fd42:9c3b:f96d:121::2/128" ];
+          DHCP = "no";
+          networkConfig.IPv6AcceptRA = false;
+          linkConfig.RequiredForOnline = false;
+          routes = [
+            { routeConfig = { Destination = "10.3.3.1/24"; }; }
+            { routeConfig = { Destination = "fd42:9c3b:f96d:121::1/64"; }; }
+          ];
+        };
        "30-lan" = subnet "lan.10" "101" // {
          dhcpServerStaticLeases = [
            {
@ -237,6 +268,11 @@ in
    owner = "systemd-network";
  };

+  age.secrets."wg-privkey-wg0" = {
+    file = "${config.dadada.secrets.path}/agares-wg0-key.age";
+    owner = "systemd-network";
+  };
+
  boot.kernel.sysctl = {
    # Enable forwarding for interface
    "net.ipv4.conf.all.forwarding" = "1";
--- a/nixos/agares/rules.nft
+++ b/nixos/agares/rules.nft
@ -64,13 +64,17 @@ table inet filter {
    udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
  }

+  chain input_wg0 {
+    tcp dport 4949 accept comment "Munin node"
+  }
+
  chain input {
    type filter hook input priority filter; policy drop;

    ct state {established, related} counter accept comment "Accept packets from established and related connections"
    ct state invalid counter drop comment "Early drop of invalid packets"

-    iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt }
+    iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
  }

 # Only works if hardware flow offloading is available