working wireguard including forwarding

2023-01-19 13:08:12 +01:00 · 2023-01-19 13:08:12 +01:00 · 14b49443f8
parent 64c5d577e8
commit 14b49443f8
4 changed files with 13 additions and 11 deletions
--- a/nixos/machines/pepe/hass.nix
+++ b/nixos/machines/pepe/hass.nix
@ -13,7 +13,6 @@

  backup.dirs = [ "/var/lib/home-assistant" ];

-
  networking.firewall.allowedTCPPorts = [ 8123 ];
  networking.firewall.allowedUDPPorts = [ 8123 ];

--- a/nixos/machines/pepe/wireguard.nix
+++ b/nixos/machines/pepe/wireguard.nix
@ -13,12 +13,14 @@
      address = [ "10.100.0.2/32" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
      # server
      peers = [
        {
          # robi
          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
-          allowedIPs = [ "10.100.0.1/32" ];
+          allowedIPs = [ "10.100.0.1/24" ];
          endpoint = "ingolf-wagner.de:51820";
          persistentKeepalive = 25;
        }
--- a/nixos/machines/robi/wireguard.nix
+++ b/nixos/machines/robi/wireguard.nix
@ -13,15 +13,14 @@
      address = [ "10.100.0.1/32" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;

-      #postUp = ''
-      #  ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-      #  ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-      #'';
-      #postDown = ''
-      #  ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-      #  ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-      #'';
+      postUp = ''
+        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+      '';
+      postDown = ''
+        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+      '';

      # clients
      peers = [
--- a/nixos/machines/sterni/wireguard.nix
+++ b/nixos/machines/sterni/wireguard.nix
@ -11,11 +11,13 @@
      address = [ "10.100.0.3/32" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
      peers = [
        {
          # robi
          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
-          allowedIPs = [ "10.100.0.1/32" ];
+          allowedIPs = [ "10.100.0.1/24" ];
          endpoint = "ingolf-wagner.de:51820";
        }
      ];