working wireguard including forwarding
parent
64c5d577e8
commit
14b49443f8
|
@ -13,7 +13,6 @@
|
||||||
|
|
||||||
backup.dirs = [ "/var/lib/home-assistant" ];
|
backup.dirs = [ "/var/lib/home-assistant" ];
|
||||||
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 8123 ];
|
networking.firewall.allowedTCPPorts = [ 8123 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 8123 ];
|
networking.firewall.allowedUDPPorts = [ 8123 ];
|
||||||
|
|
||||||
|
|
|
@ -13,12 +13,14 @@
|
||||||
address = [ "10.100.0.2/32" ];
|
address = [ "10.100.0.2/32" ];
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||||
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
||||||
|
mtu = 1280;
|
||||||
|
|
||||||
# server
|
# server
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
# robi
|
# robi
|
||||||
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
|
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
|
||||||
allowedIPs = [ "10.100.0.1/32" ];
|
allowedIPs = [ "10.100.0.1/24" ];
|
||||||
endpoint = "ingolf-wagner.de:51820";
|
endpoint = "ingolf-wagner.de:51820";
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
|
|
|
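Review bot: `allowedIPs = [ "10.100.0.1/24" ]` is a /24 prefix with host bits set; the network this client is meant to reach is `10.100.0.0/24`, and tooling that installs a route for each allowed prefix may reject or silently normalize a prefix with host bits, so prefer `allowedIPs = [ "10.100.0.0/24" ];`. The same value appears in the third client's hunk at `@ -11,11 +11,13 @@`. Widening from /32 to /24 also means this peer may now source any address in the subnet, which is exactly what client-to-client forwarding through the server needs; a comment such as `# whole VPN subnet: other clients are reached through robi, which forwards` would record that intent. `mtu = 1280;` is added without explanation, and a one-line comment stating why 1280 was chosen would help the next reader. The enclosing interface attribute set starts and ends outside the hunk.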
@ -13,15 +13,14 @@
|
||||||
address = [ "10.100.0.1/32" ];
|
address = [ "10.100.0.1/32" ];
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||||
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
||||||
|
mtu = 1280;
|
||||||
|
|
||||||
#postUp = ''
|
postUp = ''
|
||||||
# ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
|
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
|
||||||
# ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
'';
|
||||||
#'';
|
postDown = ''
|
||||||
#postDown = ''
|
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
||||||
# ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
'';
|
||||||
# ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
#'';
|
|
||||||
|
|
||||||
# clients
|
# clients
|
||||||
peers = [
|
peers = [
|
||||||
|
|
|
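Review bot: `iptables -A FORWARD -i wg0 -j ACCEPT` accepts forwarding from wg0 to every interface on the server, not only back into the tunnel; if the goal is client-to-client traffic, constrain the output interface with `${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT` and the matching `-D` line in postDown, otherwise any peer can reach whatever other networks the server is attached to. The `-A` in postUp is not idempotent: if the interface is brought up again without a clean postDown, duplicate rules accumulate and a single `-D` removes only one, so checking with `-C` before `-A` (or letting the NixOS firewall's own extra-commands hook own the rule) avoids that. Whether IP forwarding is enabled in the kernel is not visible in this hunk; the FORWARD rule does nothing without it, so it is worth confirming where that is set. The enclosing attribute set starts and ends outside the hunk.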
@ -11,11 +11,13 @@
|
||||||
address = [ "10.100.0.3/32" ];
|
address = [ "10.100.0.3/32" ];
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||||
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
privateKeyFile = config.sops.secrets.wireguard_private.path;
|
||||||
|
mtu = 1280;
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
# robi
|
# robi
|
||||||
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
|
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
|
||||||
allowedIPs = [ "10.100.0.1/32" ];
|
allowedIPs = [ "10.100.0.1/24" ];
|
||||||
endpoint = "ingolf-wagner.de:51820";
|
endpoint = "ingolf-wagner.de:51820";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|