feat: fixed vpn on defiant

This commit is contained in:
Leyla Becker 2025-10-02 15:45:21 -05:00
parent 21edda5fe6
commit c9bb9380b5


@ -132,23 +132,24 @@
}; };
}; };
# "20-wg0" = { "20-wg0" = {
# netdevConfig = { netdevConfig = {
# Kind = "wireguard"; Kind = "wireguard";
# Name = "wg0"; Name = "wg0";
# }; };
# wireguardConfig = { wireguardConfig = {
# PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path; PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
# ListenPort = 51820; ListenPort = 51820;
# }; };
# wireguardPeers = [ wireguardPeers = [
# { {
# PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0="; PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
# Endpoint = "185.230.126.146:51820"; Endpoint = "185.230.126.146:51820";
# AllowedIPs = ["0.0.0.0/0"]; # Allow all traffic but use policy routing to prevent system-wide VPN
# } AllowedIPs = ["0.0.0.0/0"];
# ]; }
# }; ];
};
}; };
networks = { networks = {
"40-bond0" = { "40-bond0" = {
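Review bot: The wg0 netdev enabled in this hunk keeps `ListenPort = 51820;`, which binds a fixed UDP listener on the host even though the only peer is dialed out to a fixed provider endpoint; for a client-only tunnel that line can be dropped so the kernel picks an ephemeral port and nothing is left listening, or the port needs a matching firewall rule (none is visible here). The private key is read via `config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path`, and systemd-networkd opens that file as its own service user rather than root, so the sops declaration (outside this hunk) presumably needs an owner, group or mode that makes it readable to that user — worth confirming, because a permission error there brings the interface up without a key and the failure only shows in the networkd journal. The comment added above `AllowedIPs = ["0.0.0.0/0"];` is slightly misleading: AllowedIPs is the cryptokey-routing filter on the peer, while the part that keeps the tunnel application-specific is the policy routing in the 50-wg0 network unit, so `# cryptokey-routing filter only; the per-app policy routing lives in the 50-wg0 network unit` would state the actual role.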
@ -163,36 +164,67 @@
"192.168.1.10/32" "192.168.1.10/32"
]; ];
gateway = ["192.168.1.1"]; # Set lower priority for default gateway to allow WireGuard interface binding
routes = [
{
Destination = "0.0.0.0/0";
Gateway = "192.168.1.1";
Metric = 100;
}
];
dns = ["192.168.1.1"]; dns = ["192.168.1.1"];
}; };
# For some reason this isn't working. It looks like traffic goes out and comes back but doesn't get correctly routed back to the wg interface on the return trip "50-wg0" = {
# debugging steps: matchConfig.Name = "wg0";
# try sending data on the interface `ping -I wg0 8.8.8.8` networkConfig = {
# view all traffic on the interface `sudo tshark -i wg0` DHCP = "no";
# see what applications are listening to port 14666 (thats what we currently have qbittorent set up to use) `ss -tuln | grep 14666` };
# "50-wg0" = { address = [
# matchConfig.Name = "wg0"; "10.2.0.2/32"
# networkConfig = { ];
# DHCP = "no"; # Configure routing for application binding
# }; routingPolicyRules = [
# address = [ {
# "10.2.0.2/32" # Route traffic from VPN interface through VPN table
# ]; From = "10.2.0.2/32";
# # routes = [ Table = 200;
# # { Priority = 100;
# # Destination = "10.2.0.2/32"; }
# # Gateway = "10.2.0.1"; ];
# # } routes = [
# # ]; {
# }; # Direct route to VPN gateway
Destination = "10.2.0.1/32";
Scope = "link";
}
{
# Route VPN subnet through VPN gateway in custom table
Destination = "10.2.0.0/16";
Gateway = "10.2.0.1";
Table = 200;
}
{
# Route all traffic through VPN gateway in custom table
Destination = "0.0.0.0/0";
Gateway = "10.2.0.1";
Table = 200;
}
];
};
}; };
}; };
# limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
boot.kernelParams = ["zfs.zfs_arc_max=53687091200"]; boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
# Enable policy routing and source routing for application-specific VPN binding
boot.kernel.sysctl = {
"net.ipv4.conf.all.rp_filter" = 2;
"net.ipv4.conf.default.rp_filter" = 2;
"net.ipv4.conf.wg0.rp_filter" = 2;
};
services = { services = {
# temp enable desktop environment for setup # temp enable desktop environment for setup
# Enable the X11 windowing system. # Enable the X11 windowing system.