feat(vpn): add dgnum vpn & firewall

2025-01-10 15:49:51 +01:00 · 2025-01-10 15:49:51 +01:00 · ae9b3c7c44
commit ae9b3c7c44
parent eabd9ad19c
4 changed files with 160 additions and 10 deletions
--- a/machines/kat-manah/configuration.nix
+++ b/machines/kat-manah/configuration.nix
@ -126,14 +126,48 @@
  };
  networking = {
-    nftables.tables.nat = {
+    nftables.tables = {
-      family = "ip";
+      nat = {
-      content = ''
+        family = "ip";
-        chain postrouting {
+        content = ''
-          type nat hook postrouting priority 100;
+          chain postrouting {
-          ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade
+            type nat hook postrouting priority 100;
-        };
+            ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade
-      '';
+          };
        '';
      };
      filter = {
        family = "inet";
        content = ''
          chain forward {
            type filter hook forward priority filter; policy accept;
            ct state vmap {
              invalid: drop,
              established: accept,
              related: accept,
              new: jump forward_decide,
              untracked: jump forward_decide,
            };
          }
          chain forward_decide {
            # Allow samba access
            ip saddr 192.168.1.0/24 ip daddr 192.168.1.0/24 accept;
            # Block access to vpn
            ip saddr {
              192.168.1.0/24,
              192.168.122.0/24,
            } ip daddr {
              100.80.0.0/16,
              192.168.0.0/16,
              10.42.0.0/16,
            } jump forward_reject;
          }
          chain forward_reject {
            reject with icmpx type admin-prohibited;
          }
        '';
      };
    };
    firewall = {
      allowedTCPPorts = [
--- a/machines/kat-probook/configuration.nix
+++ b/machines/kat-probook/configuration.nix
@ -67,6 +67,12 @@ in
        address = [
          "10.42.1.1/16"
        ];
        networkConfig = {
          DNS = [
            "100.80.129.176"
          ];
          Domains = "dgnum";
        };
      };
      "50-wg1" = {
        name = "wg1";
--- a/machines/kat-watcher/configuration.nix
+++ b/machines/kat-watcher/configuration.nix
@ -1,6 +1,11 @@
 {
  pkgs,
  lib,
  meta,
  kat-path,
  ssh-keys,
  sources,
  self-meta,
  ...
 }:
 {
@ -27,8 +32,53 @@
  networking = {
    useDHCP = false;
    firewall.allowedUDPPorts = [ 1194 ];
-    nftables = {
+    nftables.tables = {
-      enable = true;
+      nat = {
        family = "ip";
        content = ''
          chain postrouting {
            type nat hook postrouting priority 100;
            ip saddr 192.168.121.2 masquerade
          };
        '';
      };
      filter = {
        family = "inet";
        content = ''
          set vpn {
            type ipv4_addr
            flags interval
            auto-merge
            elements = {
              100.80.0.0/16,
              10.42.0.0/16,
              192.168.1.0/24,
              192.168.122.0/24,
            }
          };
          chain forward {
            type filter hook forward priority filter; policy accept;
            ct state vmap {
              invalid: drop,
              established: accept,
              related: accept,
              new: jump forward_decide,
              untracked: jump forward_decide,
            };
          }
          chain forward_decide {
            # Allow vpn inside
            ip saddr @vpn ip daddr @vpn accept;
            ip saddr 192.168.121.2 ip daddr != @vpn accept;
            jump forward_reject;
          }
          chain forward_reject {
            reject with icmpx type admin-prohibited;
          }
        '';
      };
    };
  };
  systemd.network = {
@ -55,6 +105,15 @@
        name = "wg0";
        address = [ "10.42.0.2/16" ];
      };
      "25-netbird" = {
        name = "ve-dgnum-neoKM9";
        routes = [
          {
            Destination = "100.80.0.0/16";
            Gateway = "192.168.121.2";
          }
        ];
      };
    };
    netdevs = {
      "50-wg0" = {
@ -73,6 +132,54 @@
      };
    };
  };
  containers.dgnum-netbird = {
    privateNetwork = true;
    hostAddress = "192.168.121.1";
    localAddress = "192.168.121.2";
    autoStart = true;
    specialArgs = {
      inherit
        kat-path
        ssh-keys
        sources
        self-meta
        ;
    };
    config = {
      imports = [ kat-path ];
      kat.addArgs = false;
      boot.kernel = {
        enable = false;
        sysctl."net.ipv4.ip_forward" = true;
      };
      systemd.network.networks."10-eth0" = {
        name = "eth0";
        dns = [
          "8.8.8.8"
          "1.1.1.1"
        ];
      };
      networking = {
        useHostResolvConf = false;
        firewall.allowedUDPPorts = [ 53 ];
        nftables.tables.nat = {
          family = "ip";
          content = ''
            chain postrouting {
              type nat hook postrouting priority 100;
              ip daddr 100.80.0.0/16 masquerade
            };
          '';
        };
      };
      services = {
        resolved.enable = lib.mkForce true;
        openssh.enable = true;
        netbird.enable = true;
      };
      system.stateVersion = "24.11";
    };
  };
  security.acme = {
    acceptTerms = true;
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
@ -3,6 +3,9 @@
    version = "unstable";
    wg-key = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
    fqdn = "watcher.katvayor.net";
    subnets = [
      "100.80.0.0/16"
    ];
    vpn-ip4 = "10.42.0.2";
    vpn-hub = true;
  };