nicks-nix-config/hosts/Alaska/modules/protonvpn.nix

80 lines
2.1 KiB
Nix
Raw Normal View History

2024-01-02 19:03:24 -08:00
{ config, pkgs, ...}:
let
in
{
2024-01-02 19:03:24 -08:00
networking.firewall = {
allowedUDPPorts = [
53
];
allowedTCPPorts = [
53
];
};
networking.wg-quick.interfaces."protonvpn" = {
autostart = false;
2024-01-02 19:03:24 -08:00
privateKeyFile = "/home/nixolas/.passfiles/protonvpn";
address = [ "10.2.0.2/32" ];
listenPort = 51820;
peers = [
{
publicKey = "yB6ySO0kjqbgVWanDYKDgWoAMwM3X//nBiKXwaqmiwU=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "89.187.180.55:51820";
}
];
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.nftables}/bin/nft -f - <<EOF
add table ip tailscale-wg;
add chain ip tailscale-wg preraw;
flush chain ip tailscale-wg preraw;
delete chain ip tailscale-wg preraw;
table ip tailscale-wg {
chain preraw {
type filter hook prerouting priority raw; policy accept;
# ip daddr 100.64.0.1 dport != 22 nftrace set 1;
# iifname "tailscale0" ip daddr != 100.64.0.1 nftrace set 1;
iifname "tailscale0" ip daddr != 100.64.0.0/16 mark set 51820;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname "tailscale0" oifname "protonvpn" ip daddr != 100.64.0.1 masquerade;
}
}
EOF
${pkgs.wireguard-tools}/bin/wg set protonvpn fwmark off
# ${pkgs.iproute2}/bin/ip route add default via 10.2.0.2 dev tailscale0 table 51820
# table inet tailscale-wg { for ipv4 + ipv6
${pkgs.iproute2}/bin/ip -4 rule del not fwmark 51820 table 51820
# ${pkgs.iproute2}/bin/ip -6 rule del not fwmark 51820 table 51820
${pkgs.iproute2}/bin/ip -4 rule add fwmark 51820 table 51820
# ${pkgs.iproute2}/bin/ip -6 rule add fwmark 51820 table 51820
2024-01-02 19:03:24 -08:00
'';
# Undo the above
preDown = ''
${pkgs.nftables}/bin/nft -f - <<EOF
add table ip tailscale-wg;
add chain ip tailscale-wg preraw;
flush chain ip tailscale-wg preraw;
delete chain ip tailscale-wg preraw;
delete table ip tailscale-wg;
EOF
2024-01-02 19:03:24 -08:00
'';
};
}