got tailscale -> proton but not the other idea

2024-11-22 12:49:32 -08:00 · 2024-01-06 19:59:12 -08:00 · 2024-01-06 19:59:12 -08:00 · 97a530c61c
commit 97a530c61c
parent 6a0768985c
5 changed files with 43 additions and 51 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,26 +1,5 @@
 {
  "nodes": {
-    "erosanix": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1704240213,
-        "narHash": "sha256-77L3ABF6aA94/1dEEABwgtWJ/q5PJ7U0DX6daFhOpOw=",
-        "owner": "emmanuelrosa",
-        "repo": "erosanix",
-        "rev": "9b42da22ad64502690e57fedadf3155150daafbd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "emmanuelrosa",
-        "repo": "erosanix",
-        "type": "github"
-      }
-    },
    "ewwtilities": {
      "inputs": {
        "nixpkgs": "nixpkgs",
@ -56,22 +35,6 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -415,7 +378,7 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils_4",
        "gitignore": "gitignore",
        "nixpkgs": [
@ -440,7 +403,6 @@
    },
    "root": {
      "inputs": {
-        "erosanix": "erosanix",
        "ewwtilities": "ewwtilities",
        "headscale": "headscale",
        "home-manager": "home-manager",
--- a/flake.nix
+++ b/flake.nix
@ -65,7 +65,6 @@
            {
              networking.hostName = "Alaska";
            }
-            inputs.erosanix.nixosModules.protonvpn
            inputs.nicks_nextcloud_integrations.nixosModules.default
            ./hosts/Alaska
            home-manager.nixosModules.home-manager {
@ -128,7 +127,6 @@
            {
              networking.hostName = "NicksNixDesktop";
            }
-            inputs.erosanix.nixosModules.protonvpn
            kmonad.nixosModules.default
            ./hosts/desktop
            ./hosts/configuration.nix
--- a/home.nix
+++ b/home.nix
@ -38,6 +38,7 @@ let
      fd
      fortune
      neofetch
+      nftables
      pfetch
      rmtrash
      testdisk # file recovery https://itsfoss.com/recover-deleted-files-linux/
--- a/hosts/Alaska/modules/headscale.nix
+++ b/hosts/Alaska/modules/headscale.nix
@ -5,6 +5,9 @@ let
  baseDomain = "nickiel.net";
  domain = "headscale.${baseDomain}";
 in {
+  # headscale routes list
+  # headscale routes enable -r NUMBER
+  # to enable exit node to be used
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

--- a/hosts/Alaska/modules/protonvpn.nix
+++ b/hosts/Alaska/modules/protonvpn.nix
@ -6,7 +6,6 @@ in
  networking.firewall = {
    allowedUDPPorts = [
      53
-      config.services.protonvpn.interface.port
    ];
    allowedTCPPorts = [
      53
@ -15,7 +14,6 @@ in

  networking.wg-quick.interfaces."protonvpn" = {
    autostart = false;
-    #dns = [ 10.2.0.1 ];
    privateKeyFile = "/home/nixolas/.passfiles/protonvpn";
    address = [ "10.2.0.2/32" ];
    listenPort = 51820;
@ -30,18 +28,48 @@ in

    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    postUp = ''
-      # ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-      # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
-      # ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
-      # ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      ${pkgs.nftables}/bin/nft -f - <<EOF 
+      add table ip tailscale-wg;
+      add chain ip tailscale-wg preraw;
+      flush chain ip tailscale-wg preraw;
+      delete chain ip tailscale-wg preraw;
+
+      table ip tailscale-wg {
+        chain preraw {
+          type filter hook prerouting priority raw; policy accept;
+
+          # ip daddr 100.64.0.1 dport != 22 nftrace set 1;
+          iifname "tailscale0" ip daddr != 100.64.0.1 nftrace set 1;
+          iifname "tailscale0" ip daddr != 100.64.0.0/16 mark set 51820;
+          iifname "protonvpn" mark set 51820;
+        }
+        chain postrouting {
+          type nat hook postrouting priority srcnat; policy accept;
+          iifname "tailscale0" ip daddr != 100.64.0.1 masquerade;
+        }
+      }
+      EOF
+      # table inet tailscale-wg { for ipv4 + ipv6
+      ${pkgs.iproute2}/bin/ip -4 rule del not fwmark 51820 table 51820
+      # ${pkgs.iproute2}/bin/ip -6 rule del not fwmark 51820 table 51820
+
+      ${pkgs.iproute2}/bin/ip -4 rule add fwmark 51820 table 51820
+      # ${pkgs.iproute2}/bin/ip -6 rule add fwmark 51820 table 51820
+
    '';

    # Undo the above
    preDown = ''
-      # ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-      # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
-      # ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
-      # ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+      ${pkgs.nftables}/bin/nft -f - <<EOF
+      add table ip tailscale-wg;
+
+      add chain ip tailscale-wg preraw;
+      flush chain ip tailscale-wg preraw;
+      delete chain ip tailscale-wg preraw;
+
+      delete table ip tailscale-wg;
+      EOF
+
    '';
  };