From a425290cc894491c49c1c0469e672be84916f139 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sun, 27 Jun 2021 20:45:03 +0300
Subject: [PATCH] move to mullvad app

---
 modules/wireguard.nix | 90 +++++++++++++++++++++++--------------------
 1 file changed, 48 insertions(+), 42 deletions(-)

diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index e385982..5f27a04 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -4,49 +4,55 @@ let
 cfg = config.deviceSpecific.wireguard;
 kernel = config.boot.kernelPackages;
 in {
+ # config = mkIf cfg.enable {
+ # boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+ # environment.systemPackages = [ pkgs.wireguard-tools ];
+ # networking.firewall.checkReversePath = false;
+
+ # systemd.services."wg-quick-wg0" = {
+ # description = "wg-quick WireGuard Tunnel - wg0";
+ # requires = [ "network-online.target" ];
+ # after = [ "network.target" "network-online.target" ];
+ # wantedBy = [ "multi-user.target" ];
+ # environment.DEVICE = "wg0";
+ # path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
+
+ # serviceConfig = {
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+
+ # unitConfig = {
+ # ConditionPathExists = "/root/wg0.conf";
+ # };
+
+ # script = ''
+ # ${strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+ # wg-quick up /root/wg0.conf
+ # '';
+
+ # postStart = mkIf cfg.killswitch ''
+ # iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+ # # Allow IPv4 private ip addresses
+ # iptables -I OUTPUT -s 192.168.0.0/16 -j ACCEPT && iptables -I OUTPUT -s 172.16.0.0/12 -j ACCEPT
+ # '';
+
+ # preStop = ''
+ # ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! 
--dst-type LOCAL -j REJECT"}
+ # # Delete rule thats allow IPv4 private ip addresses
+ # ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT -s 192.168.0.0/16 && iptables -D OUTPUT -s 172.16.0.0/12"}
+ # wg-quick down /root/wg0.conf
+ # '';
+
+ # postStop = ''
+ # ip link delete wg0
+ # '';
+ # };
+ # };
 config = mkIf cfg.enable {
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
- environment.systemPackages = [ pkgs.wireguard-tools ];
- networking.firewall.checkReversePath = false;
-
- systemd.services."wg-quick-wg0" = {
- description = "wg-quick WireGuard Tunnel - wg0";
- requires = [ "network-online.target" ];
- after = [ "network.target" "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
- environment.DEVICE = "wg0";
- path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
-
- unitConfig = {
- ConditionPathExists = "/root/wg0.conf";
- };
-
- script = ''
- ${strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
- wg-quick up /root/wg0.conf
- '';
-
- postStart = mkIf cfg.killswitch ''
- iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- # Allow IPv4 private ip addresses
- iptables -I OUTPUT -s 192.168.0.0/16 -j ACCEPT && iptables -I OUTPUT -s 172.16.0.0/12 -j ACCEPT
- '';
-
- preStop = ''
- ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! 
--dst-type LOCAL -j REJECT"}
- # Delete rule thats allow IPv4 private ip addresses
- ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT -s 192.168.0.0/16 && iptables -D OUTPUT -s 172.16.0.0/12"}
- wg-quick down /root/wg0.conf
- '';
-
- postStop = ''
- ip link delete wg0
- '';
- };
+ networking.firewall.checkReversePath = "loose";
+ environment.systemPackages = [ pkgs.wireguard-tools pkgs.mullvad-vpn ];
+ services.mullvad-vpn.enable = true;
 };
 }
\ No newline at end of file
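Review bot: `cfg.killswitch` no longer has any effect after this hunk: the iptables REJECT rules that implemented it survive only inside the commented-out block, and the new `services.mullvad-vpn.enable = true;` does not consume the option, so a host that sets `killswitch = true` silently loses the leak protection it had before. Wherever the option is declared (not in this hunk), either remove it or fail evaluation until the Mullvad client's own lockdown mode is relied on explicitly, e.g. `assertions = [ { assertion = !cfg.killswitch; message = "deviceSpecific.wireguard.killswitch is not implemented by the Mullvad app; enable the client's lockdown mode instead"; } ];`. The 45 commented-out lines that duplicate the removed `wg-quick-wg0` service should be deleted rather than kept, since git history already holds them and they hide the module's actual behaviour (the `config = mkIf cfg.enable { ... }` block now reads as three lines). `pkgs.wireguard-tools` is also still installed although nothing in the new config references it; keep it only if it is intended for manual use.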