move to mullvad app
This commit is contained in:
Dmitriy Kholkin
parent
32c30aae88
commit
a425290cc8
@ -4,49 +4,55 @@ let
|
|||||||
cfg = config.deviceSpecific.wireguard;
|
cfg = config.deviceSpecific.wireguard;
|
||||||
kernel = config.boot.kernelPackages;
|
kernel = config.boot.kernelPackages;
|
||||||
in {
|
in {
|
||||||
|
# config = mkIf cfg.enable {
|
||||||
|
# boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
|
||||||
|
# environment.systemPackages = [ pkgs.wireguard-tools ];
|
||||||
|
# networking.firewall.checkReversePath = false;
|
||||||
|
|
||||||
|
# systemd.services."wg-quick-wg0" = {
|
||||||
|
# description = "wg-quick WireGuard Tunnel - wg0";
|
||||||
|
# requires = [ "network-online.target" ];
|
||||||
|
# after = [ "network.target" "network-online.target" ];
|
||||||
|
# wantedBy = [ "multi-user.target" ];
|
||||||
|
# environment.DEVICE = "wg0";
|
||||||
|
# path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
|
||||||
|
|
||||||
|
# serviceConfig = {
|
||||||
|
# Type = "oneshot";
|
||||||
|
# RemainAfterExit = true;
|
||||||
|
# };
|
||||||
|
|
||||||
|
# unitConfig = {
|
||||||
|
# ConditionPathExists = "/root/wg0.conf";
|
||||||
|
# };
|
||||||
|
|
||||||
|
# script = ''
|
||||||
|
# ${strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
|
||||||
|
# wg-quick up /root/wg0.conf
|
||||||
|
# '';
|
||||||
|
|
||||||
|
# postStart = mkIf cfg.killswitch ''
|
||||||
|
# iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
|
||||||
|
# # Allow IPv4 private ip addresses
|
||||||
|
# iptables -I OUTPUT -s 192.168.0.0/16 -j ACCEPT && iptables -I OUTPUT -s 172.16.0.0/12 -j ACCEPT
|
||||||
|
# '';
|
||||||
|
|
||||||
|
# preStop = ''
|
||||||
|
# ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
|
||||||
|
# # Delete rule thats allow IPv4 private ip addresses
|
||||||
|
# ${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT -s 192.168.0.0/16 && iptables -D OUTPUT -s 172.16.0.0/12"}
|
||||||
|
# wg-quick down /root/wg0.conf
|
||||||
|
# '';
|
||||||
|
|
||||||
|
# postStop = ''
|
||||||
|
# ip link delete wg0
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
# };
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
|
boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
|
||||||
environment.systemPackages = [ pkgs.wireguard-tools ];
|
networking.firewall.checkReversePath = "loose";
|
||||||
networking.firewall.checkReversePath = false;
|
environment.systemPackages = [ pkgs.wireguard-tools pkgs.mullvad-vpn ];
|
||||||
|
services.mullvad-vpn.enable = true;
|
||||||
systemd.services."wg-quick-wg0" = {
|
|
||||||
description = "wg-quick WireGuard Tunnel - wg0";
|
|
||||||
requires = [ "network-online.target" ];
|
|
||||||
after = [ "network.target" "network-online.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
environment.DEVICE = "wg0";
|
|
||||||
path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
unitConfig = {
|
|
||||||
ConditionPathExists = "/root/wg0.conf";
|
|
||||||
};
|
|
||||||
|
|
||||||
script = ''
|
|
||||||
${strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
|
|
||||||
wg-quick up /root/wg0.conf
|
|
||||||
'';
|
|
||||||
|
|
||||||
postStart = mkIf cfg.killswitch ''
|
|
||||||
iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
|
|
||||||
# Allow IPv4 private ip addresses
|
|
||||||
iptables -I OUTPUT -s 192.168.0.0/16 -j ACCEPT && iptables -I OUTPUT -s 172.16.0.0/12 -j ACCEPT
|
|
||||||
'';
|
|
||||||
|
|
||||||
preStop = ''
|
|
||||||
${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
|
|
||||||
# Delete rule thats allow IPv4 private ip addresses
|
|
||||||
${strings.optionalString (cfg.killswitch) "iptables -D OUTPUT -s 192.168.0.0/16 && iptables -D OUTPUT -s 172.16.0.0/12"}
|
|
||||||
wg-quick down /root/wg0.conf
|
|
||||||
'';
|
|
||||||
|
|
||||||
postStop = ''
|
|
||||||
ip link delete wg0
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
Loading…
x
Reference in New Issue
Block a user