{ lib, config, pkgs, ... }: /* Wireguard VPN server References: - https://nixos.wiki/wiki/WireGuard - https://wireguard.how/client/ios/ */ let ports = import ../Cloud/Ports.nix; ips = "10.100.0.1/24"; # a micro-library for creating iptables rules iptables = rec { bin = "${pkgs.iptables/bin/iptables}"; append = {source}: lib.concatSep " " [ bin "--table" "nat" "--append" "POSTROUTING" "--source" source "--out-interface" "eth0" "--jump" "MASQUERADE" ]; delete = {source}: lib.concatSep " " [ bin "--table" "nat" "--delete" "POSTROUTING" "--source" source "--out-interface" "eth0" "--jump" "MASQUERADE" ]; }; in { networking.nat.enable = true; networking.nat.externalInterface = "eth0"; networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall.allowedUDPPorts = [ ports.wireguard ]; networking.wireguard.enable = true; networking.wireguard.interfaces = { wg0 = { ips = [ ips ]; allowedIPsAsRoutes = true; listenPort = ports.wireguard; postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE ''; postShutdown = '' ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE ''; privateKeyFile = "/var/wireguard/private"; peers = [ #{ # helium # publicKey = "TODO"; # allowedIPs = [ "10.100.0.2/32" ]; #} { # ben's iPhone publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc="; allowedIPs = [ "10.100.0.3/32" ]; } ]; }; }; }