-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
70 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| { config, lib, pkgs, ... }: | ||
|
|
||
| with lib; | ||
|
|
||
| let | ||
|
|
||
| cfg = config.custom.programs.wireguard; | ||
|
|
||
| wgPort = 51820; | ||
|
|
||
| in | ||
|
|
||
| { | ||
| options = { | ||
| custom.programs.wireguard = { | ||
| enable = mkEnableOption "WireGuard"; | ||
|
|
||
| ip = mkOption { | ||
| type = types.str; | ||
| description = "Ip with subnet of the client"; | ||
| example = "10.0.0.42/32"; | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| config = mkIf cfg.enable | ||
| { | ||
| { | ||
| networking.firewall = { | ||
| allowedUDPPorts = [ 51820 ]; | ||
| }; | ||
|
|
||
| networking.wireguard.interfaces = { | ||
| # "wg0" is the network interface name. You can name the interface arbitrarily. | ||
| wg0 = { | ||
| # Determines the IP address and subnet of the client's end of the tunnel interface. | ||
| ips = [ cfg.ip ]; | ||
| listenPort = wgPort; # to match firewall allowedUDPPorts (without this wg uses random port numbers) | ||
|
|
||
| # Path to the private key file. | ||
| # | ||
| # Note: The private key can also be included inline via the privateKey option, | ||
| # but this makes the private key world-readable; thus, using privateKeyFile is | ||
| # recommended. | ||
| privateKeyFile = "path to private key file"; | ||
|
|
||
| peers = [ | ||
| # For a client configuration, one peer entry for the server will suffice. | ||
|
|
||
| { | ||
| # Public key of the server (not a file path). | ||
| publicKey = "{server public key}"; | ||
|
|
||
| # Forward all the traffic via VPN. | ||
| allowedIPs = [ "0.0.0.0/0" ]; | ||
| # Or forward only particular subnets | ||
| #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ]; | ||
|
|
||
| # Set this to the server IP and port. | ||
| endpoint = "{server ip}:${wgPort}"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 | ||
|
|
||
| # Send keepalives every 25 seconds. Important to keep NAT tables alive. | ||
| persistentKeepalive = 25; | ||
| } | ||
| ]; | ||
| }; | ||
| }; | ||
| } | ||
| }; | ||
| } |