From e4e7651887bca1179348c4303a319f2f3e339942 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 22 Jun 2024 21:09:58 +0200
Subject: surtr: fix vpn

---
 hosts/surtr/vpn/default.nix | 59 ++++++++++++++++-----------------------------
 1 file changed, 21 insertions(+), 38 deletions(-)

diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 74a9fb22..636dab1a 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,21 @@ in {
     "net.netfilter.nf_log_all_netns" = true;
   };
 
-  networking.namespaces = {
-    enable = true;
-    containers."vpn".config = {
+  containers."vpn" = {
+    autoStart = true;
+    ephemeral = true;
+    extraFlags = [
+      "--network-ipvlan=ens3:upstream"
+      "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
+    ];
+
+    config = {
       boot.kernel.sysctl = {
         "net.core.rmem_max" = 4194304;
         "net.core.wmem_max" = 4194304;
+        "net.ipv6.conf.all.forwarding" = 1;
+        "net.ipv6.conf.default.forwarding"= 1;
+        "net.ipv4.conf.all.forwarding" = 1;
       };
 
       environment = {
@@ -53,6 +62,15 @@ in {
 
       systemd.network = {
         netdevs = {
+          upstream = {
+            netdevConfig = {
+              Name = "upstream";
+              Kind = "ipvlan";
+            };
+            ipvlanConfig = {
+              Mode = "L2";
+            };
+          };
           vpn = {
             netdevConfig = {
               Name = "vpn";
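Review bot: The sysctl block ending at `"net.ipv4.conf.all.forwarding" = 1;` drops `net.ipv4.conf.default.forwarding=1`, which the removed `vpn-upstream` script set together with the other three, so the IPv4 pair is now asymmetric with the IPv6 pair. Writing the `all` key likely propagates to `default` as well, but if that is what is relied on it should be visible: either restore `"net.ipv4.conf.default.forwarding" = 1;` for parity or add `# all.forwarding also covers default.forwarding for IPv4` on the line. A style nit on the same block: `"net.ipv6.conf.default.forwarding"= 1;` is missing the space before `=` that its neighbours have. The `containers."vpn"` attrset opened in this hunk continues past it.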
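Review bot: The `upstream` netdev added under `netdevs` declares an ipvlan whose parent interface is not present inside the container, and networkd only instantiates a `Kind = "ipvlan"` netdev when a parent link's `.network` references it via `IPVLAN=`; if I read it right, this unit therefore does not create the link — the `--network-ipvlan=ens3:upstream` flag in the first hunk does that from the host side. A comment above `upstream = {` would save the next reader the same detour, e.g. `# Link is created by nspawn (--network-ipvlan); this unit only describes the existing ipvlan to networkd`. `Mode = "L2"` presumably mirrors what nspawn creates; worth confirming against the nspawn flag rather than leaving the two to drift apart silently. No `.network` unit for `upstream` is visible in this hunk, and the `netdevs` attrset continues beyond it.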
@@ -136,41 +154,6 @@ in {
     };
   };
 
-  systemd.services = {
-    "vpn-upstream" = {
-      bindsTo = ["netns@vpn.service"];
-      after = ["netns@vpn.service"];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-        ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
-      };
-      path = with pkgs; [ iproute2 procps ];
-      script = ''
-        ip netns exec vpn sysctl \
-          net.ipv6.conf.all.forwarding=1 \
-          net.ipv6.conf.default.forwarding=1 \
-          net.ipv4.conf.all.forwarding=1 \
-          net.ipv4.conf.default.forwarding=1
-
-        ip link add link ens3 name upstream type ipvlan mode l2
-        ip link set upstream netns vpn
-      '';
-    };
-
-    "netns-container@vpn" = {
-      wantedBy = ["multi-user.target" "network-online.target"];
-      after = ["vpn-upstream.service"];
-      bindsTo = ["vpn-upstream.service"];
-
-      serviceConfig = {
-        LoadCredential = [
-          "surtr.priv:${config.sops.secrets.vpn.path}"
-        ];
-      };
-    };
-  };
-
   sops.secrets.vpn = {
     format = "binary";
     sopsFile = ./surtr.priv;
-- 
cgit v1.2.3