vpn: allow disabling vpn config
							parent
							
								
									10380a53b5
								
							
						
					
					
						commit
						2dd9bea706
					
				
					 3 changed files with 83 additions and 72 deletions
								system/vpn.nix
								system/vpn.nix
			@ -1,83 +1,93 @@
 | 
			
		|||
{ pkgs, ... }: {
 | 
			
		||||
  networking.firewall.enable = false;
 | 
			
		||||
{ pkgs, lib, config, ... }:
 | 
			
		||||
let
 | 
			
		||||
  cfg = config.services.vpn;
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
  options.services.vpn = {
 | 
			
		||||
    enable = lib.mkEnableOption "Whether vpn should be enabled";
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  services.mullvad-vpn.enable = true;
 | 
			
		||||
  services.mullvad-vpn.package = pkgs.mullvad-vpn;
 | 
			
		||||
  config = lib.mkIf cfg.enable {
 | 
			
		||||
    networking.firewall.enable = false;
 | 
			
		||||
 | 
			
		||||
  networking.nftables = {
 | 
			
		||||
    enable = true;
 | 
			
		||||
    ruleset = ''
 | 
			
		||||
      table inet allowAll {
 | 
			
		||||
          chain allowIncoming {
 | 
			
		||||
              type filter hook input priority -100; policy accept;
 | 
			
		||||
              tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
 | 
			
		||||
          }
 | 
			
		||||
          chain allowOutgoing {
 | 
			
		||||
              type route hook output priority -100; policy accept;
 | 
			
		||||
              tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
 | 
			
		||||
          }
 | 
			
		||||
      }
 | 
			
		||||
    services.mullvad-vpn.enable = true;
 | 
			
		||||
    services.mullvad-vpn.package = pkgs.mullvad-vpn;
 | 
			
		||||
 | 
			
		||||
      ######################################
 | 
			
		||||
      #       _            _               #
 | 
			
		||||
      #    __| | ___   ___| | _____ _ __   #
 | 
			
		||||
      #   / _` |/ _ \ / __| |/ / _ \ '__|  #
 | 
			
		||||
      #  | (_| | (_) | (__|   <  __/ |     #
 | 
			
		||||
      #   \__,_|\___/ \___|_|\_\___|_|     #
 | 
			
		||||
      #                                    #
 | 
			
		||||
      ######################################
 | 
			
		||||
    networking.nftables = {
 | 
			
		||||
      enable = true;
 | 
			
		||||
      ruleset = ''
 | 
			
		||||
        table inet allowAll {
 | 
			
		||||
            chain allowIncoming {
 | 
			
		||||
                type filter hook input priority -100; policy accept;
 | 
			
		||||
                tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
 | 
			
		||||
            }
 | 
			
		||||
            chain allowOutgoing {
 | 
			
		||||
                type route hook output priority -100; policy accept;
 | 
			
		||||
                tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
 | 
			
		||||
            }
 | 
			
		||||
        }
 | 
			
		||||
 | 
			
		||||
      # This gets sent to the vpn so it's safe
 | 
			
		||||
        ######################################
 | 
			
		||||
        #       _            _               #
 | 
			
		||||
        #    __| | ___   ___| | _____ _ __   #
 | 
			
		||||
        #   / _` |/ _ \ / __| |/ / _ \ '__|  #
 | 
			
		||||
        #  | (_| | (_) | (__|   <  __/ |     #
 | 
			
		||||
        #   \__,_|\___/ \___|_|\_\___|_|     #
 | 
			
		||||
        #                                    #
 | 
			
		||||
        ######################################
 | 
			
		||||
 | 
			
		||||
      table ip nat {
 | 
			
		||||
          chain DOCKER {
 | 
			
		||||
              iifname "docker0" counter packets 0 bytes 0 return
 | 
			
		||||
          }
 | 
			
		||||
        # This gets sent to the vpn so it's safe
 | 
			
		||||
 | 
			
		||||
          chain POSTROUTING {
 | 
			
		||||
              type nat hook postrouting priority srcnat; policy accept;
 | 
			
		||||
              oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
 | 
			
		||||
          }
 | 
			
		||||
        table ip nat {
 | 
			
		||||
            chain DOCKER {
 | 
			
		||||
                iifname "docker0" counter packets 0 bytes 0 return
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain PREROUTING {
 | 
			
		||||
              type nat hook prerouting priority dstnat; policy accept;
 | 
			
		||||
              fib daddr type local counter packets 5 bytes 252 jump DOCKER
 | 
			
		||||
          }
 | 
			
		||||
            chain POSTROUTING {
 | 
			
		||||
                type nat hook postrouting priority srcnat; policy accept;
 | 
			
		||||
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain OUTPUT {
 | 
			
		||||
              type nat hook output priority -100; policy accept;
 | 
			
		||||
              ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
 | 
			
		||||
          }
 | 
			
		||||
      }
 | 
			
		||||
      table ip filter {
 | 
			
		||||
          chain DOCKER {
 | 
			
		||||
          }
 | 
			
		||||
            chain PREROUTING {
 | 
			
		||||
                type nat hook prerouting priority dstnat; policy accept;
 | 
			
		||||
                fib daddr type local counter packets 5 bytes 252 jump DOCKER
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain DOCKER-ISOLATION-STAGE-1 {
 | 
			
		||||
              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
 | 
			
		||||
              counter packets 0 bytes 0 return
 | 
			
		||||
          }
 | 
			
		||||
            chain OUTPUT {
 | 
			
		||||
                type nat hook output priority -100; policy accept;
 | 
			
		||||
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
 | 
			
		||||
            }
 | 
			
		||||
        }
 | 
			
		||||
        table ip filter {
 | 
			
		||||
            chain DOCKER {
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain DOCKER-ISOLATION-STAGE-2 {
 | 
			
		||||
              oifname "docker0" counter packets 0 bytes 0 drop
 | 
			
		||||
              counter packets 0 bytes 0 return
 | 
			
		||||
          }
 | 
			
		||||
            chain DOCKER-ISOLATION-STAGE-1 {
 | 
			
		||||
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
 | 
			
		||||
                counter packets 0 bytes 0 return
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain FORWARD {
 | 
			
		||||
              type filter hook forward priority filter; policy accept;
 | 
			
		||||
              counter packets 0 bytes 0 jump DOCKER-USER
 | 
			
		||||
              counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
 | 
			
		||||
              oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
 | 
			
		||||
              oifname "docker0" counter packets 0 bytes 0 jump DOCKER
 | 
			
		||||
              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
 | 
			
		||||
              iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
 | 
			
		||||
          }
 | 
			
		||||
            chain DOCKER-ISOLATION-STAGE-2 {
 | 
			
		||||
                oifname "docker0" counter packets 0 bytes 0 drop
 | 
			
		||||
                counter packets 0 bytes 0 return
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
          chain DOCKER-USER {
 | 
			
		||||
              counter packets 0 bytes 0 return
 | 
			
		||||
          }
 | 
			
		||||
      }
 | 
			
		||||
            chain FORWARD {
 | 
			
		||||
                type filter hook forward priority filter; policy accept;
 | 
			
		||||
                counter packets 0 bytes 0 jump DOCKER-USER
 | 
			
		||||
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
 | 
			
		||||
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
 | 
			
		||||
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
 | 
			
		||||
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
 | 
			
		||||
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
 | 
			
		||||
            }
 | 
			
		||||
 | 
			
		||||
    '';
 | 
			
		||||
            chain DOCKER-USER {
 | 
			
		||||
                counter packets 0 bytes 0 return
 | 
			
		||||
            }
 | 
			
		||||
        }
 | 
			
		||||
 | 
			
		||||
      '';
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
}
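Review bot: With `cfg.enable` set, the new `config` block still disables `networking.firewall` and replaces it with a ruleset in which every chain is `policy accept` (`allowIncoming`, `FORWARD`, the `nat` chains), so the enabled state leaves the host with no inbound filtering at all — the option only gates whether this open configuration is applied, it does not tighten it. The `tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65` rules in `allowIncoming`/`allowOutgoing` look like Mullvad's split-tunnel marks; if that is what they are, every TCP flow on ports 0–10999 (22, 80 and 443 included) is routed outside the tunnel, which is surprising enough under a `services.vpn` option to deserve a comment stating the intent, e.g. `# Mark TCP ports 0-10999 so Mullvad routes them outside the tunnel (split tunnel) -- verify marks against the daemon's own ruleset`. A `policy drop` input chain with explicit accepts for the services meant to be reachable would make the "allowAll" posture deliberate rather than implicit. Minor: `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the description should be just `"vpn"` or `"the Mullvad VPN configuration"` rather than `"Whether vpn should be enabled"`. The `counter packets 5 bytes 252` values copied from a live `nft list ruleset` dump are harmless but are noise in a declarative ruleset; plain `counter` would do.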