let allowedIPs = [ "10.100.0.1/24" ]; port = 51820; publicIp = "37.27.207.39"; in { serverModule = { pkgs, config, ... }: { # enable NAT networking.nat.enable = true; networking.nat.externalInterface = "eth0"; networking.nat.internalInterfaces = [ "wg0" ]; networking.firewall = { allowedUDPPorts = [ port ]; }; age.secrets.wg-selene = { file = ../../../keys/wg-selene; owner = "selene"; }; networking.wireguard.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { # Determines the IP address and subnet of the server's end of the tunnel interface. ips = allowedIPs; # The port that WireGuard listens to. Must be accessible by the client. listenPort = port; # This allows the wireguard server to route your traffic to the internet and hence be like a VPN # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients # postSetup = '' # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE # ''; # # This undoes the above command # postShutdown = '' # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE # ''; # Path to the private key file. # # Note: The private key can also be included inline via the privateKey option, # but this makes the private key world-readable; thus, using privateKeyFile is # recommended. privateKeyFile = config.age.secrets.wg-selene.path; peers = [ # List of allowed peers. (import ../../../systems/macbook/wireguard.nix).peerConfig { publicKey = (builtins.readFile ../../../keys/wg-ren.pub); allowedIPs = [ "10.100.0.3/32" ]; } ]; }; }; }; infoForClients = { endpoint = "${publicIp}:${builtins.toString port}"; allowedIPs = allowedIPs; publicKey = builtins.readFile ../../../keys/wg-selene.pub; persistentKeepalive = 25; }; }