From 6c6cfb6da8317055c3ce83e4ef27ece26b6d4ace Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 19 Sep 2023 15:58:42 +0200
Subject: [PATCH] Use snat rule instead if masquerade for wireguard nat

---
 config/hosts/valkyrie/configuration.nix | 2 +-
 config/hosts/valkyrie/services.nix | 1 +
 .../src/wireguard-nat-nftables.py | 20 +++++--------------
 3 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index 116e57d..f4e2db5 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -8,7 +8,7 @@ firewall = {
     enable = true;
     allowedTCPPorts = [ 80 443 ];
-    allowedUDPPorts = [ 51820 51821 51822 51827 51828 ];
+    allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
   };
   wireguard = {
     enable = true;
diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix
index c9b65f2..602c80c 100644
--- a/config/hosts/valkyrie/services.nix
+++ b/config/hosts/valkyrie/services.nix
@@ -3,6 +3,7 @@ let
   wireguard-nat-nftables = import ../../../pkgs/wireguard-nat-nftables pkgs;
   config = pkgs.writeText "wireguard-nat-nftables-config" (builtins.toJSON {
     interface = "ens3";
+    interface_address = "172.16.4.180";
     wg_interface = "wg0";
     pubkey_port_mapping = {
       "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=" = [ 51827 51829 ];
diff --git a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py
index c72869d..c49b4b7 100644
--- a/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py
+++ b/pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py
@@ -12,6 +12,7 @@ def main():
     f.close()
     interface = config["interface"]
+    interface_address = config["interface_address"]
     wg_interface = config["wg_interface"]
     pubkey_port_mapping = config["pubkey_port_mapping"]
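Review bot: The new `interface_address = "172.16.4.180";` in services.nix is a second copy of a fact that lives wherever ens3's address is configured, and the Python side uses it verbatim in an nftables `snat to` rule, so the two can silently drift apart. If the host sets ens3's address elsewhere in this configuration (a static `networking.interfaces` entry, say), reference that value here instead of repeating the literal; if ens3 gets its address by DHCP, a fixed SNAT address is the wrong tool and the commit message should say why masquerade was dropped. At minimum add a comment above the line: `# must match the address configured on ens3; the SNAT rule in wireguard-nat-nftables.py uses it verbatim`. The enclosing `let` block continues past the hunk.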
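Review bot: `interface_address = config["interface_address"]` is taken from the JSON config without any validation, and the second hunk of this file then splices it into an nft command with `.format`, so a typo or an unexpected value only surfaces as a failed (and, as written, unchecked) nft command rather than a clear startup error. Parse it once here so a malformed address aborts with a readable message: `interface_address = str(ipaddress.ip_address(config["interface_address"]))` (with `import ipaddress` added at the top of the file). The same treatment would suit `interface` and `wg_interface`, which are also interpolated into nft strings, but the config is presumably generated by Nix rather than user-supplied, so that is a lower priority. `main()` begins before this hunk.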
@@ -19,30 +20,19 @@ def main():
     nft.set_json_output(True)
     nft.set_handle_output(True)
-    # add nat table rules for dnat and snat masquerade
+    # add nat table rules for dnat and snat
     nft.cmd("add table wireguard-nat")
+    nft.cmd("flush table wireguard-nat")
     nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }")
     nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }")
-
+    nft.cmd("add rule wireguard-nat postrouting oifname {} snat to {}".format(interface, interface_address))
+
     # load current nftables rules
     rc, output, error = nft.cmd("list ruleset")
     if error:
         print(error, file=sys.stderr)
     nftables_output = json.loads(output)
-    add_masquerade = True
-    for item in nftables_output["nftables"]:
-        if ("rule" in item
-            and item["rule"]["family"] == "ip"
-            and item["rule"]["table"] == "wireguard-nat"
-            and item["rule"]["chain"] == "postrouting"
-            and "masquerade" in item["rule"]["expr"][0]
-        ):
-            add_masquerade = False
-            break
-    if add_masquerade:
-        nft.cmd("add rule wireguard-nat postrouting masquerade")
-
     while True:
         # list WireGuard peer endpoint addresses of WireGuard VPN connection
         process = subprocess.Popen(["wg", "show", wg_interface, "endpoints"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
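Review bot: The result of the new `add rule wireguard-nat postrouting oifname {} snat to {}` command is discarded, so if `interface_address` does not parse or the rule is rejected the process keeps running with no SNAT at all and nothing in the log, whereas `list ruleset` a few lines later does check `error`; the same applies to the new `flush table` and the `add chain` lines. Capture and check it: `rc, _, error = nft.cmd("add rule ...".format(interface, interface_address))` followed by `if rc != 0: sys.exit("failed to add snat rule: {}".format(error))`. Two caveats the commit should document in the comment above the rule: unlike the removed `masquerade`, `snat to` a fixed address breaks silently if ens3's address ever changes, and the rule rewrites every packet leaving ens3, not only traffic that arrived over the VPN, so consider narrowing it with `iifname {}` for `wg_interface` if that is the intent. With the masquerade-detection loop gone, `nftables_output` is no longer used inside this hunk; if nothing below the hunk reads it, the `json.loads` can go too. `main()` starts before and continues after this hunk.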