authorMark Nipper <nipsy@bitgnome.net>2024-10-13 02:34:01 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-10-13 02:34:01 -0700
commita2201eaa979e6e852e0dd519ca5c5dc43ad3b48f (patch)
treedacb626e82892dd0b779074f4464c04be323452d
parent7084b04dd487b45abbd67976e232f2dbb13f463e (diff)
Add initial VPN support @arrakis
-rw-r--r--home/root/arrakis.nix71
-rw-r--r--hosts/arrakis/default.nix58
-rw-r--r--hosts/secrets/arrakis.yaml5
3 files changed, 131 insertions, 3 deletions
diff --git a/home/root/arrakis.nix b/home/root/arrakis.nix
index 83c92cd..d23549a 100644
--- a/home/root/arrakis.nix
+++ b/home/root/arrakis.nix
@@ -1,6 +1,75 @@
-{ inputs, lib, pkgs, config, outputs, ... }:
+{ config, inputs, lib, outputs, pkgs, ... }:
{
imports = [
common/core
];
+
+ home.file = {
+ "bin/vpnctl" = {
+ executable = true;
+ text = ''
+ #!/usr/bin/env zsh
+
+ function status_vpn {
+
+ ip netns exec vpn su -c 'curl -m 10 -s https://bitgnome.net/ip/ | grep REMOTE_ADDR' nipsy
+ ip netns exec vpn su -c 'curl -m 10 -s https://www.cloudflarestatus.com | grep "Cloudflare Status"' nipsy
+
+ }
+
+ function start_vpn {
+
+ ip netns add vpn
+ ip link add veth.host type veth peer veth.vpn
+ ip link set dev veth.host up
+ ip link set veth.vpn netns vpn up
+ ip -n vpn address add 192.168.1.3/24 dev veth.vpn
+ ip route add 192.168.1.3/32 dev veth.host
+ ip link add wg1 type wireguard
+ ip link set wg1 netns vpn
+ ip -n vpn -4 address add $(grep ^#Address /run/secrets/wireguard/wg1_conf | cut -d= -f2 | cut -d, -f1 | xargs) dev wg1
+ ip netns exec vpn wg setconf wg1 /run/secrets/wireguard/wg1_conf
+ ip -n vpn link set wg1 up
+ ip -n vpn route add default dev wg1
+ ip netns exec vpn nft -f /etc/nftables-vpn.conf
+
+ }
+
+ function stop_vpn {
+
+ #systemctl stop qbittorrent-nox@nipsy.service prowlarr.service
+ ip netns del vpn
+ ip link del veth.host
+
+ }
+
+ if [[ -z "${1}" || "${1}" == "status" ]]; then
+
+ status_vpn
+
+ elif [[ "${1}" == "restart" ]]; then
+
+ stop_vpn
+ sleep 2
+ start_vpn
+ #systemctl start qbittorrent-nox@nipsy.service prowlarr.service
+
+ elif [[ "${1}" == "restart_firewall" ]]; then
+
+ ip netns exec vpn nft -f /etc/nftables-vpn.conf
+
+ elif [[ "${1}" == "start" ]]; then
+
+ start_vpn
+
+ elif [[ "${1}" == "stop" ]]; then
+
+ stop_vpn
+
+ fi
+
+ exit 0
+ '';
+ };
+ }:
}
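Review bot: The line closing `home.file` just before the final `}` reads `}:` but should be `};`; with a colon the attribute set is parsed as a lambda pattern (and one with a string key at that), so the home module for this host will fail to evaluate rather than install `bin/vpnctl`. Separately, the embedded vpnctl script runs every step of `start_vpn` unconditionally and always ends in `exit 0`, so a failed `wg setconf` or `nft -f` — for instance when `/run/secrets/wireguard/wg1_conf` is unreadable, or carries no `#Address` line for the `grep`/`cut` pipeline to extract — still reports success even though the namespace may be left without the firewall that is meant to act as the kill switch. Adding `set -o errexit -o pipefail` after the shebang, or at minimum checking the exit status of `wg setconf` and `nft -f` before the default route is added, would surface that failure to the caller.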
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index b8aa5e6..1e9641f 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -1,6 +1,10 @@
{ config, pkgs, ... }: {
boot = {
initrd.kernelModules = [ "zfs" ];
+ kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.proxy_arp" = 1;
+ };
kernelPackages = pkgs.linuxPackages_6_10;
loader = {
efi = {
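Review bot: `net.ipv4.ip_forward` and `net.ipv4.conf.all.proxy_arp` are host-wide settings, so after this change the host forwards packets between any of its interfaces and answers ARP on behalf of reachable addresses on every interface, not only on the veth pair the vpn namespace needs. The `chain forward { ... policy drop; }` added later in this commit is loaded inside the vpn namespace by `ip netns exec vpn nft -f`, so it does not constrain the host's own forwarding; whether the host's firewall restricts forwarding is not visible in this diff and is worth confirming. A short comment recording the reason, e.g. `# host routes/ARPs for the vpn netns address on veth.host (see vpnctl)`, would keep the next reader from narrowing or dropping these without knowing what depends on them.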
@@ -18,6 +22,59 @@
supportedFilesystems = [ "zfs" ];
};
+ environment.etc."nftables-vpn.conf".text = ''
+ # VPN firewall
+
+ flush ruleset
+
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ # established/related connections
+ ct state established,related accept
+
+ # invalid connections
+ ct state invalid drop
+
+ # loopback interface
+ iif lo accept
+
+ # ICMP (routers may also want: mld-listener-query, nd-router-solicit)
+ #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept
+
+ # services
+ iif veth.vpn tcp dport 8080 accept # qBittorrent
+ iif veth.vpn tcp dport 9696 accept # Prowlarr
+ iifname wg1 tcp dport { 49152-65535 } accept # Transmission
+ }
+
+ chain output {
+ type filter hook output priority filter; policy drop;
+
+ # explicitly allow my DNS traffic without VPN
+ skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept
+ skuid nipsy ip daddr 192.168.1.1 udp dport domain accept
+
+ # explicitly allow my traffic without VPN
+ oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent
+ oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr
+ oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr }
+
+ # allow any traffic out through VPN
+ oifname wg1 accept
+
+ # drop everything else
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
+ }
+ '';
+
environment.systemPackages = with pkgs; [
signal-desktop
wpa_supplicant
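Review bot: The input chain matches `iif veth.vpn` by interface index while the neighbouring rules use `iifname wg1` and `oifname veth.vpn`; `iif` is resolved to an ifindex when the ruleset is loaded, so the rule fails to load if the interface does not exist yet and goes stale if the veth is later recreated without reloading the ruleset. The vpnctl restart path recreates the namespace before loading the file, so it works today, but `iifname veth.vpn tcp dport 8080 accept` (and likewise for 9696) is robust to ordering and consistent with the rest of the file. The `# Transmission` comment on the `iifname wg1 tcp dport { 49152-65535 }` rule disagrees with the qBittorrent service this commit refers to elsewhere; if the range is qBittorrent's inbound listen range the comment should say so, and if it is a leftover the rule is worth revisiting since it opens a wide inbound range from the tunnel. Note also that the `skuid nipsy ... 192.168.1.1 ... dport domain accept` rules intentionally send DNS outside the tunnel, as the comment states; a reader may want the comment to spell out that this is a deliberate leak rather than an oversight.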
@@ -143,6 +200,7 @@
"wireguard/ramped_psk" = {};
"wireguard/timetrad_psk" = {};
"wireguard/treebeard_psk" = {};
+ "wireguard/wg1_conf" = {};
"wpa_supplicant" = {};
};
};
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
index 57cb20d..60677e1 100644
--- a/hosts/secrets/arrakis.yaml
+++ b/hosts/secrets/arrakis.yaml
@@ -10,6 +10,7 @@ wireguard:
ramped_psk: ENC[AES256_GCM,data:TCeXW9SWFEq7H7YdEE4E7gLoMC8F4GwSPBtvh8Zv6OQ3Ni0LdZBH9IHmPT4=,iv:U33J1eusuCiC41zla2ieIFKzmmgL/TlkLmH/5El3u4s=,tag:Z4QzImR0T2XzdI26nlX+/Q==,type:str]
timetrad_psk: ENC[AES256_GCM,data:zAOHUlk6VJd+w6ePcDAPhpmPmlogwqUh5zhDpnW7cbXflIdLtFN9YQbOYtc=,iv:DpqIP+uTxRY7Dl0WwOvAr/dDFeARCVZKNKKKCrgOkYA=,tag:IP+nUZS3klUvHNzbgS4IjQ==,type:str]
treebeard_psk: ENC[AES256_GCM,data:EjzdD4siZfCkwd6pX82C2HP8I0avKjStv6fleURD2cPkGmBFDH//MLYcY/k=,iv:yCc+U3+kAzOroOxO04EKVrbuqr85Y8cZ343UN4s3nBg=,tag:r5piVnM+Q5+0HRRMpVwmSA==,type:str]
+ wg1_conf: ENC[AES256_GCM,data:F1WdY74FFVkNcEiPDZkqDRWmzD61qzs46+J14d3WEenZSPLpQ0TYcDDOaN0zdy4Vm06Keyj/0r4LN8aYVLEkFAmx8n652q1m/XqeCMeavPBl+FsX67JtTuHo8R85CZoieF6XV74YYriqCLk/Iz8NV1oDQrC2SuCYMb1pO/P0hXgR63glSmjrM94klt9+Bte1aQYRLXlZe1Lou1Ifju5qnTa6VY6fOra6UYGjUpMP+HW0VzMVT8P4Yvmi4VhFOYeKJCdSGS3TBELv3jOdY/txrJRThe33FAWQfA/l6btKhV2iyyF7tPKdROSXgmJBd3kTYbyBWEWWICLIel3aChRElSazksRprF8TF7NDS2kYlA==,iv:xHk0ZceFzeSKHHdpRU6unquetUfdkJCzIC29HnQf3Fo=,tag:i/dvZsVkUUl0gmLyIRpSIA==,type:str]
wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
sops:
kms: []
@@ -35,8 +36,8 @@ sops:
ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-13T08:39:41Z"
- mac: ENC[AES256_GCM,data:+MnJGp0Oi3eXCDgFa6Jl7v+U1X8iSvBTiZT/Et2O3Z5YKKSpjSyuOUp4wxvUKC1w7lwLCPil3TuanEmB5j9fCPFLd4vRqb1bwPy4x9AoJGCut1jDIT+ywSVjhN2jV4Mg1RbCXHRJN/QhSylXuBhDYIVF9mriGamY2ZiRra+Z7Is=,iv:STqOryc9DWJETRLYy6A1Z6DRdxK6/cDRurpmUYml3JU=,tag:rH+NLwBOiIoHc9HmzXthvA==,type:str]
+ lastmodified: "2024-10-13T09:11:08Z"
+ mac: ENC[AES256_GCM,data:WT5dVkvOFd8VH0s8INFIR6LBlxRFcTV34clbiYXZDziBXsffqOM6zABBEMM+a5frDtH3GRNVNPtX7mgYqUAtkTmAz/Nfhg1jSKbaA7bKTBJX3uqWn+03hojC0+whaji4nH5St70QY9rOOHzQ0J7prQZKvpBC1iBUJoRkqXnfqpo=,iv:qi1wliYqv1doBRqRj9vA8w3MxLF436qSK17OwqbCkUk=,tag:qiW8uXA8mW5u/lm1aaYuog==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1