Compare commits

..

2 commits

Author SHA1 Message Date
chayleaf 39bb1f8750
router: add ping-ipv6 hack 2024-07-14 06:56:22 +07:00
chayleaf a6a9b5be12
router: enable ipv6 forwarding in wan netns 2024-07-14 06:41:26 +07:00
2 changed files with 20 additions and 3 deletions

View file

@ -510,11 +510,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720021052, "lastModified": 1720913908,
"narHash": "sha256-tu8IQn8Kj7S0xRg0L2ej7S65FzXqSX7LI7M2pbLdQJU=", "narHash": "sha256-AZ0AcL1ze6gS8EmwRpuR04MXCLb/NDLjp9n+Gs4IhFQ=",
"owner": "chayleaf", "owner": "chayleaf",
"repo": "nixos-router", "repo": "nixos-router",
"rev": "4c132c4c5fc09b3c3317b960ec1533c4a5ebe41f", "rev": "38088dc1745350db709e9f2cf777979b5217f671",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -718,6 +718,10 @@ in {
]; ];
}; };
router.networkNamespaces.wan = { router.networkNamespaces.wan = {
sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
# this is the even more boring nftables config # this is the even more boring nftables config
nftables.jsonRules = let nftables.jsonRules = let
wans = [ "wan" ] ++ lib.optional (cfg.vpn.tunnel.mode == "sit") "sittun0"; wans = [ "wan" ] ++ lib.optional (cfg.vpn.tunnel.mode == "sit") "sittun0";
@ -788,6 +792,19 @@ in {
interfaceNamespace = "init"; interfaceNamespace = "init";
}); });
# see https://pavluk.org/blog/2022/01/26/nixos_router.html
# (ipv6 doesn't work without this, for whatever reason)
systemd.services.ping-ipv6 = {
after = [ "network.target" "netns-wan.service" ];
wants = [ "netns-wan.service" ];
wantedBy = [ "default.target" ];
serviceConfig = {
ExecStart = "${pkgs.iputils}/bin/ping -q ${netAddresses.netnsWan6}";
Restart = "on-failure";
RestartSec = "30s";
};
};
systemd.services.vpn-tunnel = lib.mkIf (cfg.vpn.tunnel.mode == "ssh") { systemd.services.vpn-tunnel = lib.mkIf (cfg.vpn.tunnel.mode == "ssh") {
description = "VPN Tunnel"; description = "VPN Tunnel";
wantedBy = [ wantedBy = [