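{ config, pkgs, ... }:

# VPN setup for this host: Mullvad (WireGuard, quantum-resistant handshake,
# lockdown mode) carries all traffic, with Tailscale carved out so the tailnet
# keeps working while the Mullvad tunnel is up.
{
  # Mullvad account number, decrypted by agenix at activation time.
  age.secrets.mullvad.file = ../secrets/mullvad.age;

  networking.wireguard.enable = true;
  services.tailscale.enable = true;
  services.mullvad-vpn.enable = true;

  # NOTE(review): a trusted interface bypasses the NixOS firewall entirely, so
  # every listening service on this host is reachable from every tailnet peer.
  # That is only as safe as the tailnet's ACLs; prefer
  # networking.firewall.interfaces.tailscale0.allowedTCPPorts / allowedUDPPorts
  # if the host runs services that should not be tailnet-wide.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  # Re-apply the daemon settings after every start so a setting changed by
  # hand (e.g. lockdown mode switched off while debugging) cannot silently
  # persist across restarts. NixOS runs postStart with `set -e`, so a failing
  # `mullvad` call fails the unit instead of leaving a half-configured daemon.
  systemd.services."mullvad-daemon" = {
    # Hand the account number to the unit via systemd credentials rather than
    # an environment variable or a world-readable path; it is exposed to this
    # unit only, under $CREDENTIALS_DIRECTORY.
    serviceConfig.LoadCredential =
      [ "account:${config.age.secrets.mullvad.path}" ];

    postStart = ''
      # The management socket comes up a moment after the process does; poll
      # until the CLI can reach it. TimeoutStartSec still bounds this wait.
      while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done

      # Fail closed first: with lockdown mode on, traffic is blocked whenever
      # the tunnel is down, including during the login/connect steps below.
      ${pkgs.mullvad}/bin/mullvad lockdown-mode set on
      ${pkgs.mullvad}/bin/mullvad auto-connect set on
      # Use Mullvad's in-tunnel resolver; no custom upstream DNS that could leak.
      ${pkgs.mullvad}/bin/mullvad dns set default
      # Deliberate hole: traffic to the local network bypasses the tunnel, so
      # anything on the LAN can see this host's real address. As I understand
      # it, this allow-list does not cover the CGNAT range Tailscale uses, which
      # is why the explicit nftables exclusion below is still required.
      ${pkgs.mullvad}/bin/mullvad lan set allow
      ${pkgs.mullvad}/bin/mullvad tunnel set ipv6 on
      ${pkgs.mullvad}/bin/mullvad tunnel set wireguard --quantum-resistant=on
      ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
      ${pkgs.mullvad}/bin/mullvad relay set location de ber

      # Log in only when the daemon is not already on this account, so the
      # account number does not land in argv/journal on every restart.
      # The parse assumes `mullvad account get` prints a line containing
      # "account:" followed by the number -- verify against the CLI version in
      # use; a mismatch only causes a redundant login, never a skipped one.
      account="$(<"$CREDENTIALS_DIRECTORY/account")"
      current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
      if [[ "$current_account" != "$account" ]]; then
        # NOTE(review): the number is briefly visible in the process list here;
        # acceptable on a single-user host, otherwise feed it via stdin if the
        # CLI version in use supports that.
        ${pkgs.mullvad}/bin/mullvad account login "$account"
      fi
    '';
  };

  # Exclude Tailscale from the Mullvad tunnel.
  # Mullvad's split tunneling acts on packets carrying conntrack mark 0xf41 and
  # fwmark 0x6d6f6c65 ("mole"): marked traffic is routed outside the tunnel and
  # passed by Mullvad's own firewall. These values are Mullvad-internal --
  # re-check them whenever the mullvad package is bumped.
  networking.firewall.extraCommands = ''
    ${pkgs.nftables}/bin/nft -f ${
      pkgs.writeText "mullvad-incoming" ''
        # Recreate the table from scratch: the NixOS firewall re-runs this
        # script on every reload, and `nft -f` would otherwise append a second
        # copy of every rule each time. The empty declaration makes the delete
        # succeed on a fresh boot as well.
        table inet allow-tailscale {}
        delete table inet allow-tailscale

        table inet allow-tailscale {
          # Tailscale MagicDNS answers at 100.100.100.100 (the original rule
          # said 100.00.100.100, which is a different address and is assumed
          # to be a typo). Marked in the filter output hook at a priority ahead
          # of Mullvad's DNS-leak rules.
          chain exclude-dns {
            type filter hook output priority -10; policy accept;
            ip daddr 100.100.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr 100.100.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }

          # Anything addressed to the tailnet (CGNAT v4 range, Tailscale ULA v6
          # prefix) is routed outside the Mullvad tunnel.
          chain exclude-outgoing {
            type route hook output priority 0; policy accept;
            ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }

          # Replies to connections arriving over tailscale0 must leave the same
          # way rather than via the tunnel, so mark those conntrack entries too.
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
            iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      ''
    }
  '';

  # Drop the table when the firewall stops so nothing stale survives a
  # stop/start cycle; "no such table" on a fresh boot is not an error.
  networking.firewall.extraStopCommands = ''
    ${pkgs.nftables}/bin/nft delete table inet allow-tailscale 2>/dev/null || true
  '';
}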