feat(vpn): fully replace Mullvad VPN with Tailscale

2024-01-06 03:06:53 +01:00 · 2024-01-06 03:06:53 +01:00 · 4c32137982
parent 5fe226434d
commit 4c32137982
9 changed files with 28 additions and 88 deletions
--- a/home/desktop/gnome.nix
+++ b/home/desktop/gnome.nix
@ -103,5 +103,10 @@ in {
      schedule-start-hours = 23;
      schedule-end-hours = 6;
    };
    "org/gnome/shell/extensions/tailscale-status" = {
      # TODO 0 should disable refresh, but it doesn't work in this version
      # refresh-interval = 0;
      refresh-interval = 120;
    };
  };
 }
--- a/home/felschr-work.nix
+++ b/home/felschr-work.nix
@ -5,7 +5,6 @@ with pkgs; {
    ./shell
    ./editors
    ./desktop
    ./vpn.nix
    ./git.nix
    ./keybase.nix
    ./element.nix
--- a/home/felschr.nix
+++ b/home/felschr.nix
@ -6,7 +6,6 @@
    ./editors
    ./desktop
    ./desktop/monitors.nix
    ./vpn.nix
    ./git.nix
    ./keybase.nix
    ./element.nix
--- a/home/vpn.nix
+++ b/home/vpn.nix
@ -1,9 +0,0 @@
 { pkgs, ... }:
 with pkgs; {
  home.packages = with pkgs; [ mullvad-vpn ];
  # autostart
  xdg.configFile."autostart/mullvad-vpn.desktop".source =
    "${mullvad-vpn}/share/applications/mullvad-vpn.desktop";
 }
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@ -50,6 +50,11 @@ in {
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "dev@felschr.com";
  security.acme.certs = builtins.foldl' (r: domain:
    r // {
      ${domain}.extraDomainNames =
        [ "${config.networking.hostName}.tail05275.ts.net" ];
    }) { } config.services.inadyn.domains;
  services.inadyn.enable = true;
  services.inadyn.provider = "cloudflare.com";
--- a/secrets/mullvad.age
+++ b/secrets/mullvad.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -13,7 +13,6 @@ let
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEucfNzPbDRdDjTaLG3PzN4lAzDAq3QUkaLvaRjjsCY";
  systems = [ home-pc home-server pilot1 ];
 in {
  "mullvad.age".publicKeys = [ felschr home-pc home-server pilot1 ];
  "restic/b2.age".publicKeys = [ felschr home-pc home-server pilot1 ];
  "restic/password.age".publicKeys = [ felschr home-pc home-server pilot1 ];
  "smtp.age".publicKeys = [ felschr home-pc home-server ];
--- a/system/server.nix
+++ b/system/server.nix
@ -1,29 +1,8 @@
-{ config, pkgs, ... }:
+{ ... }:
 {
  imports = [ ./common.nix ./vpn.nix ];
  # use xserver without display manager
  services.xserver.displayManager.startx.enable = true;
  # Allow web server to be accessible outside of Mullvad VPN
  networking.firewall.extraCommands = ''
    ${pkgs.nftables}/bin/nft -f ${
      pkgs.writeText "mullvad-incoming" ''
        table inet allow-incoming-traffic {
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
            tcp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            udp dport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
          chain allow-outgoing {
            type route hook output priority -100; policy accept;
            tcp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            udp sport {80, 443} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      ''
    }
  '';
 }
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -1,67 +1,30 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
-let tailscaleInterface = config.services.tailscale.interfaceName;
+let
  cfg = config.services.tailscale;
  tailscaleInterface = cfg.interfaceName;
 in {
  age.secrets.mullvad.file = ../secrets/mullvad.age;
  networking.wireguard.enable = true;
  networking.firewall.trustedInterfaces = [ tailscaleInterface ];
  services.tailscale = {
    enable = true;
-    # authKeyFile = ; # TODO add this to create auto-connect systemd job
+    authKeyFile = "/dummy";
    openFirewall = true;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--reset"
      "--accept-routes"
      "--exit-node=de-ber-wg-004.mullvad.ts.net"
      "--exit-node-allow-lan-access"
    ];
  };
-  services.mullvad-vpn.enable = true;
+  # call taiscale up without --auth-key
-
+  systemd.services.tailscaled-autoconnect.script = ''
-  # set some options after every daemon start
+    status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
-  # to avoid accidentally leaving unsafe settings
+    if [[ $status != Connected* ]]; then
-  systemd.services."mullvad-daemon" = {
+      ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
-    serviceConfig.LoadCredential =
+    fi
      [ "account:${config.age.secrets.mullvad.path}" ];
    postStart = ''
      while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
      ${pkgs.mullvad}/bin/mullvad lockdown-mode set on
      ${pkgs.mullvad}/bin/mullvad auto-connect set on
      ${pkgs.mullvad}/bin/mullvad dns set default
      ${pkgs.mullvad}/bin/mullvad lan set allow
      ${pkgs.mullvad}/bin/mullvad tunnel set ipv6 on
      ${pkgs.mullvad}/bin/mullvad tunnel set wireguard --quantum-resistant=on
      ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
      ${pkgs.mullvad}/bin/mullvad relay set location de ber
      account="$(<"$CREDENTIALS_DIRECTORY/account")"
      current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
      if [[ "$current_account" != "$account" ]]; then
        ${pkgs.mullvad}/bin/mullvad account login "$account"
      fi
    '';
  };
  # Exclude Tailscale from Mullvad VPN
  networking.firewall.extraCommands = ''
    ${pkgs.nftables}/bin/nft -f ${
      pkgs.writeText "mullvad-incoming" ''
        table inet allow-tailscale {
          chain exclude-dns {
            type filter hook output priority -10; policy accept;
            ip daddr 100.00.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr 100.00.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
          chain exclude-outgoing {
            type route hook output priority 0; policy accept;
            ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
            iifname "${tailscaleInterface}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      ''
    }
  '';
 }