feat(vpn): improve tailscale config

2023-12-27 18:03:57 +01:00 · 2023-12-27 18:03:57 +01:00 · 6ca1656297
parent bdbb43b09d
commit 6ca1656297
3 changed files with 19 additions and 5 deletions
--- a/hosts/home-pc.nix
+++ b/hosts/home-pc.nix
@ -40,6 +40,8 @@
    };
  };

+  services.tailscale.extraUpFlags = [ "--advertise-routes=192.168.1.0/24" ];
+
  networking.firewall.allowedUDPPorts = [
    24727 # AusweisApp2
  ];
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@ -113,6 +113,12 @@ in {
    inherit hostKeys;
  };

+  services.tailscale.extraUpFlags = [
+    "--advertise-routes=192.168.1.0/24"
+    "--advertise-tags=tag:felschr-com"
+    "--advertise-connector"
+  ];
+
  # ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
  boot.initrd.availableKernelModules = [ "igb" ];
  boot.initrd.network = {
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -1,15 +1,21 @@
 { config, pkgs, ... }:

-{
+let tailscaleInterface = config.services.tailscale.interfaceName;
+in {
  age.secrets.mullvad.file = ../secrets/mullvad.age;

  networking.wireguard.enable = true;
+  networking.firewall.trustedInterfaces = [ tailscaleInterface ];
+
+  services.tailscale = {
+    enable = true;
+    # authKeyFile = ; # TODO add this to create auto-connect systemd job
+    openFirewall = true;
+    useRoutingFeatures = "both";
+  };

-  services.tailscale.enable = true;
  services.mullvad-vpn.enable = true;

-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
-
  # set some options after every daemon start
  # to avoid accidentally leaving unsafe settings
  systemd.services."mullvad-daemon" = {
@ -52,7 +58,7 @@
          }
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
-            iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            iifname "${tailscaleInterface}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      ''