feat: use network namespace for wireguard

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-11 23:14:49 +02:00 · 2025-09-11 23:14:49 +02:00 · ded73650a9
commit ded73650a9
parent a767bcc039
1 changed files with 41 additions and 22 deletions
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@ -35,33 +35,51 @@
    address = [
      "2a01:4f8:c013:7fc0::/64"
    ];
-
-    routingPolicyRules = [
-      {
-        From = "10.64.244.95/32";
-        Table = "vpn";
-      }
-      {
-        From = "fc00:bbbb:bbbb:bb01::1:f45e/128";
-        Table = "vpn";
-      }
-      {
-        User = config.users.users.vpn.uid;
-        Table = "vpn";
-        Family = "both";
-      }
-    ];
  };

-  users.groups.vpn = { };
-  users.users.vpn = {
-    isSystemUser = true;
-    group = "vpn";
-    uid = 51280;
+  systemd.services."netns@" = {
+    description = "Network namespace %i";
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip netns add %i";
+      ExecStop = "${pkgs.iproute2}/bin/ip netns del %i";
+    };
  };

+  systemd.services."veth-setup@" = {
+    description = "Setup veth pair for %i namespace";
+    after = [ "netns@%i.service" ];
+    requires = [ "netns@%i.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = ''
+        ${pkgs.iproute2}/bin/ip link add veth-%i type veth peer name veth-ns-%i
+        ${pkgs.iproute2}/bin/ip link set veth-ns-%i netns %i
+        ${pkgs.iproute2}/bin/ip link set veth-%i up
+        ${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip link set veth-ns-%i up
+        ${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip addr add 10.0.0.2/24 dev veth-ns-%i
+        ${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip route add default via 10.0.0.1
+      '';
+      ExecStop = "${pkgs.iproute2}/bin/ip link del veth-%i";
+    };
+  };
+
+  systemd.network.networks."50-veth" = {
+    matchConfig.Name = "veth-*";
+    networkConfig = {
+      Address = "10.0.0.1/24";
+    };
+  };
+
+  systemd.services."wireguard-wg0".requires = [
+    "netns@vpn.service"
+    "veth-setup@vpn.service"
+  ];
  networking.wireguard = {
    enable = true;
+    useNetworkd = false;

    interfaces.wg0 = {
      ips = [
@ -83,7 +101,8 @@

      listenPort = 51820;
      privateKeyFile = config.sops.secrets.wireguardKey.path;
-      table = "133";
+      socketNamespace = "init";
+      interfaceNamespace = "vpn";
    };
  };