authorevujumenuk <evujumenuk@mailinator.com>2017-08-04 18:30:53 +0200
committerGitHub <noreply@github.com>2017-08-04 18:30:53 +0200
commite355f7044d7efaa49761bc4d4f43e94b0f2f3ab2 (patch)
tree4eb3d95e1f3c4b11f5b31aba7ed3e82f6ae9b30f /nixos/modules/services/networking
parent53bd6cf417c82203d67e2a25611b05c119dc6d16 (diff)
wireguard: add per-peer routing table option
This adds a convenient per-peer option to set the routing table that the peer's associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and for forcing all traffic of a virtual interface (or of a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through WireGuard.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/wireguard.nix19
1 files changed, 15 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index be832ea45d8f..f76909af4caa 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -160,6 +160,14 @@ let
         interval of 25 seconds; however, most users will not need this.'';
       };
 
+      table = mkOption {
+        default = "main";
+        type = types.str;
+        description = ''The kernel routing table to add this peer's associated
+        routes to. Setting this is useful for e.g. policy routing ("ip rule")
+        or virtual routing and forwarding ("ip vrf"). Both numeric table IDs
+        and table names (/etc/rt_tables) can be used. Defaults to "main".'';
+      };
     };
 
   };
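Review bot: `table` is an unconstrained `types.str` whose value is spliced verbatim into the `ip route replace` command line in the second hunk (`table ${peer.table}`), so an empty string or a value containing whitespace or shell metacharacters yields a malformed or different command at interface setup time (presumably run as root) instead of an evaluation-time error. Since `mkOption` and `types` are used unqualified here, `lib` appears to be in scope, so the value could be quoted with `table ${escapeShellArg peer.table}` in the second hunk, or the type narrowed to something that only admits numeric IDs and plain table names. The last sentence of the description, `Defaults to "main".`, duplicates the `default` attribute that the option documentation already renders and can be dropped; it would be more useful to note that a named table must exist in /etc/rt_tables. The enclosing peer option set starts before this hunk.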
@@ -207,9 +215,11 @@ let
 
             "${ipCommand} link set up dev ${name}"
 
-            (map (peer: (map (ip:
-            "${ipCommand} route replace ${ip} dev ${name}"
-            ) peer.allowedIPs)) values.peers)
+            (map (peer:
+            (map (allowedIP:
+            "${ipCommand} route replace ${allowedIP} dev ${name} table ${peer.table}"
+            ) peer.allowedIPs)
+            ) values.peers)
 
             values.postSetup
           ]);
@@ -240,7 +250,8 @@ in
             peers = [
               { allowedIPs = [ "192.168.20.1/32" ];
                 publicKey  = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
-                endpoint   = "demo.wireguard.io:12913"; }
+                endpoint   = "demo.wireguard.io:12913";
+                table      = "42"; }
             ];
           };
         };