feat: add proxy-home vpn to accelerate traffic between local nodes

2025-10-10 23:00:39 +02:00 · 2024-05-20 01:35:01 +02:00 · 2024-05-20 01:35:01 +02:00 · b01c521830
commit b01c521830
parent 34fd783e60
22 changed files with 123 additions and 10 deletions
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -9,6 +9,10 @@ in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
+  };
+
+  wireguard.proxy-home = {
+    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
  };

@ -82,7 +86,7 @@ in {
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.grafana = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
+        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
        extraConfig = ''
          zone grafana 64k;
          keepalive 2;
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -360,8 +360,9 @@ in {
  ];

  nodes.sentinel = {
-    # Make sure to masquerade 25565 (wan) -> 25565 (proxy-sentinel)
-    # Make sure to masquerade 25566 (wan) -> 25566 (proxy-sentinel)
+    # Rewrite destination addr with dnat on incoming connections
+    # and masquerade responses to make them look like they originate from this host.
+    # - 25565,25566 (wan) -> 25565,25566 (proxy-sentinel)
    networking.nftables.chains = {
      postrouting.to-minecraft = {
        after = ["hook"];
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -84,11 +84,11 @@ in {
        # Use the local mirror-proxy for some services (not necessary, just for speed)
        {
          domain = nodes.sentinel.config.networking.providedDomains.grafana;
-          answer = "192.168.1.1";
+          answer = "192.168.1.4"; # web-proxy
        }
        {
          domain = nodes.sentinel.config.networking.providedDomains.immich;
-          answer = "192.168.1.1";
+          answer = "192.168.1.4"; # web-proxy
        }
      ];
      filters = [
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -29,7 +29,9 @@ in {
  nodes.sentinel = {
    networking.providedDomains.forgejo = forgejoDomain;

-    # Make sure to masquerade 9922 (wan) -> 22 (proxy-sentinel)
+    # Rewrite destination addr with dnat on incoming connections
+    # and masquerade responses to make them look like they originate from this host.
+    # - 9922 (wan) -> 22 (proxy-sentinel)
    networking.nftables.chains = {
      postrouting.to-forgejo = {
        after = ["hook"];
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -1,6 +1,8 @@
 {config, ...}: let
  inherit (config.repo.secrets.local) acme;
 in {
+  wireguard.proxy-home.client.via = "ward";
+
  age.secrets.acme-cloudflare-dns-token = {
    rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
    mode = "440";
@ -27,10 +29,6 @@ in {
    inherit (acme) certs wildcardDomains;
  };

-  #nodes.sentinel = {
-  #  # port forward 80,443 (ward) to 80,443 (web-proxy)
-  #};
-
  users.groups.acme.members = ["nginx"];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -7,6 +7,7 @@
  inherit (lib) net;
  lanCidrv4 = "192.168.1.0/24";
  dnsIp = net.cidr.host 3 lanCidrv4;
+  webProxyIp = net.cidr.host 4 lanCidrv4;
 in {
  # TODO make meta.kea module?
  # TODO reserve by default using assignIps algo?
@ -49,6 +50,10 @@ in {
              hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
              ip-address = dnsIp;
            }
+            {
+              hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
+              ip-address = webProxyIp;
+            }
            {
              hw-address = nodes.sire-samba.config.lib.microvm.mac;
              ip-address = net.cidr.host 10 lanCidrv4;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -111,6 +111,20 @@ in {
        verdict = "accept";
      };

+      lan-to-local = {
+        from = ["lan"];
+        to = ["local"];
+
+        allowedUDPPorts = [config.wireguard.proxy-home.server.port];
+      };
+
+      # Forward traffic between participants
+      forward-proxy-home-vpn-traffic = {
+        from = ["proxy-home"];
+        to = ["proxy-home"];
+        verdict = "accept";
+      };
+
      #masquerade-vpn = {
      #  from = ["wg-home"];
      #  to = ["lan"];
@ -135,4 +149,11 @@ in {
  #  reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
  #  openFirewall = true;
  #};
+
+  wireguard.proxy-home.server = {
+    host = "192.168.1.1";
+    port = 51444;
+    reservedAddresses = ["10.44.0.0/24" "fd00:44::/120"];
+    openFirewall = false; # Explicitly opened only for lan
+  };
 }