feat: add proxy-home vpn to accelerate traffic between local nodes

2024-05-20 01:35:01 +02:00 · 2024-05-20 01:35:01 +02:00 · b01c521830
commit b01c521830
parent 34fd783e60
22 changed files with 123 additions and 10 deletions
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -9,6 +9,10 @@ in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
+  };
+
+  wireguard.proxy-home = {
+    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
  };

@ -82,7 +86,7 @@ in {
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams.grafana = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
+        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
        extraConfig = ''
          zone grafana 64k;
          keepalive 2;
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -360,8 +360,9 @@ in {
  ];

  nodes.sentinel = {
-    # Make sure to masquerade 25565 (wan) -> 25565 (proxy-sentinel)
-    # Make sure to masquerade 25566 (wan) -> 25566 (proxy-sentinel)
+    # Rewrite destination addr with dnat on incoming connections
+    # and masquerade responses to make them look like they originate from this host.
+    # - 25565,25566 (wan) -> 25565,25566 (proxy-sentinel)
    networking.nftables.chains = {
      postrouting.to-minecraft = {
        after = ["hook"];
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -84,11 +84,11 @@ in {
        # Use the local mirror-proxy for some services (not necessary, just for speed)
        {
          domain = nodes.sentinel.config.networking.providedDomains.grafana;
-          answer = "192.168.1.1";
+          answer = "192.168.1.4"; # web-proxy
        }
        {
          domain = nodes.sentinel.config.networking.providedDomains.immich;
-          answer = "192.168.1.1";
+          answer = "192.168.1.4"; # web-proxy
        }
      ];
      filters = [
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -29,7 +29,9 @@ in {
  nodes.sentinel = {
    networking.providedDomains.forgejo = forgejoDomain;

-    # Make sure to masquerade 9922 (wan) -> 22 (proxy-sentinel)
+    # Rewrite destination addr with dnat on incoming connections
+    # and masquerade responses to make them look like they originate from this host.
+    # - 9922 (wan) -> 22 (proxy-sentinel)
    networking.nftables.chains = {
      postrouting.to-forgejo = {
        after = ["hook"];
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -1,6 +1,8 @@
 {config, ...}: let
  inherit (config.repo.secrets.local) acme;
 in {
+  wireguard.proxy-home.client.via = "ward";
+
  age.secrets.acme-cloudflare-dns-token = {
    rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
    mode = "440";
@ -27,10 +29,6 @@ in {
    inherit (acme) certs wildcardDomains;
  };

-  #nodes.sentinel = {
-  #  # port forward 80,443 (ward) to 80,443 (web-proxy)
-  #};
-
  users.groups.acme.members = ["nginx"];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -7,6 +7,7 @@
  inherit (lib) net;
  lanCidrv4 = "192.168.1.0/24";
  dnsIp = net.cidr.host 3 lanCidrv4;
+  webProxyIp = net.cidr.host 4 lanCidrv4;
 in {
  # TODO make meta.kea module?
  # TODO reserve by default using assignIps algo?
@ -49,6 +50,10 @@ in {
              hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
              ip-address = dnsIp;
            }
+            {
+              hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
+              ip-address = webProxyIp;
+            }
            {
              hw-address = nodes.sire-samba.config.lib.microvm.mac;
              ip-address = net.cidr.host 10 lanCidrv4;
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -111,6 +111,20 @@ in {
        verdict = "accept";
      };

+      lan-to-local = {
+        from = ["lan"];
+        to = ["local"];
+
+        allowedUDPPorts = [config.wireguard.proxy-home.server.port];
+      };
+
+      # Forward traffic between participants
+      forward-proxy-home-vpn-traffic = {
+        from = ["proxy-home"];
+        to = ["proxy-home"];
+        verdict = "accept";
+      };
+
      #masquerade-vpn = {
      #  from = ["wg-home"];
      #  to = ["lan"];
@ -135,4 +149,11 @@ in {
  #  reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
  #  openFirewall = true;
  #};
+
+  wireguard.proxy-home.server = {
+    host = "192.168.1.1";
+    port = 51444;
+    reservedAddresses = ["10.44.0.0/24" "fd00:44::/120"];
+    openFirewall = false; # Explicitly opened only for lan
+  };
 }
--- a/secrets/rekeyed/sire-grafana/0a8882c335fc3dea59c133350e4debb0-wireguard-proxy-home-psks-sire-grafana+ward.age
+++ b/secrets/rekeyed/sire-grafana/0a8882c335fc3dea59c133350e4debb0-wireguard-proxy-home-psks-sire-grafana+ward.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B7KO8w zu1oBpXzNBiaBfC/mvByu5ANim3bR8gQagtgBYagn1U
+KD/fQXr+onY/xjQbdvFhHcZZeM3sxDy8/t+b+6tA6yY
+-> U'U]!k-grease YMj *I2Pb P b7-a
+77DIyjlP4NYKKNwTW2cw4f1LRG6thm/qMaiFSImdxEU4HnVPjG5pZjIYcwCd2VbF
+2/XIqln4GRex6vQ
+--- 0R+PKfBFabTixZupYfw1XzrbLSwMDtDiDywMjYBf360
+åöÔ`4ýLà9ÈL×Pqþ'Oz›A‘›ÕU2p˜H\UÈY�·9R�pô†dÍñ!qêÞùgÎ–`"¨ai”ÊðâU&©=6uÞ>¼
--- a/secrets/rekeyed/sire-grafana/bc7b1994bea7dca5fee13a43ea98b611-wireguard-proxy-home-priv-sire-grafana.age
+++ b/secrets/rekeyed/sire-grafana/bc7b1994bea7dca5fee13a43ea98b611-wireguard-proxy-home-priv-sire-grafana.age
--- a/secrets/rekeyed/ward-web-proxy/00bc749b81ecaa1f3bff46c4e9202d7c-wireguard-proxy-home-priv-ward-web-proxy.age
+++ b/secrets/rekeyed/ward-web-proxy/00bc749b81ecaa1f3bff46c4e9202d7c-wireguard-proxy-home-priv-ward-web-proxy.age
--- a/secrets/rekeyed/ward-web-proxy/53f02080ea6c3c8f59913279497ecee8-wireguard-proxy-home-psks-ward+ward-web-proxy.age
+++ b/secrets/rekeyed/ward-web-proxy/53f02080ea6c3c8f59913279497ecee8-wireguard-proxy-home-psks-ward+ward-web-proxy.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 NwOpTA M3XfBa56BbC4MvQSsfz6JuF+482KHcKyTyuac0kDUAg
+IQSmZgcOAvcGHseNGiZWakS1iPitMfnK663w/wPAfi8
+-> gn{-grease 6Xd(xF
+WTqjUqa1wVkv4QncJMrB9lf/q+j8ONd77ihZYfK2eDVVpeFMoQJmkFK90LQPp4kI
+KA9Pev4gn30gsn0
+--- I5yMQv1OPtVGGIukGMfGXohgFaPu1TxUx9xHIag4Z2g
+ŔŁ´3Ś4ďsx|Ęą3]6’ č2Wžl˘_šäëľî>˛R8ß˘P:
+  ŚąvĚ¶M}É“|ÓzĂvĎĺ�ľ”®üUs›ňÜŐ«
--- a/secrets/rekeyed/ward/5702f71177f7beb0e43a6d154b3817ac-wireguard-proxy-home-priv-ward.age
+++ b/secrets/rekeyed/ward/5702f71177f7beb0e43a6d154b3817ac-wireguard-proxy-home-priv-ward.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg gJLsRK+YwOX06FcZc5DvsVc6ldDn7p7ZFGWUqKVKEC0
+McHR+wTpJzcz5rY0bhBxTMoGSECoGnkHL/M03VigXQs
+-> 1^\gvk-grease p7(Ne @R,@K7} j2*>
+1hxCbkcrk5zR/Z8fhGEtJtQR6IxOphV4pCu4o6L0ZNXMeaLwIvaRbisR8+mY
+--- iGtzzmAXtd5zQy2yq3Y4mIbpCtgUF5KlN6GDUOdBkDE
+8š#¹)*ñ|cÅ2Ø)ôBW!°Œb¶–×©8A¬Ç‡9%g´ª–!@%ê¯3 l.	ú{ÒªüŸUå~YF-`ÃˆØ�6™
--- a/secrets/rekeyed/ward/78fe89e07283f0eaf30e5a2856ad6013-wireguard-proxy-home-psks-ward+ward-web-proxy.age
+++ b/secrets/rekeyed/ward/78fe89e07283f0eaf30e5a2856ad6013-wireguard-proxy-home-psks-ward+ward-web-proxy.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg 8emaUUHPZjqD1R5y+35VdOXhU0h/RF5tM1ZMXaOzimI
+CctB9o3TCAcBfQdqtfQADApjnRA08XWYOYh/yVmQdBs
+-> >,)ts-grease +~0KV. G>[Ld#H "1ul/\ qi4Ed
+NppQ/1aBVln6ceOkcU1W0k1DC2aQppstXA
+--- i81cVk+uP3rCX2QMb0npH+YkxSbajCxqEA2BwTMXmEM
+™ÔqmÜ’Ëd"Ç{‡v•š‘¼qÙËåU\·`Ð;`Y ÂÁ  'ÉìA¦'’oýQîíÑ`|
+Bõ.Þ´™ßÒïLŸ>Î#{@íŽ�.
--- a/secrets/rekeyed/ward/f989d3e7076a554bd3feb4a229ee164d-wireguard-proxy-home-psks-sire-grafana+ward.age
+++ b/secrets/rekeyed/ward/f989d3e7076a554bd3feb4a229ee164d-wireguard-proxy-home-psks-sire-grafana+ward.age
--- a/secrets/wireguard/proxy-home/keys/sire-grafana.age
+++ b/secrets/wireguard/proxy-home/keys/sire-grafana.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 Rw/oOZBjevIBjQ/IP9PZKr5C5K7fjc34bK4TIXSsp08
+7/RDuF5ZD6p9aGLowMVH6BhVEiZS5CZvj5e6QEoPSuE
+-> piv-p256 xqSe8Q Akzj6/Ss/29QvrRa85ENsvoTVCd/Y3i95R2aLW6ce5e/
+aSBOCWaS/XqWPXFP2IJaLTexnuIvL3QcvA7yw+eGiv8
+-> 6No!9:-grease cHGyS-9
+T7E
+--- 9ZR3RpInJ+zR55nhx86OwjpcKJme/bTayn0ICqyd7pE
+5·0åEš¨›zC$ÒÒíc5.Gdg\.®a›ÌûßÌ�ÌÓ)\é2y”3HA�’,LL,fQ;pAäÌMµE®|(^�îÆvg‚
--- a/secrets/wireguard/proxy-home/keys/sire-grafana.pub
+++ b/secrets/wireguard/proxy-home/keys/sire-grafana.pub
@ -0,0 +1 @@
+QxmAb3B+VxRsmZtLA0dZIyhcMEl9eF5pjI9PVHjt12A=
--- a/secrets/wireguard/proxy-home/keys/ward-web-proxy.age
+++ b/secrets/wireguard/proxy-home/keys/ward-web-proxy.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 03m127mzQrZzG+i0lCiYxE1LDmV66p7x85lAr7kvdQM
+p7L8vQHqGzFzgLRykoG8djYuEZGaZs1vHsv6/2soxQA
+-> piv-p256 xqSe8Q ArF+jT+zyRUCWLNnFdk+d6CfnyyMbqv+1JlX8fHVMx4+
+hvAvhvmPWbaU3Zt2Goyd1uzYvfwtNHBjBHDygvEJEfg
+-> zBsEU-grease spTl#x|
+jK2dhVVwUINl6H+2neoAjrTmIHY5ayPQlUAZKdJpDHyIF+Gf1dCc2VqylTrQMhK4
+wJe+Bwcvk4s92nIRfqTl4A4
+--- urQ0EN70k4q/ZNTSt95DHpsrhIM9UR39dOX816MLcFk
+µß–å:S3á#3€8%}æåb \¹zÎõ<;0]‚`•ÞX›vÐÔñ›ŒœDxKtz»ÍÂ<�´ýÅÜÂõï¶ :L´LñÌ*Q
--- a/secrets/wireguard/proxy-home/keys/ward-web-proxy.pub
+++ b/secrets/wireguard/proxy-home/keys/ward-web-proxy.pub
@ -0,0 +1 @@
+HBOE43AOwpccH/e2337pti21iKzrEtO8oyLXUMVzHQk=
--- a/secrets/wireguard/proxy-home/keys/ward.age
+++ b/secrets/wireguard/proxy-home/keys/ward.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 6TWmq3L5UXGTTKrgjQhj8Xe0RZfJo+XQ0w8ngrLjAzY
+z/9XdrqKejXvJx0w81TLqQwSxn+3Ul1B1jREjO1wuI
+-> piv-p256 xqSe8Q A8/BCRMWX7YRm9lF6o0zW9uJ/YVwTSLojVGg9Lz4S031
+1n+2uCSHeq83UPc7qLxWUwknS2gNOWEoL9Y4+7n7gJY
+-> K-grease )\Dl&j
+pYUrWVDmNacpIA14gM7Ucp4Y4qYxKNqdfNvIR7hQJECuae2S
+--- iS2EvPZPh73Zm6X79VRvEeNzBBxqeLBiuaJ0XKgEMaI
+É((�@¯’j3S,’kV4Ú@hgz˜¾Eð¼nÆª‡Ñ¨åÛÊ›_GWu—�M.ÿÈbûŽÌî%Õô£“r§ñ/pÖöÀU
--- a/secrets/wireguard/proxy-home/keys/ward.pub
+++ b/secrets/wireguard/proxy-home/keys/ward.pub
@ -0,0 +1 @@
+s+Z3G/1gmemNd7GgvWgodWNSciRlWmUi7wCoiywd/Tc=
--- a/secrets/wireguard/proxy-home/psks/sire-grafana+ward.age
+++ b/secrets/wireguard/proxy-home/psks/sire-grafana+ward.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 AOH3GXLMZjdgOSwXH8gRlil6HAxX903ZDfHuaNGaHXA
+8NqugSGdD5bJsUzcA7x4et6mKR/VFvhb4ufcrzrGYmY
+-> piv-p256 xqSe8Q A89eNTdb5orVU0/LcoHttKE0nXuaKmAaMek7Lz1CqKxZ
+mWcA2Fg1b45GHr+ihtBLsEGQvgny6aJC/5X+DsfNjWs
+-> <'-grease ZB-;
+otJwM1DDzq+E7TVkQrg36V91Y7TxL6Ic2eWJ3fbZNBEz3wc
+--- H2r1DxPHmPXIqyUzAebNBLNhkmM91W9Y9NVORENY48o
+*Ù:ìÍ1éÐð#ÔçH.Ï>'ÐÐ:áR‘u½¿´9šè‹²;<ø»
+†ìšÉ¯Œex…fùB!-š‡Î÷Æ^jÕ»Hš%r„
--- a/secrets/wireguard/proxy-home/psks/ward+ward-web-proxy.age
+++ b/secrets/wireguard/proxy-home/psks/ward+ward-web-proxy.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 4Pc4cxDkGJLio/xK07yBUmfu0XAC+6c4k4YAqw08338
+ZZ+aGb7tklVuZ5l+jd+lsnBn+eUdvXnQUOv2F5p3amg
+-> piv-p256 xqSe8Q AndILF26ubv7WafOIZpeERT4hTCDetQV1uiZht4fjB4D
+Os3uF+Re1ljLbDYZth3yVclek/7Y7z052phV8M4jRZw
+-> >2r7LOM-grease fu[4)c
+el9CM2uCv9d4G1LZDKJ/WHuGJU10kExbVRpKaTgqTp7MGGYgVYSRYMio
+--- umzvoZllAfBEQ4R0o57IISDtkgJEfhfpOt399vQsz0w
+QrÄƒ£2?WÓ¦`“WÆ}kì2˜ðº7Ðq€nœâÛ”K2…Dƒ�+ïã˜Íò!±ÊéY¿Ã3ñ+n«ËŒÆcÔ¥Ø›½p^‰O]´Ù
				`@ -0,0 +1 @@`
				`QxmAb3B+VxRsmZtLA0dZIyhcMEl9eF5pjI9PVHjt12A=`
				`@ -0,0 +1 @@`
				`HBOE43AOwpccH/e2337pti21iKzrEtO8oyLXUMVzHQk=`
				`@ -0,0 +1 @@`
				`s+Z3G/1gmemNd7GgvWgodWNSciRlWmUi7wCoiywd/Tc=`