From 084509af8bd86b24de1139c42fc0aade23a705f4 Mon Sep 17 00:00:00 2001
From: digital
Date: Wed, 31 Aug 2022 22:22:26 +0200
Subject: [PATCH 1/3] nixos/wireguard: add option to set firewall mark

Wireguard can tag its packets with a firewall mark. This can be used for firewalls or policy routing. This is very useful in some setups where all traffic should go through a wireguard interface. The wireguard packets cannot go through the wireguard interface and must be routed differently, which can be done via the Firewall Mark. The nixos option `config.networking.wireguard.interface..fwMark` is of type `types.str` and not `types.int` to allow for specifying the mark as a hexadecimal value.
---
 nixos/modules/services/networking/wireguard.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 23b3008f02d..8cc4fa9faf3 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -137,6 +137,20 @@ let
 See [documentation](https://www.wireguard.com/netns/).
 '';
 };
+
+ fwMark = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ example = "0x6e6978";
+ description = lib.mdDoc ''
+ Mark all wireguard packets originating from
+ this interface with the given firewall mark. The firewall mark can be
+ used in firewalls or policy routing to filter the wireguard packets.
+ This can be useful for setup where all traffic goes through the
+ wireguard tunnel, because the wireguard packets need to be routed
+ differently.
+ '';
+ };
 };
 };
@@ -406,6 +420,7 @@ let
 ${concatStringsSep " " (
 [ ''${wg} set "${name}" private-key "${privKey}"'' ]
 ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+ ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
 )}
 ${ipPostMove} link set up dev "${name}"
From eb49174f7b3e4222e69a21ee9a1cb59f84b73c8d Mon Sep 17 00:00:00 2001
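Review bot: `fwMark` is typed `nullOr str` in the `@@ -137` hunk, yet its value is spliced verbatim into the interface setup script by the second hunk (`''fwmark "${values.fwMark}"''`), so any value that is not a decimal or `0x` hexadecimal number is only rejected at activation time by `wg set`, not when the configuration is evaluated. The commit message says the string type exists solely to permit hexadecimal marks, which the option can keep while still validating: `type = with types; nullOr (strMatching "(0x[0-9a-fA-F]+|[0-9]+)");`. The description could then name the accepted forms, e.g. `The mark is a 32-bit integer, given in decimal or with a 0x prefix in hexadecimal.` The enclosing `options` attribute set begins before the hunk.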
From: digital
Date: Wed, 31 Aug 2022 22:22:40 +0200
Subject: [PATCH 2/3] nixos/wireguard: add option to set mtu

Some networks can only transfer packets with a lower than normal maximum transfer unit size. In these cases, it is necessary to set a MTU that works for the given upstream network.
---
 nixos/modules/services/networking/wireguard.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 8cc4fa9faf3..6a5d7c6b041 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -151,6 +151,19 @@ let
 differently.
 '';
 };
+
+ mtu = mkOption {
+ default = null;
+ type = with types; nullOr int;
+ example = 1280;
+ description = lib.mdDoc ''
+ Set the maximum transmission unit in bytes for the wireguard
+ interface. Beware that the wireguard packets have a header that may
+ add up to 80 bytes to the mtu. By default, the MTU is (1500 - 80) =
+ 1420. However, if the MTU of the upstream network is lower, the MTU
+ of the wireguard network has to be adjusted as well.
+ '';
+ };
 };
 };
@@ -412,6 +425,7 @@ let
 ${ipPreMove} link add dev "${name}" type wireguard
 ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
+ ${optionalString (values.mtu != null) ''${ipPreMove} link set "${name}" mtu ${toString values.mtu}''}
 ${concatMapStringsSep "\n" (ip: ''${ipPostMove} address add "${ip}" dev "${name}"''
From 0c704db698bbf27508976aa7053bf12a7059e0d2 Mon Sep 17 00:00:00 2001
From: digital
Date: Wed, 31 Aug 2022 22:48:43 +0200
Subject: [PATCH 3/3] nixos/docs: update changelog

---
 nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 6 ++++++
 nixos/doc/manual/release-notes/rl-2211.section.md | 2 ++
 2 files changed, 8 insertions(+)
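Review bot: `mtu` is typed `nullOr int` in the `@@ -151` hunk, so `mtu = 0` or a negative value evaluates cleanly and only fails later at activation inside `ip link set`. Declaring it as `type = with types; nullOr ints.positive;` rejects such values when the configuration is evaluated, where the error is attributed to the option rather than to a failing shell command. The enclosing `options` attribute set begins before the hunk.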
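Review bot: The added `mtu` line in the `@@ -412` hunk runs `${ipPreMove} link set "${name}" mtu …` after the `link set "${name}" netns "${ns}"` line, so when `interfaceNamespace` differs from `socketNamespace` the device has already been moved and, if `ipPreMove` and `ipPostMove` wrap `ip` for the socket and interface namespace as their names and the following `address add` line suggest, the command fails with a missing device and aborts the setup script. Using the post-move wrapper, as the next line already does, avoids that: `${optionalString (values.mtu != null) ''${ipPostMove} link set "${name}" mtu ${toString values.mtu}''}`. Placing the line before the netns move would work as well, but keeping all post-creation configuration on the same `ip` wrapper is easier to read. The enclosing script string starts and ends outside the hunk.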
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 009b57bad86..686be4f9d45 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -640,6 +640,12 @@ guide on how to migrate your Neo4j instance. + + + The networking.wireguard module now can set + the mtu on interfaces and tag its packets with an fwmark. + + The services.matrix-synapse systemd unit diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index b4e051a841f..a72c552f657 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -215,6 +215,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance. +- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark. + - The `services.matrix-synapse` systemd unit has been hardened. - Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.