l yellow.r: allow traffic only through vpn

This commit is contained in:
lassulus 2022-12-11 19:07:58 +01:00
parent 4cb2771732
commit 85c7617820


@ -1,6 +1,6 @@
with import <stockholm/lib>; { config, lib, pkgs, ... }: let
{ config, lib, pkgs, ... }: vpnIp = "85.202.81.161";
{ in {
imports = [ imports = [
<stockholm/lass> <stockholm/lass>
<stockholm/lass/2configs> <stockholm/lass/2configs>
@ -11,6 +11,8 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ]; users.groups.download.members = [ "transmission" ];
networking.useHostResolvConf = false;
networking.useNetworkd = true;
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
services.transmission = { services.transmission = {
@ -159,13 +161,22 @@ with import <stockholm/lib>;
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
]; ];
tables.filter.OUTPUT = {
policy = "DROP";
rules = [
{ v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
{ predicate = "-o tun0"; target = "ACCEPT"; }
{ predicate = "-o retiolum"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o eth0 -d 10.233.0.0/24"; target = "ACCEPT"; }
];
};
}; };
services.openvpn.servers.nordvpn.config = '' services.openvpn.servers.nordvpn.config = ''
client client
dev tun dev tun
proto udp proto udp
remote 194.110.84.106 1194 remote ${vpnIp} 1194
resolv-retry infinite resolv-retry infinite
remote-random remote-random
nobind nobind