authorMel <mel@rnrd.eu>2026-03-31 22:11:10 +0200
committerMel <mel@rnrd.eu>2026-03-31 22:11:10 +0200
commit2780fc65523814564153d92ab2d0f19be4ba0e02 (patch)
tree472904f62e920551dbaba896a524e01576b5ced1 /modules/vpn/definition.nix
parent7d899f695a1d5a448226ed9479c0e4c52454f595 (diff)
VLESS/Reality VPN configuration for DPI evasion
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/vpn/definition.nix')
-rw-r--r--modules/vpn/definition.nix63
1 files changed, 63 insertions, 0 deletions
diff --git a/modules/vpn/definition.nix b/modules/vpn/definition.nix
new file mode 100644
index 0000000..0eb2ac1
--- /dev/null
+++ b/modules/vpn/definition.nix
@@ -0,0 +1,63 @@
+# definition of the network layout which supports our vpn
+# architecture.
+
+{
+  # these are the available paths which a user is allowed to take
+  # to reach a specified egress server.
+  # when a user connects to a port defined here via wireguard,
+  # the primary ingress server (us), will establish a connection with
+  # the user and the backend egress server (this time, not via wireguard,
+  # but with a specific dpi-evading protocol), and route the users packets
+  # through to the egress.
+  paths = [
+    {
+      port = 50501;
+      egress = "taupe";
+
+      info = {
+        uuid = "328c90a0-20ae-4d4c-9e54-97e9ab41c053";
+        short = "b20629b505f39194";
+
+        public = "_837k5niQBE-qmgqpZalH3cS_fAIBwv8dwMoDW1uvgk";
+        keySecret = ../../secrets/vpn/egress-key-taupe.age;
+      };
+    }
+    {
+      port = 50502;
+      egress = "taureau";
+
+      info = {
+        uuid = "826b8598-ed75-4782-9b7e-27e0e16e1141";
+        short = "8f7e9f8a3fa46bf0";
+
+        public = "HvR4iP8URERpPBM4oG1Bjfw3mIfN0MoL2x6MHlt_TUM";
+        keySecret = ../../secrets/vpn/egress-key-taureau.age;
+      };
+    }
+  ];
+
+  # there are our users who are allowed to connect to any of our "paths".
+  # their ip is always a template, with 'X' representing the path index.
+  users = {
+    mel = {
+      key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
+      ip = "10.123.X.101";
+    };
+
+    andrei = {
+      key = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
+      ip = "10.123.X.102";
+    };
+
+    sergo = {
+      key = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
+      ip = "10.123.X.103";
+    };
+  };
+
+  # we use a website as a "mask" for vless/reality, which will tell our peers
+  # to pretend as if they're a user and a well-known website communicating with
+  # each other, even though they know that the keys don't actually match up,
+  # it's not possible to see that on the outside.
+  mask = "microsoft.com";
+}
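Review bot: The `uuid` (and `short`) values under `info` for both paths are committed as plain literals, while the matching `keySecret` for the same egress is kept as an age file; in VLESS the client id is what the egress uses to authenticate the ingress, so anyone with read access to this repository holds a working credential for both egress servers. Consider storing them the same way as `keySecret` (an age-encrypted file under the existing secrets/vpn directory, e.g. `egress-uuid-<egress>.age` — constructed name) and, at minimum, adding a comment above `info` stating that `uuid`/`short` are authentication material to be rotated if the repository is ever exposed. The WireGuard `key` values under `users` are public keys and are fine in the clear, but the comment on the line `# there are our users who are allowed to connect to any of our "paths".` reads as a typo for `# these are our users who are allowed to connect to any of our "paths".`. It would also help a future maintainer if the `mask` comment named what the value is used as (the Reality destination/SNI the handshake imitates), since "mask" is not standard terminology for that field.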