Define VPN egress & ingress default MTUs, routes, reverse paths, ...

Signed-off-by: Mel <mel@rnrd.eu>

1 files changed, 15 insertions, 1 deletions

diff --git a/modules/vpn/ingress.nix b/modules/vpn/ingress.nix
index 2a6a582..2cf1ae5 100644
--- a/modules/vpn/ingress.nix
+++ b/modules/vpn/ingress.nix
@@ -25,7 +25,8 @@ let
 
   ingressName = index: "vpn-ingress${toString index}";
   egressName = "vpn-egress0";
-  egressAddress = "10.123.255.1/30";
+  egressAddress = "10.123.255.1/16"; # /16 encompasses all possible subnet addresses
+  egressMTU = 1400;
 
   egressHost = name: "${name}.rnrd.eu";
 in
@@ -36,6 +37,8 @@ in
 
   networking.firewall = {
     allowedUDPPorts = map (x: x.port) paths;
+    allowedTCPPorts = map (x: x.port) paths;
+    checkReversePath = "loose";
   };
 
   age.secrets.ingress-key = {
@@ -83,9 +86,13 @@ in
           "20-${egressName}" = {
             name = egressName;
             address = [ egressAddress ];
+            networkConfig = {
+              IPv4ReversePathFilter = "loose";
+            };
             linkConfig = {
               ActivationPolicy = "up";
               RequiredForOnline = "no"; # does not count as online
+              MTUBytes = toString egressMTU;
             };
             routes = [
               {
@@ -137,6 +144,7 @@ in
             tag = inboundName;
             interface_name = egressName;
             address = [ egressAddress ];
+            mtu = egressMTU;
             auto_route = false; # we route manually
             strict_route = false;
             endpoint_independent_nat = true;
@@ -146,6 +154,7 @@ in
         outbounds = map (path: {
           type = "vless";
           flow = "xtls-rprx-vision";
+          packet_encoding = "xudp";
 
           server = egressHost path.egress;
           server_port = 443;
@@ -179,6 +188,11 @@ in
 
           auto_detect_interface = true;
         };
+
+        log = {
+          level = "debug";
+          timestamp = true;
+        };
       };
     };
 }