From 97a40c153e1daf8a1de251db825cb6a6020d5e1f Mon Sep 17 00:00:00 2001
From: Mel
Date: Thu, 23 Apr 2026 20:35:56 +0200
Subject: Define VPN egress & ingress default MTUs, routes, reverse paths, ...
Signed-off-by: Mel
---
 modules/vpn/ingress.nix | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'modules/vpn/ingress.nix')
diff --git a/modules/vpn/ingress.nix b/modules/vpn/ingress.nix
index 2a6a582..2cf1ae5 100644
--- a/modules/vpn/ingress.nix
+++ b/modules/vpn/ingress.nix
@@ -25,7 +25,8 @@ let
 ingressName = index: "vpn-ingress${toString index}";
 egressName = "vpn-egress0";
- egressAddress = "10.123.255.1/30";
+ egressAddress = "10.123.255.1/16"; # /16 encompasses all possible subnet addresses
+ egressMTU = 1400;
 egressHost = name: "${name}.rnrd.eu";
 in
@@ -36,6 +37,8 @@ in
 networking.firewall = {
 allowedUDPPorts = map (x: x.port) paths;
+ allowedTCPPorts = map (x: x.port) paths;
+ checkReversePath = "loose";
 };
 age.secrets.ingress-key = {
@@ -83,9 +86,13 @@ in
 "20-${egressName}" = {
 name = egressName;
 address = [ egressAddress ];
+ networkConfig = {
+ IPv4ReversePathFilter = "loose";
+ };
 linkConfig = {
 ActivationPolicy = "up";
 RequiredForOnline = "no"; # does not count as online
+ MTUBytes = toString egressMTU;
 };
 routes = [
 {
@@ -137,6 +144,7 @@ in
 tag = inboundName;
 interface_name = egressName;
 address = [ egressAddress ];
+ mtu = egressMTU;
 auto_route = false; # we route manually
 strict_route = false;
 endpoint_independent_nat = true;
@@ -146,6 +154,7 @@ in
 outbounds = map (path: {
 type = "vless";
 flow = "xtls-rprx-vision";
+ packet_encoding = "xudp";
 server = egressHost path.egress;
 server_port = 443;
@@ -179,6 +188,11 @@ in
 auto_detect_interface = true;
 };
+
+ log = {
+ level = "debug";
+ timestamp = true;
+ };
 };
 };
 }
-- 
cgit 1.4.1
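Review bot: Widening `egressAddress` from /30 to /16 turns all of 10.123.0.0/16 into an on-link prefix of `vpn-egress0`, since the same value feeds both the networkd `address = [ egressAddress ]` and the sing-box tun address, so any host in that range that is not actually behind the tun becomes unreachable, and once reverse-path filtering is loosened, packets arriving on the tun with any source in that /16 are accepted as legitimate. The comment `# /16 encompasses all possible subnet addresses` does not say which subnets are meant or that the range must not overlap any other attached network, which is the property a future maintainer needs. I would replace it with something like `# /16: on-link prefix covering every client subnet routed through the tun — must not overlap any LAN/uplink range`, or keep the /30 host address and express the aggregate as an entry under `routes` instead, if a summary route is all that is wanted. The `let` binding list this hunk belongs to continues outside the hunk.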
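Review bot: `checkReversePath = "loose";` relaxes the NixOS firewall's reverse-path check for every interface on the host, not only the egress tun, which weakens anti-spoofing on the uplink where the `paths` ports are exposed; the per-link `IPv4ReversePathFilter = "loose"` added later on `20-${egressName}` already covers the tun, so the global line is the broader of the two changes. I would drop the global setting, or if the firewall's rpfilter rule really must accept asymmetric replies via the tun, keep it with a justification: `checkReversePath = "loose"; # asymmetric replies via ${egressName}; rp_filter on the tun itself is set per link below`. `allowedTCPPorts = map (x: x.port) paths;` opens the same ports over TCP as over UDP; unless a listener (not visible in this hunk) actually binds TCP on those ports, this only widens the exposed surface and should be either commented or removed. The `networking.firewall` set is complete within the hunk, but the enclosing module body is not.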
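Review bot: `level = "debug";` turns on sing-box debug logging permanently for the ingress, which typically records per-connection metadata (peer addresses, destinations) into the journal for a privacy-sensitive VPN path and adds I/O under load, and nothing in the commit message marks it as temporary. I would ship `level = "warn";` (or `"info"`) and, if debug output is needed while bringing the new MTU/route settings up, leave a marker so it gets lowered again: `level = "debug"; # TODO(review): temporary while validating MTU/routes — lower before this goes live`. The enclosing sing-box settings attribute set starts before this hunk.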