# Network layout that backs the VPN architecture: the selectable
# ingress-to-egress paths, the users allowed on them, the domain used as
# the vless/reality mask, and the public half of the ingress key pair.
{
  # Website used as the "mask" for vless/reality: peers pretend to be an
  # ordinary user talking to this well-known site. Both ends know the keys
  # do not really match, but that is not observable from the outside.
  mask = "microsoft.com";

  # Not needed to bring the tunnel up; kept here because the user-facing
  # wireguard configurations list it as the public key of the server peer
  # at `tunnel.rnrd.eu`. The private half of the pair is the secret
  # `vpn/ingress-key`, which is deliberately not part of this file.
  ingress = {
    public = "s5yyPCJiN0uqW0jzKIbYCF7I9TthymiRzpNt466XeWk=";
  };

  # Paths a user may take to reach a given egress server. A user connects
  # over wireguard to one of the ports listed here; the primary ingress
  # server (this host) then opens a connection to the matching backend
  # egress -- not over wireguard but over a dpi-evading protocol -- and
  # forwards the user's packets through to it. List order matters: the
  # index of an entry is the 'X' substituted into the user ip templates.
  paths = [
    {
      port = 50501;
      egress = "taupe";
      info = {
        uuid = "328c90a0-20ae-4d4c-9e54-97e9ab41c053";
        short = "b20629b505f39194";
        public = "_837k5niQBE-qmgqpZalH3cS_fAIBwv8dwMoDW1uvgk";
        # path to the age-encrypted egress key; only the ciphertext lives in the repo
        keySecret = ../../secrets/vpn/egress-key-taupe.age;
      };
    }
    {
      port = 50502;
      egress = "taureau";
      info = {
        uuid = "826b8598-ed75-4782-9b7e-27e0e16e1141";
        short = "8f7e9f8a3fa46bf0";
        public = "HvR4iP8URERpPBM4oG1Bjfw3mIfN0MoL2x6MHlt_TUM";
        # path to the age-encrypted egress key; only the ciphertext lives in the repo
        keySecret = ../../secrets/vpn/egress-key-taureau.age;
      };
    }
  ];

  # Users allowed to connect to any of the paths above (listed alphabetically;
  # attribute order has no meaning in Nix). `key` is the user's peer public
  # key, presumably the wireguard key used on the ingress side -- verify
  # against the wireguard configuration generator. `ip` is a template:
  # 'X' stands for the path index.
  users = {
    andrei = {
      key = "qqU4uYImLfUohIwl4KBshPtTINFcs0JVALjbmwpfxRg=";
      ip = "10.123.X.102";
    };
    fedor = {
      key = "tEO9r8+jTpu8TBRmZ+/v087IgD/QfmofLUKs249i/F0=";
      ip = "10.123.X.104";
    };
    mel = {
      key = "vnZoHXapCLLUhZ8A8R5W0iJ8LpWVLve29z41kkoT0BU=";
      ip = "10.123.X.101";
    };
    sergo = {
      key = "qbZGMNIDZFCJC6SHtlyNIlIdGWHELceXClJCcagrj2Y=";
      ip = "10.123.X.103";
    };
  };
}