Enable firewall for PIA VPN wireguard interface

This commit is contained in:
Zuckerberg 2023-03-12 20:29:20 -06:00
parent 440401a391
commit 478235fe32


@ -6,7 +6,7 @@
# https://github.com/pia-foss/manual-connections # https://github.com/pia-foss/manual-connections
# https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh # https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
# TODO turn on firewall for VPN interface # TODO reassign ports of other VPN container services to ones that PIA won't forward to and add bash code to check to be sure port stays in this range
# TODO handle potential errors (or at least print status, success, and failures to the console) # TODO handle potential errors (or at least print status, success, and failures to the console)
# TODO handle 2 month limit for port # TODO handle 2 month limit for port
# TODO handle VPN container with different name # TODO handle VPN container with different name
@ -212,6 +212,10 @@ in {
echo $signature >> /tmp/${cfg.interfaceName}-port-renewal echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
echo $payload >> /tmp/${cfg.interfaceName}-port-renewal echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
# Block all traffic from VPN interface except for traffic that is from the forwarded port
iptables -I INPUT -i ${cfg.interfaceName} -j DROP
iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
# The first port refresh triggers the port to be actually allocated # The first port refresh triggers the port to be actually allocated
${refreshPIAPort} ${refreshPIAPort}
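Review bot: The `iptables -I INPUT -i ${cfg.interfaceName} -j DROP` rule also drops replies to the host's own outbound connections through the tunnel, because `-I` places it at the head of INPUT ahead of whatever conntrack/ESTABLISHED rule the system firewall has, so only inbound connections to `$port` would survive; an explicit `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` inserted after the DROP is needed (the `-I` ordering of the two existing rules is otherwise fine, the ACCEPT ends up above the DROP). Each run of this block also inserts fresh rules without checking for existing ones, so repeated port refreshes will stack duplicates and leave ACCEPT rules for old ports behind; guarding with `iptables -C … || iptables -I …` avoids the duplicates, and the previous port's rule should presumably be deleted when `$port` changes. `$port` comes from the API response written above, so it should be quoted and, as the TODO in the earlier hunk already suggests, checked to be a plain number before it reaches the iptables command line. The rule accepts TCP only, which may be intended but excludes UDP on the forwarded port. The hunk header announces more lines than are visible here, so the enclosing block may continue past `${refreshPIAPort}`.
```shell
# … unchanged: append signature/payload to /tmp/${cfg.interfaceName}-port-renewal …
# Block inbound traffic on the VPN interface except the forwarded port and replies
# to our own outbound connections; -C guards keep re-runs from stacking duplicates.
iptables -C INPUT -i ${cfg.interfaceName} -j DROP 2>/dev/null \
  || iptables -I INPUT -i ${cfg.interfaceName} -j DROP
iptables -C INPUT -i ${cfg.interfaceName} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null \
  || iptables -I INPUT -i ${cfg.interfaceName} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -C INPUT -i ${cfg.interfaceName} -p tcp --dport "$port" -j ACCEPT 2>/dev/null \
  || iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport "$port" -j ACCEPT
# … unchanged: first port refresh …
```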