2.1 KiB
2.1 KiB
sixnix
My ISP provides me a single /64 and it's dynamically assigned. I cannot have multiple networks with functional autoconfiguration. One solution to this is use one of 4to6 tunnel brokers like the one offered by Hurricane Electric. Since my ISP uses CGNAT this setup is tricky if not impossible.
Fortunately Linode provides free /56 to customers and the cheapest VPS costs just $5/month. You get 256 /64 subnets. The following table provides an example where you can have 15 delegations of /60 and use the 16th /60 for the wireguard peer addressing.
| Client subnet | WireGuard subnet | |
|---|---|---|
| 2001:db8::/60 | 2001:db8:0:f0::/64 | 1 |
| 2001:db8:0:10::/60 | 2001:db8:0:f1::/64 | 2 |
| 2001:db8:0:20::/60 | 2001:db8:0:f2::/64 | 3 |
| 2001:db8:0:30::/60 | 2001:db8:0:f3::/64 | 4 |
| 2001:db8:0:40::/60 | 2001:db8:0:f4::/64 | 5 |
| 2001:db8:0:50::/60 | 2001:db8:0:f5::/64 | 6 |
| 2001:db8:0:60::/60 | 2001:db8:0:f6::/64 | 7 |
| 2001:db8:0:70::/60 | 2001:db8:0:f7::/64 | 8 |
| 2001:db8:0:80::/60 | 2001:db8:0:f8::/64 | 9 |
| 2001:db8:0:90::/60 | 2001:db8:0:f9::/64 | 10 |
| 2001:db8:0:a0::/60 | 2001:db8:0:fa::/64 | 11 |
| 2001:db8:0:b0::/60 | 2001:db8:0:fb::/64 | 12 |
| 2001:db8:0:c0::/60 | 2001:db8:0:fc::/64 | 13 |
| 2001:db8:0:d0::/60 | 2001:db8:0:fd::/64 | 14 |
| 2001:db8:0:e0::/60 | 2001:db8:0:fe::/64 | 15 |
| Host | Subnet |
|---|---|
| wireguard.example.com | 2001:0db8:0:ff::/64 |
You can follow the linode's nixos installation guide and/or use this repo as a reference to set up your wireguard tunnels.
- set up sops using the docs here
- add root password, wireguard server private keys and peer public keys
- add ssh public keys and configure any additional user accounts in
modules/access.nix - configure egress, firewall, wireguard tunnels etc in
modules/network.nix