From 4422eef64a6df88ed359df58e29dcc55ec529b55 Mon Sep 17 00:00:00 2001
From: caleb
Date: Tue, 26 Mar 2024 09:39:49 -0400
Subject: [PATCH] added encrypted dns and worked on mullvad-tailscale compat (commnented out as of now)
---
 networking-configuration.nix | 46 +++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/networking-configuration.nix b/networking-configuration.nix
index d9ca213..8324b4a 100644
--- a/networking-configuration.nix
+++ b/networking-configuration.nix
@@ -11,10 +11,54 @@
 systemd.services.NetworkManager-wait-online.enable = false; #disable wait online since it is broken
 hardware.bluetooth.enable = true;
 
+ # Enable encrypted DNS
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ ipv6_servers = true;
+ require_dnssec = true;
+ };
+ };
+ systemd.services.dnscrypt-proxy2.serviceConfig = {
+ StateDirectory = "dnscrypt-proxy";
+ };
+
 # Enable mullvad vpn
 services.mullvad-vpn.package = pkgs.mullvad-vpn;
+ #services.resolved.enable = true;
+ #networking.resolvconf.enable = false;
 services.mullvad-vpn.enable = true;
 
 # Enable tailscale
 services.tailscale.enable = true;
-}
\ No newline at end of file
+
+ # exclude tailscale IPs from mullvad routing
+ /* networking.nftables = {
+ enable = true;
+ ruleset = ''
+ define TAILNET_DNS = {
+ 100.100.100.100
+ }
+ define TAILNET_IPV4 = {
+ 100.64.0.0/10
+ }
+ define TAILNET_IPV6 = {
+ fd7a:115c:a1e0::/48
+ }
+ table inet excludeTraffic {
+ chain excludeDns {
+ type filter hook output priority -10; policy accept;
+ ip daddr $TAILNET_DNS udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip daddr $TAILNET_DNS tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ table inet excludeTraffic {
+ chain excludeOutgoing {
+ type route hook output priority 0; policy accept;
+ ip daddr $TAILNET_IPV4 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip6 daddr $TAILNET_IPV6 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ '';
+ }; */
+}
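Review bot: Enabling dnscrypt-proxy2 does not by itself send the system's lookups through it, and nothing in this hunk points the resolver at its local listener, so with NetworkManager writing resolv.conf (the wait-online context line suggests it is in use) ordinary lookups will most likely keep going in clear text to the DHCP-supplied servers; add `networking.nameservers = [ "127.0.0.1" "::1" ];` and `networking.networkmanager.dns = "none";` next to the dnscrypt block, and record that the Mullvad daemon replaces DNS with its in-tunnel resolver while connected, so which of the two is meant to win needs an explicit decision rather than the commented-out resolved/resolvconf lines. In the (currently commented-out) nftables ruleset, `100.64.0.0/10` is the whole CGNAT range rather than only this tailnet, so on a network that itself uses CGNAT addressing that traffic would also be routed around Mullvad — worth a comment next to the define. The two mark values are unexplained magic numbers; a comment such as `# 0x6d6f6c65 / 0xf41: marks Mullvad treats as split-tunnel traffic — verify against the installed daemon version` would let the next reader check them before uncommenting the block. The enclosing attribute set begins before this hunk.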