Skip to content

sdlfoundation/hard-nix-router

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
modules
modules
 
 
repos
repos
 
 
scripts
scripts
 
 
www
www
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 
routerconfig.nix.example
routerconfig.nix.example
 
 

Repository files navigation

hard-nix-router

A reasonably secure and highly configurable NixOS router for paranoid people.

Unlike other NixOS frameworks for setting up routers, this one is very bare-bones and insecure features that could lead to security holes, such as port forwarding, are not included by design.

Features

  • Pre-configured Kea DHCP server
  • DNS cache with dnsmasq
  • Encrypted DNS queries with Stubby
  • Router-wide adblocker with constantly updated host blocklist
  • Hardened but configurable Nix firewall
  • MAC address filtering with nftables
  • Login bruteforce attack prevention with fail2ban
  • Audits
  • Intrusion Detection System with Sirucata
  • Power management for laptop hosts
  • doas over sudo; trash over rm
  • Maintenance commands

To edit the configuration, refer to routerconfig.nix.

Additional Security Considerations

  • Set up an OpenBSD bastion host in between your home gateway and router.
  • Use VLAN tags on L2 via a switch to separate your device traffic.
  • Disable wireless AP altogether.

Prerequisites

In order to host your own router, you need to set up your home networking equipment accordingly. Depending on if you have a modern home router which has all-in-one routing and modulating capabilities, or a typical modem, you need to pick the sections below.

Modern Router

Since modern routers have routing functionality built-in, but they also have the modulation/demodulation necessary for your ISP's proprietary signals, you need to disable the routing functionality while keeping the router functionality.

To achieve this, you have two options, bridge mode and DMZ.

  • Bridge Mode: The ideal option of the two. Bridge Mode forwards all incoming traffic to the host specified via a LAN port. Some ISPs intentionally keep this option disabled— if that is the case, you need to contact them for more information.
  • DMZ: It stands for Demilitarized Zone, which similarly forwards data to a host but with the intended use case being separating secure systems from insecure ones.

After setting up the packet forwarding, you just need to disable the DHCP server and perhaps the firewall of the home router and you may continue with the installation.

Modem

Connection of a switch to the modem is required to have ports both for the router and the computer hosts connecting to the Internet and receiving private IP addresses via NAT.

Installation

  1. Clone the repository: cd /etc && rm -r nixos && git clone https://github.com/XXXX/hard-nix-router.
  2. Update flakes: nix flake update.
  3. cp routerconfig.nix.example routerconfig.nix and make the desired changes to the config.
  4. Build the system: nixos-rebuild switch --flake .

Post-install

Some commonly used CLI tools come pre-installed. To view them and their use case, refer to modules/pkgs/cli.nix.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages