feat(fw): route appletv through a toggleable cyberghost germany exit #149

Merged
dominik.polakovics merged 1 commit from lab/20260612-1929 into main 2026-06-12 20:56:21 +02:00

Adds a second CyberGhost connection (Germany, OpenVPN UDP, 87-1-DE.cg-dialup.net) terminating on fw, policy-routing the Apple TV (10.42.99.15) through it for geo-unblocking ARTE/ARD/ZDF/Joyn.

Toggle (off after every boot — Austria is the resting state):

  • systemctl start cyberghost-de.target → Apple TV egresses via Germany
  • systemctl stop cyberghost-de.target → Apple TV is a normal Austrian client again

Design:

  • hosts/fw/modules/cyberghost-de.nix: OpenVPN client on pinned tun-cg-de, route-nopull; tun route (metric 50, table vpn-de/101) managed by OpenVPN up/down hooks so it tracks tunnel state exactly.
  • cyberghost-de-routing installs an unreachable default (metric 100) plus per-client ip rules (local /20 → main at prio 90, rest → vpn-de at prio 100). Rule lifetime is tied to the target, not the openvpn unit: a tunnel crash hard-kills the client's WAN egress instead of leaking the Austrian IP.
  • Jellyfin & LAN unaffected in all states: hairpin DNAT rewrites to 10.42.97.5 before routing, so those flows hit the local-/20 exception; DNS stays on fw's dnsmasq.
  • firewall: rpfilter exemption for tun-cg-de, multimedia→tunnel forward accept, masquerade out the tunnel — all static and inert while the target is off.
  • Static lease 48:e1:5c:b3:65:65 → 10.42.99.15 (dnsmasq + dormant Kea mirror). The Apple TV needs one network re-join to move off its dynamic lease (.181).

Secrets (cyberghost-auth/-ca/-cert/-key) already landed on main (7739746).

dominik.polakovics deleted branch lab/20260612-1929 2026-06-12 20:56:21 +02:00
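Added example, not code from the PR or the Cloonar/nixos repository: a small model of the policy-routing design above (per-client ip rules at prio 90/100, table `vpn-de` holding an `unreachable default` at metric 100 and a tunnel route at metric 50 that only exists while OpenVPN is up) so the fail-closed behaviour on a tunnel crash can be checked without a firewall at hand. The prefix of the "local /20" (`10.42.96.0/20`) and the device names `wan`/`lan` are assumptions; the Apple TV and Jellyfin addresses come from the description.

```python
import ipaddress

# Constructed model of the PR's routing design; labelled values are assumptions.
LOCAL_NET = ipaddress.ip_network("10.42.96.0/20")   # assumed prefix of the "local /20"
APPLE_TV = ipaddress.ip_address("10.42.99.15")      # static lease from the PR
ANY = ipaddress.ip_network("0.0.0.0/0")

def tables(tunnel_up):
    """Routing tables as (prefix, nexthop, metric); nexthop 'unreachable' is terminal."""
    vpn_de = [(ANY, "unreachable", 100)]            # installed by cyberghost-de-routing
    if tunnel_up:
        vpn_de.append((ANY, "tun-cg-de", 50))        # added/removed by the OpenVPN up/down hooks
    # 'wan' and 'lan' are assumed device names for fw's uplink and the local /20
    return {"main": [(ANY, "wan", 0), (LOCAL_NET, "lan", 0)], "vpn-de": vpn_de}

def rules(target_on):
    """ip rules as (prio, src, dst, table); the kernel's default main rule is always last."""
    per_client = [(90, APPLE_TV, LOCAL_NET, "main"), (100, APPLE_TV, ANY, "vpn-de")]
    return (per_client if target_on else []) + [(32766, None, ANY, "main")]

def lookup(table, dst):
    """Longest prefix first, then lowest metric, as the FIB does."""
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def egress(src, dst, target_on, tunnel_up):
    """Return the nexthop a packet src->dst takes, or 'unreachable'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, rule_src, rule_dst, table in sorted(rules(target_on), key=lambda r: r[0]):
        if rule_src is not None and src != rule_src:
            continue
        if dst not in rule_dst:
            continue
        hop = lookup(tables(tunnel_up)[table], dst)
        if hop is not None:
            return hop      # an 'unreachable' route ends the walk, just like the real FIB
    return "unreachable"

if __name__ == "__main__":
    for state in [(False, False), (True, True), (True, False)]:
        print(f"target_on={state[0]} tunnel_up={state[1]}:",
              egress("10.42.99.15", "1.1.1.1", *state))
```

The third state (target on, tunnel down) is the crash case the description calls out: the metric-50 tunnel route is gone, the metric-100 `unreachable` still matches, and the client's WAN egress is blackholed rather than falling through to the Austrian uplink.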
Reference
Cloonar/nixos!149