Add IDS-VM as a defensive networking mechanism

- Adds new virtual machine called ids-vm.
- If enabled, sets it as a default gateway for other VMs except or net-vm.
- Uses mitmproxy to monitor http and https traffic.
- Creates a web interface to the mitmproxy.
- Sets Chromium to ignore self-signed CA certificate generated by mitmproxy.

Signed-off-by: Risto Kuusela <risto.kuusela@unikie.com>

modules/virtualization/microvm/guivm.nix

@@ -57,6 +57,7 @@
             pkgs.waypipe
             pkgs.networkmanagerapplet
             pkgs.nm-launcher
+            pkgs.mitmweb-ui
           ];
         };
 

modules/virtualization/microvm/idsvm.nix

@@ -0,0 +1,167 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  configHost = config;
+  vmName = "ids-vm";
+  macAddress = "02:00:00:01:01:02";
+  networkName = "ethint0";
+  idsvmBaseConfiguration = {
+    imports = [
+      # (import ./common/vm-networking.nix {inherit vmName macAddress useDHCP;})
+      ({lib, ...}: {
+        ghaf = {
+          users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
+          development = {
+            # NOTE: SSH port also becomes accessible on the network interface
+            #       that has been passed through to NetVM
+            ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable;
+            debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
+          };
+        };
+
+        system.stateVersion = lib.trivial.release;
+
+        nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system;
+        nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system;
+
+        microvm.hypervisor = "qemu";
+
+        environment.systemPackages = lib.mkIf config.ghaf.profiles.debug.enable [
+          pkgs.mitmproxy
+          pkgs.snort
+          pkgs.tcpdump
+        ];
+
+        networking = {
+          enableIPv6 = false;
+          firewall.allowedTCPPorts = [22 8080 8081]; # SSH, mitmproxy, mitmweb
+          firewall.allowedUDPPorts = [67];
+          useNetworkd = true;
+          nat = {
+            enable = true;
+            internalInterfaces = [networkName];
+            extraCommands = ''
+              iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 80 -j REDIRECT --to-port 8080
+              iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 443 -j REDIRECT --to-port 8080
+            '';
+          };
+        };
+
+        # Here we add default CA keypair and corresponding self-signed certificate
+        # for mitmproxy in different formats. These should be, of course, randomly and
+        # securely generated and stored for each instance, but for development purposes
+        # we use these fixed ones.
+        environment.etc = {
+          "mitmproxy/mitmproxy-ca-cert.cer".source = ./mitmproxy-ca/mitmproxy-ca-cert.cer;
+          "mitmproxy/mitmproxy-ca-cert.p12".source = ./mitmproxy-ca/mitmproxy-ca-cert.p12;
+          "mitmproxy/mitmproxy-ca-cert.pem".source = ./mitmproxy-ca/mitmproxy-ca-cert.pem;
+          "mitmproxy/mitmproxy-ca.pem".source = ./mitmproxy-ca/mitmproxy-ca.pem;
+          "mitmproxy/mitmproxy-ca.p12".source = ./mitmproxy-ca/mitmproxy-ca.p12;
+          "mitmproxy/mitmproxy-dhparam.pem".source = ./mitmproxy-ca/mitmproxy-dhparam.pem;
+        };
+
+        systemd.services."mitmweb-server" = let
+          mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" ''
+            ${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port 8081 --set confdir=/etc/mitmproxy
+          '';
+        in {
+          enable = true;
+          description = "Run mitmweb to establish web interface for mitmproxy";
+          path = [mitmwebScript];
+          wantedBy = ["multi-user.target"];
+          serviceConfig = {
+            Type = "simple";
+            # RemainAfterExit = true;
+            StandardOutput = "journal";
+            StandardError = "journal";
+            ExecStart = "${mitmwebScript}/bin/mitmweb-server";
+            Restart = "on-failure";
+            RestartSec = "1";
+          };
+        };
+
+        microvm.interfaces = [
+          {
+            type = "tap";
+            # The interface names must have maximum length of 15 characters
+            id = "tap-${vmName}";
+            mac = macAddress;
+          }
+        ];
+
+        systemd.network = {
+          enable = true;
+          # Set internal network's interface name to networkName
+          links."10-${networkName}" = {
+            matchConfig.PermanentMACAddress = macAddress;
+            linkConfig.Name = networkName;
+          };
+          networks."10-${networkName}" = {
+            matchConfig.MACAddress = macAddress;
+            DHCP = "no";
+            gateway = ["192.168.100.1"];
+            addresses = [
+              {
+                addressConfig.Address = "192.168.100.3/24";
+              }
+              {
+                # IP-address for debugging subnet
+                addressConfig.Address = "192.168.101.4/24";
+              }
+            ];
+            linkConfig.RequiredForOnline = "routable";
+            linkConfig.ActivationPolicy = "always-up";
+          };
+        };
+
+        services.resolved.dnssec = "false";
+
+        microvm = {
+          optimize.enable = true;
+          shares = [
+            {
+              tag = "ro-store";
+              source = "/nix/store";
+              mountPoint = "/nix/.ro-store";
+            }
+          ];
+          writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store";
+        };
+
+        imports = import ../../module-list.nix;
+      })
+    ];
+  };
+  cfg = config.ghaf.virtualization.microvm.idsvm;
+in {
+  options.ghaf.virtualization.microvm.idsvm = {
+    enable = lib.mkEnableOption "IDSVM";
+
+    extraModules = lib.mkOption {
+      description = ''
+        List of additional modules to be imported and evaluated as part of
+        IDSVM's NixOS configuration.
+      '';
+      default = [];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    microvm.vms."${vmName}" = {
+      autostart = true;
+      config =
+        idsvmBaseConfiguration
+        // {
+          imports =
+            idsvmBaseConfiguration.imports
+            ++ cfg.extraModules;
+        };
+      specialArgs = {inherit lib;};
+    };
+  };
+}

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL
+BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN
+MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i
+0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2
+B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU
+KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr
+9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC
+iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB
+/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S
+Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo
+WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB
+vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93
+7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5
+cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA
++PqFqfsCDYU1
+-----END CERTIFICATE-----

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors
+
+SPDX-License-Identifier: Apache-2.0

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.p12.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors
+
+SPDX-License-Identifier: Apache-2.0

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL
+BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN
+MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i
+0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2
+B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU
+KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr
+9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC
+iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB
+/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S
+Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo
+WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB
+vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93
+7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5
+cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA
++PqFqfsCDYU1
+-----END CERTIFICATE-----

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.p12.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors
+
+SPDX-License-Identifier: Apache-2.0

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem

@@ -0,0 +1,47 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4+ScTpL5qd+vnaI7nxWw8FwqtNulYJXU0+alaHpiZnG7MDci
+M27xf2LQHJWC63Kyashdaq3sQ52zy8KosJff6kYHpew0wLiSyfjZIfpCZZRNmLNS
+MIj7tzYHV9jHNTlpobZn1MO18TF1aqcdHRzR1NHtzYhR4fuqDL/yhK6RB4V2Gn+P
+935yixQq1fEyX2+TjCKx4tFLYkFv5Ap0z5N00oukBmZhPrxYgg8H/RWzGjVl5J/w
+DgosSWv3P2iSxPlE9kCS6pXhO1ZmhI9/TWUHmMEJFuVIarDeb0BECMfcw3VwO/Aq
+Q60+sQKIEq/1LnULIY8uSsRChCuxy8YqQSnmYQIDAQABAoIBAQC/S1L5kd4Ifj+H
+7nplm2ufF36xuf4kCSFRjjYicTjQDX+3hVAsJGCLMYLHu6jdwrWJdQ8VUVEVoPcf
+fxLiyVmn6YjZ+mB9tXFiIIUDRHMfmVFZcIz5OMMykyOu1cTCJKNKnzahHndHMuEA
+2a5SlbJ9FoqrEFbLftjLQwRr46zRxduoF2Znz/XhPMcoOsMoFuUIEtS3kmblW8Zr
+UzKkvT2GUb5b19WNIbK/1ZWnkYTh6nTQPNz8FYpNb7ZuS/UfNGP05r+ZbgzmSS8B
+Mwl2u2AqXEo15ULjEP8XQpmQXDbaOAjZHzF0nqx2Sw7iY9MfAarIekGLVRJ+LRwA
+mkT8TPuRAoGBAP+20Ah6SCJN4DpDLC/Zu/2rRanpxxyk1awseFlfNOPegAuM+Gic
+fHeUDYooHxZwbowAjyo4o36rnHJJi8ZniTHZG9ddy9U75TgVZK4Xr7MkmmOCpv1Q
+50BTxsnWir3pTspgWCZ8oXmyvNJV/hl0fGqFW3WxI41upMM6w3uSMdvnAoGBAOQl
+1dgXh+Qo8DhAaWmhmDLpcfWD2XB3rhZxQfbYCC+oyrQgpgyQpOEgmPKcjDrsToRK
+Ze08O3t5inrvyH41THhByDfV6pxZSGRPoBxr1ZMej6V50FFHctQbDqDhmBdlKpkx
+3ryGBrhUxjwklg915UwvZc1iewYdZxd0JeST+CJ3AoGBALbU9QU6uRyd5baClLNZ
+0InczaBhIBYg3Q2PdjUgV2adjZu0nV/ekzfESbIAYcnfdYrwU2xytqM4/FDSuPeQ
+y40ymC9yRu0dOBTTZvr6wIsrnp+LqO3xzIY34CgsF2MVz1nvbNeHwMSMwWj6RwXY
+PaTD2NLbZnoXJALany5ZJwD9AoGAVKqZ1my9GHX819NHi1TVx6cMjIFWsz8m0ttL
+EJERUKaCOyCWnrkbBxTyza48+Czz4nI9qzGcHXF4a7EKpZOgAkzfQaFYRJd5nwhR
+sdpu0v8XbeBr543tVjuITToLGDuJ+HoiX7IZUlTbkDw/mBM3efNpAzRV1WoZ9QE8
+grxK7HcCgYAT0dGsFd1RY+m/Ik/jTxRDSi7zLLtyZO8AsGsfqsm0b8GhTTlXzEmH
+kgp75/W058vjc7H1PY7FNr5neUn/Dtom2YtJRhANK/dhzh+RDSfFgbCX+VHTwh1a
+nb7F25+bEhlvfe5yLb+O6ZzbsL/EdJYg0BoHCgTI2bZJkzRtAzdHuA==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL
+BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN
+MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i
+0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2
+B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU
+KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr
+9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC
+iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB
+/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S
+Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo
+WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB
+vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93
+7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5
+cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA
++PqFqfsCDYU1
+-----END CERTIFICATE-----

modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem

@@ -0,0 +1,14 @@
+
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3
+O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv
+j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ
+Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB
+chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC
+ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq
+o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX
+IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv
+A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8
+6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I
+rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI=
+-----END DH PARAMETERS-----

modules/virtualization/microvm/netvm.nix

@@ -49,10 +49,16 @@
             dhcp-authoritative = true;
             domain = "ghaf";
             listen-address = ["127.0.0.1,192.168.100.1"];
-            dhcp-option = [
-              "option:router,192.168.100.1"
-              "6,192.168.100.1"
-            ];
+            # dhcp-option =
+            #  if config.ghaf.virtualization.microvm.idsvm.enable
+            #  then [
+            #    "option:router,192.168.100.3" # set IDS-VM as a default gw
+            #    "option:dns-server,192.168.100.1"
+            #  ]
+            #  else [
+            #    "option:router,192.168.100.1" # set NetVM as a default gw
+            #    "option:dns-server,192.168.100.1"
+            #  ];
             expand-hosts = true;
             domain-needed = true;
             bogus-priv = true;

overlays/custom-packages/default.nix

@@ -13,5 +13,6 @@ _: {
     (import ./qemu)
     (import ./nm-launcher)
     (import ./labwc)
+    (import ./mitmweb-ui)
   ];
 }

overlays/custom-packages/mitmweb-ui/default.nix

@@ -0,0 +1,5 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+(final: _prev: {
+  mitmweb-ui = final.callPackage ../../../packages/mitmweb-ui {};
+})

packages/mitmweb-ui/default.nix

@@ -0,0 +1,51 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  stdenvNoCC,
+  pkgs,
+  lib,
+  ...
+}: let
+  waypipePort = 1100; # TODO: remove hardcoded port number
+  nmLauncher =
+    pkgs.writeShellScript
+    "mitmweb-ui"
+    ''
+      # Create ssh-tunnel between chromium-vm and ids-vm
+      ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+          -o StrictHostKeyChecking=no \
+          -t ghaf@chromium-vm.ghaf \
+              ${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \
+              -f -N -L 8081:localhost:8081 ghaf@192.168.100.3
+      # TODO: check pipe creation failures
+
+      # Launch chromium application and open mitmweb page
+      ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm.ghaf \
+          ${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \
+          chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \
+          http://localhost:8081
+
+      # Use the control socket to close the ssh tunnel between chromium-vm and ids-vm
+      ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+          -o StrictHostKeyChecking=no \
+          -t ghaf@chromium-vm.ghaf \
+              ${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@192.168.100.3
+    '';
+in
+  stdenvNoCC.mkDerivation {
+    name = "mitmweb-ui";
+
+    phases = ["installPhase"];
+
+    installPhase = ''
+      mkdir -p $out/bin
+      cp ${nmLauncher} $out/bin/mitmweb-ui
+    '';
+
+    meta = with lib; {
+      description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication.";
+      platforms = [
+        "x86_64-linux"
+      ];
+    };
+  }

targets/generic-x86_64.nix

@@ -28,6 +28,10 @@
 
           # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD";
         };
+        services.dnsmasq.settings.dhcp-option = [
+          "option:router,192.168.100.1" # set net-vm as a default gw
+          "option:dns-server,192.168.100.1"
+        ];
       }
     ];
     hostConfiguration = lib.nixosSystem {