colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

wg-home: rewrite forwarding rules to avoid naming any interface

Browse Source
This commit is contained in:
Colin
2024-07-13 08:28:02 +00:00
parent 26004da704
commit 7c0e7cbb71
1 changed files with 4 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/modules/wg-home.nix
View File

@@ -101,22 +101,15 @@ in
in
mkClientPeers peer-list
;
} // (lib.optionalAttrs cfg.forwardToWan (let
# TODO: don't hardcode the interface, but rather some type of "default", or NAT to an IP address
iface = if config.networking.usePredictableInterfaceNames then
"ens1"
else
"eth0"
;
in {
} // (lib.optionalAttrs cfg.forwardToWan {
# documented here: <https://nixos.wiki/wiki/WireGuard#Server_setup_2>
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING --source ${cfg.ip}/24 --out-interface ${iface} -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING --source ${cfg.ip}/24 ! --destination ${cfg.ip}/24 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING --source ${cfg.ip}/24 --out-interface ${iface} -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING --source ${cfg.ip}/24 ! --destination ${cfg.ip}/24 -j MASQUERADE
'';
})));
}));
# plug into my VPN abstractions so that one may:
# - `sane-vpn up wg-home` to route all traffic through servo