diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 66fe87849..684fd1e94 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -101,22 +101,15 @@ in
 in mkClientPeers peer-list
 ;
- } // (lib.optionalAttrs cfg.forwardToWan (let
- # TODO: don't hardcode the interface, but rather some type of "default", or NAT to an IP address
- iface = if config.networking.usePredictableInterfaceNames then
- "ens1"
- else
- "eth0"
- ;
- in {
+ } // (lib.optionalAttrs cfg.forwardToWan {
 # documented here:
 postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING --source ${cfg.ip}/24 --out-interface ${iface} -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING --source ${cfg.ip}/24 ! --destination ${cfg.ip}/24 -j MASQUERADE
 '';
 postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING --source ${cfg.ip}/24 --out-interface ${iface} -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING --source ${cfg.ip}/24 ! --destination ${cfg.ip}/24 -j MASQUERADE
 '';
- })));
+ }));
 # plug into my VPN abstractions so that one may:
 # - `sane-vpn up wg-home` to route all traffic through servo
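Review bot: Dropping `--out-interface` in the new POSTROUTING rules widens the masquerade from one WAN interface to every interface on the host: any packet from `${cfg.ip}/24` not addressed to that subnet is now rewritten to the host's own address, including traffic leaving toward other LAN segments, bridges or tunnels the host is attached to, where downstream source-based firewall rules and logs will then see the host instead of the VPN client. The option name `forwardToWan` no longer describes that scope, so at minimum the change deserves a comment next to `postSetup`, e.g. `# no --out-interface: VPN clients are masqueraded toward every non-VPN destination, not only the WAN uplink`; if the intent really is WAN-only, keep an interface match derived from the default route rather than removing it. The `# documented here:` line above `postSetup` is dangling with no reference after it and should either get the link or be removed. The enclosing attrset continues outside the hunk, so I cannot see whether IP forwarding or a FORWARD-chain policy is configured alongside this NAT rule.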