From 3aab755e37cae018408c81ad6f8546a03bc4516b Mon Sep 17 00:00:00 2001
From: 0xWheatyz
Date: Wed, 15 Apr 2026 18:45:03 -0400
Subject: [PATCH] fix(wireguard): add endpoint host route and trust wg0 interface

Add postUp/preDown hooks to create a host route for the VPN endpoint via the real gateway, preventing a routing loop when allowedIPs is 0.0.0.0/0. Also add wg0 to firewall trustedInterfaces.

---
 configuration.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/configuration.nix b/configuration.nix
index 915eff0..bb07005 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -180,6 +180,13 @@
 dns = [ "10.0.1.65" ];
 privateKeyFile = "/etc/wireguard/private.key";
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip route add vpn.leeworks.dev via $(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $3}') dev $(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $5}')
+ '';
+ preDown = ''
+ ${pkgs.iproute2}/bin/ip route del vpn.leeworks.dev || true
+ '';
+
 peers = [{
 publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
 endpoint = "vpn.leeworks.dev:51820";
@@ -196,7 +203,7 @@
 # Open firewall for Tailscale
 networking.firewall = {
 checkReversePath = "loose";
- trustedInterfaces = [ "tailscale0" ];
+ trustedInterfaces = [ "tailscale0" "wg0" ];
 allowedUDPPorts = [ config.services.tailscale.port ];
 };
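Review bot: The gateway and device for the new host route in postUp come from two unquoted `$(ip route show default | awk ...)` substitutions, so when no default route exists yet (boot ordering) or more than one does (several uplinks, or per-metric entries) the expansion is empty or multi-word and `ip route add` fails, which wg-quick most likely turns into a failed interface start since it runs hooks with errexit. Capturing the first default route once, checking it, and quoting the values avoids both failure modes; the rewrite below does that. Separately, `ip route add vpn.leeworks.dev` and `ip route del vpn.leeworks.dev` each resolve the hostname at hook time, and preDown resolves it through the tunnel's DNS (`10.0.1.65`), so if the name resolves to a different address at teardown the `|| true` hides the miss and a host route for the old address stays behind, steering traffic for that destination around the tunnel; pinning the resolved address once, or writing the literal endpoint address, removes that gap. The enclosing interface attribute set and the peers block continue outside the hunk.
```nix
postUp = ''
  route=$(${pkgs.iproute2}/bin/ip -4 route show default | ${pkgs.coreutils}/bin/head -n 1)
  gw=$(echo "$route" | ${pkgs.gawk}/bin/awk '{print $3}')
  dev=$(echo "$route" | ${pkgs.gawk}/bin/awk '{print $5}')
  if [ -z "$gw" ] || [ -z "$dev" ]; then
    echo "wg0 postUp: no default route found; cannot pin endpoint route" >&2
    exit 1
  fi
  ${pkgs.iproute2}/bin/ip route add vpn.leeworks.dev via "$gw" dev "$dev"
'';
# … unchanged: preDown hook …
```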
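Review bot: Adding `"wg0"` to `trustedInterfaces` accepts every inbound TCP and UDP port from anything reachable over the tunnel, which with an `allowedIPs` of `0.0.0.0/0` (per the commit message) is the whole VPN side, not just the endpoint. Return traffic for connections this host opens through the tunnel is already accepted by connection tracking, so a plain full-tunnel client does not need this line at all; if specific services should be reachable from other VPN peers, the narrower form is `networking.firewall.interfaces.wg0.allowedTCPPorts = [ <ports-to-expose> ];`. The `# Open firewall for Tailscale` comment above the block now understates what it configures and should name wg0 if the change stays.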