fix(wireguard): add endpoint host route and trust wg0 interface

Add postUp/preDown hooks to create a host route for the VPN endpoint
via the real gateway, preventing a routing loop when allowedIPs is
0.0.0.0/0. Also add wg0 to firewall trustedInterfaces.
2026-04-15 18:45:03 -04:00
parent 6e361b197c
commit 3aab755e37
+8 -1
@@ -180,6 +180,13 @@
dns = [ "10.0.1.65" ]; dns = [ "10.0.1.65" ];
privateKeyFile = "/etc/wireguard/private.key"; privateKeyFile = "/etc/wireguard/private.key";
postUp = ''
${pkgs.iproute2}/bin/ip route add vpn.leeworks.dev via $(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $3}') dev $(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $5}')
'';
preDown = ''
${pkgs.iproute2}/bin/ip route del vpn.leeworks.dev || true
'';
peers = [{ peers = [{
publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc="; publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
endpoint = "vpn.leeworks.dev:51820"; endpoint = "vpn.leeworks.dev:51820";
@@ -196,7 +203,7 @@
# Open firewall for Tailscale # Open firewall for Tailscale
networking.firewall = { networking.firewall = {
checkReversePath = "loose"; checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" "wg0" ];
allowedUDPPorts = [ config.services.tailscale.port ]; allowedUDPPorts = [ config.services.tailscale.port ];
}; };
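Review bot: The postUp hook on line 16 derives the gateway and device by piping `ip route show default` through `awk '{print $3}'` and `awk '{print $5}'`, which expands to several words when more than one default route is present (e.g. a second uplink), to an empty string when none is, and to the wrong fields for a default route without a `via` (point-to-point links); in each case the `ip route add` fails or installs a wrong route and the interface comes up without the host route this change exists to add. Taking only the first line (`${pkgs.iproute2}/bin/ip route show default | ${pkgs.coreutils}/bin/head -n1`) and making the hook fail explicitly when the extracted gateway is empty would turn a silent misconfiguration into a visible activation error. The route is also keyed on the hostname `vpn.leeworks.dev`, resolved at hook time, so if it later resolves to an address other than the one WireGuard picked for the endpoint the exemption no longer matches; resolving once into a shell variable and using that address for the route would avoid the mismatch, though this is inferred since the peer block is cut off after line 23. In the second hunk, adding `"wg0"` to `trustedInterfaces` exempts all inbound traffic on the tunnel from the firewall, which with allowedIPs 0.0.0.0/0 means anything reachable through the remote network is trusted; if only the peer needs to reach this host, an interface-scoped port rule on wg0 would be a narrower alternative.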