fix(wireguard): exclude local 10.0.0.0/24 from tunnel to preserve LAN access

Replace 0.0.0.0/0 allowedIPs with CIDR blocks covering everything except 10.0.0.0/24, which conflicts with the building's local network. Also switch endpoint back to hostname and remove unused tailscale service block.
2026-04-20 19:50:44 -04:00
parent c371552dfd
commit d83b03bbd8
1 changed files with 28 additions and 6 deletions
@@ -182,16 +182,38 @@

    peers = [{
      publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
-      endpoint = "69.48.243.22:51820";
-      allowedIPs = [ "0.0.0.0/0" ];
+      endpoint = "vpn.leeworks.dev:51820";
+      # Route all traffic through VPN EXCEPT the local 10.0.0.0/24 network
+      allowedIPs = [
+        "0.0.0.0/5"
+        "8.0.0.0/7"
+        "10.0.1.0/24"
+        "10.0.2.0/23"
+        "10.0.4.0/22"
+        "10.0.8.0/21"
+        "10.0.16.0/20"
+        "10.0.32.0/19"
+        "10.0.64.0/18"
+        "10.0.128.0/17"
+        "10.1.0.0/16"
+        "10.2.0.0/15"
+        "10.4.0.0/14"
+        "10.8.0.0/13"
+        "10.16.0.0/12"
+        "10.32.0.0/11"
+        "10.64.0.0/10"
+        "10.128.0.0/9"
+        "11.0.0.0/8"
+        "12.0.0.0/6"
+        "16.0.0.0/4"
+        "32.0.0.0/3"
+        "64.0.0.0/2"
+        "128.0.0.0/1"
+      ];
      persistentKeepalive = 25;
    }];
  };

-  services.tailscale = {
-    enable = true;
-    useRoutingFeatures = "client";  # or "both" for subnet routing
-  };

  # Open firewall for Tailscale
  networking.firewall = {