From 12a8e4256267692bcd56f3e69e3d8aa18282942b Mon Sep 17 00:00:00 2001
From: Dmitriy Holkin
Date: Wed, 23 Oct 2019 19:31:32 +0400
Subject: [PATCH] fix wireguard

---
 modules/wireguard.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 3f2afb2..444ea71 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -13,7 +13,7 @@ in {
     after = [ "network.target" "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
     environment.DEVICE = "wg0";
-    path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables ];
+    path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
     serviceConfig = {
       Type = "oneshot";
@@ -26,15 +26,19 @@ in {
     '';
     postStart = lib.mkIf cfg.killswitch ''
-      iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
+      iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
       ${lib.strings.optionalString (config.virtualisation.docker.enable) "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"}
     '';
     preStop = ''
-      ${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -D OUTPUT -s 192.168.0.0/24"}
+      ${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -D OUTPUT -s 192.168.0.0/24"}
       ${lib.strings.optionalString (cfg.killswitch && config.virtualisation.docker.enable) "iptables -D OUTPUT -s 172.17.0.0/16"}
       wg-quick down /root/wg0.conf
     '';
+
+    postStop = ''
+      ip link delete wg0
+    '';
   };
 
   # systemd.services."iptables-docker" = lib.mkIf (config.virtualisation.docker.enable) {
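Review bot: The exemption on the new postStart line, `iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT`, matches on the packet's source address and is inserted above the REJECT rule, so if the host's own LAN address lies in 192.168.0.0/24 every locally generated packet leaving the physical interface carries that source and skips the killswitch entirely; a LAN exemption presumably wants `-d 192.168.0.0/24`, which only lets traffic destined for the LAN through. Independently, the preStop delete `iptables -D OUTPUT -s 192.168.0.0/24` omits `-j ACCEPT`, and `iptables -D` needs the full rule specification including the target, so it does not find the rule, the ACCEPT stays behind after the unit stops, and every restart inserts another copy; the docker line `iptables -D OUTPUT -s 172.17.0.0/16` has the same omission. Writing the delete as `iptables -D OUTPUT -d 192.168.0.0/24 -j ACCEPT` (and the docker one as `iptables -D OUTPUT -d 172.17.0.0/16 -j ACCEPT`) keeps insert and delete symmetric. Guarding each insert with a check, `iptables -C OUTPUT … || iptables -I OUTPUT …`, would also make postStart idempotent across restarts. The enclosing systemd.services attribute set starts above the hunk.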