AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix wireguard

Browse Source
This commit is contained in:
Dmitriy Holkin 2019-10-23 19:31:32 +04:00
parent af0a69f624
commit 12a8e42562
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/wireguard.nix
View File

@ -13,7 +13,7 @@ in {
after = [ "network.target" "network-online.target" ]; after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment.DEVICE = "wg0"; environment.DEVICE = "wg0";
path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables ]; path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables pkgs.iproute ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -26,15 +26,19 @@ in {
''; '';
postStart = lib.mkIf cfg.killswitch '' postStart = lib.mkIf cfg.killswitch ''
iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
${lib.strings.optionalString (config.virtualisation.docker.enable) "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"} ${lib.strings.optionalString (config.virtualisation.docker.enable) "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"}
''; '';
preStop = '' preStop = ''
${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -D OUTPUT -s 192.168.0.0/24"} ${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && iptables -D OUTPUT -s 192.168.0.0/24"}
${lib.strings.optionalString (cfg.killswitch && config.virtualisation.docker.enable) "iptables -D OUTPUT -s 172.17.0.0/16"} ${lib.strings.optionalString (cfg.killswitch && config.virtualisation.docker.enable) "iptables -D OUTPUT -s 172.17.0.0/16"}
wg-quick down /root/wg0.conf wg-quick down /root/wg0.conf
''; '';
postStop = ''
ip link delete wg0
'';
}; };
# systemd.services."iptables-docker" = lib.mkIf (config.virtualisation.docker.enable) { # systemd.services."iptables-docker" = lib.mkIf (config.virtualisation.docker.enable) {