fixed wireguard (don't know how)

2025-11-13 18:29:45 +01:00 · 2025-11-13 18:29:45 +01:00 · 3fd6838367
commit 3fd6838367
parent 83dbc8465f
1 changed files with 5 additions and 11 deletions
--- a/configs/services/wg_server.nix
+++ b/configs/services/wg_server.nix
@ -34,7 +34,6 @@ in {
    };
    # Open ports in the firewall
    firewall = {
      rejectPackets = true;
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 wg_port ];
    };
@ -53,21 +52,16 @@ in {
        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
        postUp = ''
-          ${pkgs.iptables}/bin/iptables -t nat -I POSTROUTING 1 -s 10.8.0.1/16 -o eth0 -j MASQUERADE
+          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -I FORWARD -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.0.1/16 -o eth0 -j MASQUERADE
-          ${pkgs.iptables}/bin/iptables -I INPUT 1 -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -I INPUT 1 -i eth0 -p udp --dport ${toString wg_port} -j ACCEPT
        '';
        # Undo the above
        preDown = ''
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.1/16 -o eth0 -j MASQUERADE
-          ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -j ACCEPT
+          ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -D INPUT -i eth0 -p udp --dport ${toString wg_port} -j ACCEPT
        '';
        peers = [
          {