From a3b49a0e7e35fa5e4a23ad06f2ca8fe027df11dc Mon Sep 17 00:00:00 2001
From: CDaut
Date: Mon, 10 Nov 2025 23:05:33 +0100
Subject: [PATCH] fix wireguard

---
 configs/services/wg_server.nix | 57 +++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git a/configs/services/wg_server.nix b/configs/services/wg_server.nix
index 2a8294c..fbe775a 100644
--- a/configs/services/wg_server.nix
+++ b/configs/services/wg_server.nix
@@ -6,6 +6,8 @@ in {
 "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
 };
+
+ # set up secret key
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@@ -15,18 +17,65 @@ in {
 };
 networking = {
- firewall.allowedUDPPorts = [ wg_port ];
- firewall.rejectPackets = true;
- firewall.trustedInterfaces = [ "wg0" ];
+
+ interfaces.wg0.ipv4.routes = [
+ {
+ address = "10.8.0.0";
+ prefixLength = 16;
+ }
+ ];
+
+ # Enable NAT
+ nat = {
+ enable = true;
+ enableIPv6 = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+ # Open ports in the firewall
+ firewall = {
+ rejectPackets = true;
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 wg_port ];
+ };
 wg-quick.interfaces = {
 wg0 = {
 # Determines the IP address and subnet of the client's end of the tunnel interface.
- address = [ "10.8.1.1/16" ];
+ address = [ "10.8.0.1/32" ];
 listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 # Path to the private key file (see sops).
 privateKeyFile = "/run/secrets/private_key";
+
+ mtu = 1360;
+
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -t nat -I POSTROUTING 1 -s 10.8.0.1/16 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -I FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I INPUT 1 -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -I INPUT 1 -i eth0 -p udp --dport ${toString wg_port} -j ACCEPT
+ '';
+
+ # Undo the above
+ preDown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.0.1/16 -o eth0 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D INPUT -i eth0 -p udp --dport ${toString wg_port} -j ACCEPT
+ '';
+ peers = [
+ {
+ # Clara@nixpad
+ publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4=";
+ allowedIPs = [ "10.8.0.2/32" ];
+ }
+ ];
 };
 };
 };
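Review bot: The new `firewall` block opens DNS on every interface with `allowedTCPPorts = [ 53 ];` and `allowedUDPPorts = [ 53 wg_port ];`, so port 53 is now reachable from `eth0` (the internet side), whereas the removed `firewall.trustedInterfaces = [ "wg0" ];` only trusted the tunnel; if the resolver is meant for VPN clients this turns it into a publicly reachable resolver. Since `postUp` already inserts `INPUT -i wg0 -j ACCEPT`, the global port-53 entries are only effective on non-tunnel interfaces, so scoping them with `firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];` and `firewall.interfaces.wg0.allowedTCPPorts = [ 53 ];` keeps only `wg_port` world-reachable. The `postUp`/`preDown` pair is also asymmetric: `iptables -I FORWARD -i wg0 -j ACCEPT` has no `-D` counterpart in `preDown`, so that rule survives bringing the interface down, and the masquerade/forward rules presumably duplicate what the `nat` block with `internalInterfaces = [ "wg0" ]` already installs. The masquerade source `10.8.0.1/16` is presumably meant to be the network `10.8.0.0/16`, matching the `interfaces.wg0.ipv4.routes` entry. The enclosing top-level attribute set (`in {`) starts outside the hunk.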