@Gonzih
Last active February 1, 2020 16:33
NixOS WireGuard full-traffic forwarding config
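{ config, pkgs, ... }:
let
  # Out-of-tree secrets. Anything read from here and placed into a NixOS option
  # value is written into the Nix store as part of the built system (see the
  # privateKey note below).
  secrets = import /opt/nix/secrets.nix;
  # Uplink that forwarded tunnel traffic leaves through.
  externalInterface = "enp2s0";
  # WireGuard tunnel interface; the name is used both for the interface
  # definition and for every iptables rule below, so it is defined once.
  internalInterface = "wg0";
  # UDP port WireGuard listens on; also the only port opened in the firewall.
  externalPort = 51820;
  # This host's address on the tunnel together with the tunnel prefix length
  # (renamed from externalNetMask: it is the tunnel address, not the uplink's).
  wgAddress = "10.200.200.1/24";
  # Reference the iptables binary from the package set rather than via
  # /run/current-system/sw/bin, which only contains it if iptables happens to be
  # part of the system profile.
  iptables = "${pkgs.iptables}/bin/iptables";
in
{
  # Enable NAT: traffic arriving on the tunnel is masqueraded out the uplink.
  networking.nat.enable = true;
  networking.nat.externalInterface = externalInterface;
  networking.nat.internalInterfaces = [ internalInterface ];

  # Only the WireGuard port is opened; everything else keeps the firewall default.
  networking.firewall.allowedUDPPorts = [ externalPort ];

  networking.wireguard.interfaces.${internalInterface} = {
    ips = [ wgAddress ];
    listenPort = externalPort;

    # SECURITY: a literal privateKey is embedded in the evaluated configuration
    # and therefore lands in /nix/store, which is readable by every local user.
    # Prefer `privateKeyFile = "<path-to-root-only-key-file>";` so the key never
    # enters the store.
    privateKey = secrets.wireguard.servers.wg.privateKey;

    # Accept forwarded traffic in both directions on the tunnel and masquerade
    # it on the uplink. NOTE(review): networking.nat with internalInterfaces
    # may already install an equivalent MASQUERADE rule, so the nat rule here
    # could be redundant; confirm on the running system before removing it.
    # The MASQUERADE rule is not scoped with -s, so it applies to all traffic
    # leaving ${externalInterface}, not just the tunnel subnet.
    postSetup = ''
      ${iptables} -A FORWARD -i ${internalInterface} -j ACCEPT
      ${iptables} -A FORWARD -o ${internalInterface} -j ACCEPT
      ${iptables} -t nat -A POSTROUTING -o ${externalInterface} -j MASQUERADE
    '';

    # Mirror of postSetup: remove exactly the rules added above so repeated
    # up/down cycles do not accumulate duplicate rules.
    postShutdown = ''
      ${iptables} -D FORWARD -i ${internalInterface} -j ACCEPT
      ${iptables} -D FORWARD -o ${internalInterface} -j ACCEPT
      ${iptables} -t nat -D POSTROUTING -o ${externalInterface} -j MASQUERADE
    '';

    # Each peer is pinned to a single /32 so it cannot claim other tunnel
    # addresses; add one entry per client.
    peers = [
      {
        publicKey = secrets.wireguard.clients.phone.publicKey;
        allowedIPs = [ "10.200.200.2/32" ];
      }
    ];
  };
}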