NixOs WIREGUARD full traffic forwarding config

wireguard.nix

{ config, pkgs, ... }:

let
  secrets = import /opt/nix/secrets.nix;
  externalInterface = "enp2s0";
  internalInterface = "wg0";
  externalPort = 51820;
  externalNetMask = "10.200.200.1/24";
in
{
  # enable NAT
  networking.nat.enable = true;
  networking.nat.externalInterface = externalInterface;
  networking.nat.internalInterfaces = [ internalInterface ];
  networking.firewall = {
    allowedUDPPorts = [ externalPort ];
  };

  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ externalNetMask ];

      listenPort = externalPort;

      privateKey = "${secrets.wireguard.servers.wg.privateKey}";

      postSetup = ''
        /run/current-system/sw/bin/iptables -A FORWARD -i ${internalInterface} -j ACCEPT
        /run/current-system/sw/bin/iptables -A FORWARD -o ${internalInterface} -j ACCEPT
        /run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${externalInterface} -j MASQUERADE
      '';

      postShutdown = ''
        /run/current-system/sw/bin/iptables -D FORWARD -i ${internalInterface} -j ACCEPT
        /run/current-system/sw/bin/iptables -D FORWARD -o ${internalInterface} -j ACCEPT
        /run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${externalInterface} -j MASQUERADE
      '';

      peers = [
        {
          publicKey = "${secrets.wireguard.clients.phone.publicKey}";
          allowedIPs = [ "10.200.200.2/32" ];
        }
      ];
    };
  };
}