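{ pkgs, config, ... }:

let
  # Mullvad WireGuard relay this machine connects to.
  server_ip = "146.70.198.194";

  # Local WireGuard listen port. The same value is used as the packet mark
  # for WireGuard's own (already encapsulated) UDP traffic, see postUp.
  listen_port = 51820;
  fwmark = toString listen_port;

  iptables = "${pkgs.iptables}/bin/iptables";
  ip6tables = "${pkgs.iptables}/bin/ip6tables";

  # Kill-switch rule, shared by insertion (-I) and deletion (-D) so the two
  # can never drift apart: reject anything leaving on an interface other than
  # wg0 unless it is WireGuard's own marked traffic or is destined for an
  # address configured on this host (loopback and the host's own addresses).
  # The mark is written as a literal instead of "$(wg show wg0 fwmark)" so
  # that removing the rule does not depend on `wg show` succeeding; if that
  # lookup failed, the -D would not match and the host would stay fully
  # blocked after the tunnel went down.
  killswitch = ''
    OUTPUT ! -o wg0 \
      -m mark ! --mark ${fwmark} \
      -m addrtype ! --dst-type LOCAL \
      -j REJECT'';
in
{
  # Mullvad private key, decrypted by agenix; only its path is referenced below.
  age.secrets.mullvad.file = ../secrets/mullvad.age;

  # The tunnel is not started automatically (autostart = false), so provide
  # aliases for bringing it up and down by hand.
  environment.shellAliases = {
    mullvad-up = "systemctl start wg-quick-wg0.service";
    mullvad-down = "systemctl stop wg-quick-wg0.service";
  };

  networking.wg-quick.interfaces.wg0 = {
    autostart = false;

    # Addresses of this machine inside the tunnel network (IPv4 and IPv6).
    address = [ "10.70.139.192/32" "fc00:bbbb:bbbb:bb01::7:8bbf/128" ];

    # Fixed port so it can be matched by firewall allowedUDPPorts (without
    # this wg picks a random port).
    listenPort = listen_port;

    # Path to the decrypted private key file.
    privateKeyFile = config.age.secrets.mullvad.path;

    # NOTE(review): no `dns` is set here, so name resolution uses whatever
    # resolver the host already has; with the default routes below it is
    # reached through the tunnel unless it is a LOCAL address — confirm.
    peers = [
      {
        publicKey = "57Zu2qPzRScZWsoC2NhXgz0FiC0HiKkbEa559sbxB3k=";
        # Route all IPv4 *and* IPv6 through the tunnel. Without "::/0" the
        # IPv6 tunnel address above is never used, and the ip6tables
        # kill-switch rule then rejects every outbound IPv6 packet.
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        endpoint = "${server_ip}:51820";
        persistentKeepalive = 25;
      }
    ];

    # Fail-closed: once the tunnel is up, only wg0 traffic, WireGuard's own
    # marked packets and locally-destined traffic may leave the host.
    # wg-quick appears to assign a fwmark on its own as well; setting it
    # explicitly pins the value the rules below match on — TODO confirm.
    # -w waits for the xtables lock instead of failing if another iptables
    # invocation (e.g. the NixOS firewall) is running at the same time; a
    # failed postUp would otherwise make wg-quick tear the interface down.
    postUp = ''
      wg set wg0 fwmark ${fwmark}
      ${iptables} -w -I ${killswitch}
      ${ip6tables} -w -I ${killswitch}
    '';

    # Remove the rules before the interface disappears; they must match the
    # inserted rules exactly, which the shared `killswitch` spec guarantees.
    preDown = ''
      ${iptables} -w -D ${killswitch}
      ${ip6tables} -w -D ${killswitch}
    '';
  };
}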