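# WireGuard "groceries" VPN server: a wg-quick interface fronted by udp2raw
# (so clients on networks that block UDP can still reach it over a fake-TCP
# stream), NAT to the upstream interface, and dnsmasq serving DNS on the tunnel.
{ pkgs, config, ... }:
let
  interface = "wg0";
  # WireGuard's real UDP listener. It is also opened to the world in the
  # firewall below, so clients may connect directly or through udp2raw.
  listenPort = 51821;
  # Public TCP port udp2raw listens on and unwraps to listenPort.
  tcpPort = 82;
  # Upstream interface used by networking.nat and by the MASQUERADE rules.
  externalInterface = "eth0";
  # This host's tunnel address/prefix. The same strings are the source match
  # of the MASQUERADE rules, so they are defined once and reused.
  ipv4Address = "10.0.0.1/24";
  ipv6Address = "fdc9:281f:04d7:9ee9::1/64";
  iptables = "${pkgs.iptables}/bin/iptables";
  ip6tables = "${pkgs.iptables}/bin/ip6tables";
  # Forward/masquerade rules for the tunnel, parameterised by the iptables
  # action ("-A" to install, "-D" to remove) so postUp and preDown cannot drift.
  # The interface name comes from `interface` rather than a literal "wg0".
  # NOTE: networking.nat below already masquerades `interface` out of
  # `externalInterface`; these rules overlap with it and are kept only to
  # preserve the existing behaviour.
  natRules = action: ''
    ${iptables} ${action} FORWARD -i ${interface} -j ACCEPT
    ${iptables} -t nat ${action} POSTROUTING -s ${ipv4Address} -o ${externalInterface} -j MASQUERADE
    ${ip6tables} ${action} FORWARD -i ${interface} -j ACCEPT
    ${ip6tables} -t nat ${action} POSTROUTING -s ${ipv6Address} -o ${externalInterface} -j MASQUERADE
  '';
in
{
  systemd.services."udp2raw-${interface}" = {
    after = [ "network.target" ];
    before = [ "wg-quick-${interface}.service" ];
    wantedBy = [ "wg-quick-${interface}.service" ];
    serviceConfig = {
      # -s: server mode; -l: public fake-TCP listener on every address;
      # -r: where unwrapped UDP is delivered (the local WireGuard port);
      # -a: let udp2raw add the iptables rule it needs (per its docs, to keep
      # the kernel from answering the fake TCP stream itself).
      # No -k is given, so udp2raw runs with its built-in default key: the
      # obfuscation layer authenticates nothing on its own, and WireGuard's
      # handshake is the only peer authentication on this path.
      ExecStart = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:${builtins.toString tcpPort} -r 127.0.0.1:${builtins.toString listenPort} -a";
      # wg-quick only orders itself after this unit; without a restart policy
      # a crashed udp2raw would leave the TCP path silently dead.
      Restart = "on-failure";
    };
  };

  services.dnsmasq = {
    enable = true;
    # Serve DNS on the tunnel interface only; the per-interface firewall rule
    # below is what actually exposes port 53 to VPN clients.
    settings = { inherit interface; };
  };

  networking = {
    nat = {
      enable = true;
      inherit externalInterface;
      internalInterfaces = [ interface ];
      enableIPv6 = true;
    };

    firewall = {
      # Both entry points are public: native WireGuard UDP and the udp2raw TCP port.
      allowedUDPPorts = [ listenPort ];
      allowedTCPPorts = [ tcpPort ];
      # DNS is reachable from inside the tunnel only.
      interfaces.${interface} = {
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };

    wg-quick.interfaces = {
      ${interface} = {
        address = [ ipv4Address ipv6Address ];
        inherit listenPort;
        # Private key is provisioned by agenix, never stored in the Nix store.
        privateKeyFile = config.age.secrets.wg-groceries.path;
        postUp = natRules "-A";
        preDown = natRules "-D";
        peers = [
          {
            publicKey = "mX5cMCXQbnovPOHDFdcV3egG3u9Xd3sci+mqUhFSz1Q=";
            allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
          }
          {
            publicKey = "Hkk76wQQ3dYY31GYUSHMIOBgiKDPqm00cKBLMzwTO1s=";
            allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
          }
        ];
      };
    };
  };
}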