Route all traffic through Wireguard

modules/networking.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 
-{
+let wireguard_port = "51902";
+
+in {
   # Set hostname, hostid and enable WiFi
   networking = {
     hostName = "panacea";
@@ -52,7 +54,11 @@
       Kind = "wireguard";
       Name = "wg0";
     };
-    wireguardConfig.PrivateKeyFile = config.age.secrets.wireguard.path;
+    wireguardConfig = {
+      ListenPort = wireguard_port;
+      PrivateKeyFile = config.age.secrets.wireguard.path;
+      FirewallMark = 34952;
+    };
     wireguardPeers = [{
       wireguardPeerConfig = {
         PublicKey = "GN8lqPBZYOulh6xD4GhkoEWI65HMMCpSxJSH5871YnU=";
@@ -63,11 +69,28 @@
   };
   systemd.network.networks."wg0" = {
     matchConfig.Name = "wg0";
+    linkConfig.ActivationPolicy = "manual";
     networkConfig = {
       Address = "10.8.0.2/32";
       DNS = "10.8.0.1";
+      DNSDefaultRoute = true;
+      Domains = "~.";
     };
-    routes = [{ routeConfig.Destination = "10.8.0.1"; }];
+    routingPolicyRules = [{
+      routingPolicyRuleConfig = {
+        FirewallMark = 34952;
+        InvertRule = true;
+        Table = 1000;
+        Priority = 10;
+      };
+    }];
+    routes = [{
+      routeConfig = {
+        Gateway = "10.8.0.1";
+        GatewayOnLink = true;
+        Table = 1000;
+      };
+    }];
   };
 
   # Firewall configuration
@@ -78,5 +101,14 @@
     allowedUDPPorts = [
       54982 # Calibre Wireless
     ];
+    # Allow wireguard traffic
+    extraCommands = ''
+      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN
+      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN
+    '';
+    extraStopCommands = ''
+      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${wireguard_port} -j RETURN || true
+      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${wireguard_port} -j RETURN || true
+    '';
   };
 }