{ pkgs, ... }: { networking.useDHCP = false; networking.bridges = { "br0" = { interfaces = [ "eno2" "enp23s0" ]; }; }; networking.interfaces.br0.ipv4.addresses = [ { address = "192.168.0.42"; prefixLength = 22; } ]; networking.defaultGateway = "192.168.0.1"; networking.nameservers = [ "192.168.0.1" ]; networking.firewall.enable = false; networking.wireguard.interfaces = { wg0 = { ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ]; privateKeyFile = "/run/secrets/services/wireguard/airvpn.private"; allowedIPsAsRoutes = false; peers = [ { publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk="; presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk"; allowedIPs = [ "0.0.0.0/0" ]; endpoint = "134.19.179.213:1637"; persistentKeepalive = 25; } ]; postSetup = [ # Force traffic from container networks through wg0 "ip route add table 2 default dev wg0" "ip rule add from 192.168.100.0/24 table 2" "ip rule add from 192.168.5.0/24 table 2" # NAT "${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE" # Port forwarding "${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506" ]; }; }; systemd.services.wireguard-wg0.preStop = [ # Force traffic from container networks through wg0 "ip rule del from 192.168.100.0/24 table 2" "ip rule del from 192.168.5.0/24 table 2" "ip route del table 2 default dev wg0" # NAT "${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" # Port forwarding "${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506" ]; }