From 14b49443f8db9bd968f52ad838d878d89d890945 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 19 Jan 2023 13:08:12 +0100
Subject: [PATCH] working wireguard including forwarding
---
 nixos/machines/pepe/hass.nix | 1 -
 nixos/machines/pepe/wireguard.nix | 4 +++-
 nixos/machines/robi/wireguard.nix | 15 +++++++--------
 nixos/machines/sterni/wireguard.nix | 4 +++-
 4 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/nixos/machines/pepe/hass.nix b/nixos/machines/pepe/hass.nix
index f7e9913..df28c65 100644
--- a/nixos/machines/pepe/hass.nix
+++ b/nixos/machines/pepe/hass.nix
@@ -13,7 +13,6 @@
 backup.dirs = [ "/var/lib/home-assistant" ];
- networking.firewall.allowedTCPPorts = [ 8123 ];
 networking.firewall.allowedUDPPorts = [ 8123 ];
diff --git a/nixos/machines/pepe/wireguard.nix b/nixos/machines/pepe/wireguard.nix
index 96cbad7..982f8ec 100644
--- a/nixos/machines/pepe/wireguard.nix
+++ b/nixos/machines/pepe/wireguard.nix
@@ -13,12 +13,14 @@
 address = [ "10.100.0.2/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 privateKeyFile = config.sops.secrets.wireguard_private.path;
+ mtu = 1280;
+ # server
 peers = [
 { # robi
 publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
- allowedIPs = [ "10.100.0.1/32" ];
+ allowedIPs = [ "10.100.0.1/24" ];
 endpoint = "ingolf-wagner.de:51820";
 persistentKeepalive = 25;
 }
diff --git a/nixos/machines/robi/wireguard.nix b/nixos/machines/robi/wireguard.nix
index e2523d0..9c6f2c7 100644
--- a/nixos/machines/robi/wireguard.nix
+++ b/nixos/machines/robi/wireguard.nix
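Review bot: `allowedIPs = [ "10.100.0.1/24" ]` on the robi peer has host bits set in the prefix; as far as I know WireGuard and the route wg-quick installs normalize it to the network address, so writing `allowedIPs = [ "10.100.0.0/24" ];` states what is meant and stops a reader from taking it for a single-host entry. The widening also routes every 10.100.0.0/24 destination from pepe, including the other clients, through robi, which only works if robi forwards between peers and has IP forwarding enabled, so a comment such as `# whole VPN subnet via robi, which forwards between clients` next to the value would record that dependency. The same line appears in the sterni hunk (nixos/machines/sterni/wireguard.nix) and should get the same treatment. The enclosing interface attribute set starts and ends outside this hunk.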
@@ -13,15 +13,14 @@
 address = [ "10.100.0.1/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 privateKeyFile = config.sops.secrets.wireguard_private.path;
+ mtu = 1280;
- #postUp = ''
- # ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- # ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- #'';
- #postDown = ''
- # ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- # ${pkgs.iptables}/bin/iptables -D INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- #'';
+ postUp = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ '';
+ postDown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ '';
 # clients
 peers = [
diff --git a/nixos/machines/sterni/wireguard.nix b/nixos/machines/sterni/wireguard.nix
index cb1615f..682651d 100644
--- a/nixos/machines/sterni/wireguard.nix
+++ b/nixos/machines/sterni/wireguard.nix
@@ -11,11 +11,13 @@
 address = [ "10.100.0.3/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 privateKeyFile = config.sops.secrets.wireguard_private.path;
+ mtu = 1280;
+
 peers = [
 { # robi
 publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
- allowedIPs = [ "10.100.0.1/32" ];
+ allowedIPs = [ "10.100.0.1/24" ];
 endpoint = "ingolf-wagner.de:51820";
 }
 ];
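Review bot: The new `iptables -A FORWARD -i wg0 -j ACCEPT` in postUp accepts anything arriving on wg0 for forwarding to any interface, not only back out to wg0, so unless the FORWARD chain is restricted elsewhere the clients can reach whatever robi routes to on its other interfaces, which is broader than the inter-client forwarding the /24 allowedIPs in the pepe and sterni hunks call for. Restricting both rules to the tunnel, `iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT` in postUp and the matching `iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT` in postDown, keeps the policy to traffic between peers; if reaching robi's other networks is intended, a comment saying so would make that explicit. Forwarding also needs `net.ipv4.ip_forward` enabled, which this hunk does not set and which may be configured elsewhere. The postUp rule is appended with `-A` every time the interface comes up, so a failed postDown leaves duplicate rules; guarding it with `iptables -C FORWARD -i wg0 -o wg0 -j ACCEPT || iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT` would make it idempotent. The enclosing interface attribute set continues outside this hunk.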