Commit 3dcc8b00fd90

Vincent Demeester <vincent@sbr.pm>
2018-10-18 19:01:08
firewall: wg0 is safe
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
main
1 parent 26588b9
Changed files (2)
modules
services
wireguard.client.nix
profiles
wireguard.server.nix
modules/services/wireguard.client.nix
@@ -51,6 +51,7 @@ in
   config = mkIf cfg.enable {
     boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
     environment.systemPackages = [ pkgs.wireguard ];
+    networking.firewall.trustedInterfaces = "wg0";
     networking.wireguard.interfaces = {
       wg0 = {
         ips = cfg.ips;
profiles/wireguard.server.nix
@@ -8,6 +8,7 @@
     iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
   '';
   networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.trustedInterfaces = "wg0";
   networking.wireguard.interfaces = with import ../assets/machines.nix; {
     "wg0" = {
       ips = wireguard.kerkouane.allowedIPs;