-rw-r--r--machines/dragon.nix8
-rw-r--r--modules/router.nix15
2 files changed, 20 insertions, 3 deletions
diff --git a/machines/dragon.nix b/machines/dragon.nix
index d37ddd8..9174c15 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -48,6 +48,14 @@ in {
};
};
+ services.transmission = {
+ enable = true;
+ openPeerPorts = true;
+ openRPCPort = true;
+ settings.download-dir = "/storage/upload";
+ settings.peer-port = 51413;
+ };
+ systemd.services.transmission.serviceConfig.NetworkNamespacePath = "/var/run/netns/vpn";
# services.tailscale.enable = true;
# virtualisation.lxd.enable = true;
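Review bot: `openRPCPort = true` opens Transmission's RPC port on the host firewall, and the same commit adds a router rule accepting `th dport 9091` toward the vpnlan address, yet nothing here enables `settings.rpc-authentication-required` or narrows `settings.rpc-whitelist`, so the web UI/RPC would be reachable by anyone who can route to it should `rpc-bind-address` ever be widened from a loopback default. With the unit pinned into the vpn namespace by `NetworkNamespacePath`, the ports opened by `openPeerPorts`/`openRPCPort` are opened in the root namespace while the daemon's sockets live in the netns; presumably the netns has its own filtering, but that is worth confirming rather than relying on the host firewall. I would add `settings.rpc-authentication-required = true;` with the credentials supplied through `credentialsFile` rather than committed to the Nix store, and a comment above the `NetworkNamespacePath` line stating that the unit is expected to fail rather than start outside the namespace when `/var/run/netns/vpn` is absent (presumably what systemd does — confirm).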
diff --git a/modules/router.nix b/modules/router.nix
index 5eb8131..65b8ea7 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -79,6 +79,7 @@ let
};
networking.interfaces.vpnlan-vport = {
ipv4.addresses = [{address = "172.20.30.1"; prefixLength = 24;}];
+ ipv6.addresses = [{address = "2001:470:8e2e:30::1"; prefixLength = 64;}];
};
networking.sits.he0 = {
dev = "wan-vport";
@@ -107,7 +108,9 @@ let
ip -6 route flush cache
ip rule add fwmark ${toString mullvadMark} table mullvad || true
+ ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true
ip route replace default dev mullvad table mullvad
+ ip -6 route replace default dev mullvad table mullvad
ip route flush cache
'';
};
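Review bot: The new `ip -6 route replace default dev mullvad table mullvad` runs after the `ip -6 route flush cache` that opens the hunk, so the IPv6 flush no longer follows the change it is meant to clear, whereas the IPv4 flush on the last line does; move it so the order matches, i.e. replace the final `ip route flush cache` with `ip route flush cache` followed by `ip -6 route flush cache`. The `|| true` on the new `ip -6 rule add` masks EEXIST on re-runs but equally hides a genuine failure to install the rule, which for a VPN policy route is exactly the failure one wants to notice; checking for an existing rule first, or at least logging the status, would be safer. The script this hunk belongs to starts and ends outside the hunk, so whether the v6 rule is also removed on stop is not visible here.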
@@ -144,6 +147,8 @@ let
dhcp-range=tag:vpnlan-vport,172.20.30.10,172.20.30.254,5m
dhcp-option=tag:vpnlan-vport,option:router,172.20.30.1
dhcp-option=tag:vpnlan-vport,option:dns-server,193.138.218.74
+ dhcp-range=tag:vpnlan-vport,::2,::1000,constructor:vpnlan-vport,ra-only
+ dhcp-host=id:00:04:33:32:31:37:37:31:58:4d:32:35:31:37:30:30:4a:44,tag:vpnlan-vport,[::2]
'';
};
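Review bot: The IPv4 side of this block deliberately hands vpnlan clients a Mullvad resolver via `option:dns-server,193.138.218.74`, but the new IPv6 `dhcp-range` adds no `option6:dns-server` counterpart; dnsmasq presumably advertises itself as RDNSS in its router advertisements by default, so dual-stack clients that prefer the IPv6 resolver would resolve through the router rather than through the tunnel. Add the v6 equivalent, `dhcp-option=tag:vpnlan-vport,option6:dns-server,[<mullvad-v6-resolver>]`, or suppress RDNSS for this range if DNS is meant to stay on IPv4. Also, `ra-only` tells dnsmasq to send router advertisements without DHCPv6, so it is worth verifying that the static `dhcp-host=...,[::2]` on the next line is actually handed out in that mode — the router rule later in this commit that admits port 9091 to `2001:470:8e2e:30::2` depends on that host holding the address.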
@@ -205,6 +210,7 @@ let
oifname wan-vport counter accept
oifname mullvad counter accept
+ ip6 daddr 2001:470:8e2e:30::2 th dport 9091 counter accept;
oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
iifname lan-vport oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
iifname servers-vport counter accept
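Review bot: The new `ip6 daddr 2001:470:8e2e:30::2 th dport 9091 counter accept;` carries no `iifname` or source restriction and no `meta l4proto`, so any packet reaching this chain for that address on port 9091, TCP or UDP, is accepted; if this is the forward chain fed by `wan-vport`/`he0`, as the surrounding `oifname wan-vport` rules suggest, that exposes what looks like the Transmission RPC port to the whole IPv6 internet. Restrict it to the interface the clients actually use and to TCP: `iifname lan-vport ip6 daddr 2001:470:8e2e:30::2 tcp dport 9091 counter accept`. The trailing `;` is also out of step with the other rules in this chain. The chain header is outside the hunk, so the hook this rule runs in is inferred, not seen.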
@@ -218,19 +224,22 @@ let
type filter hook prerouting priority -150
# ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
- iifname vpnlan-vport meta mark set ${toString mullvadMark}
+ meta nfproto ipv4 iifname vpnlan-vport meta mark set ${toString mullvadMark}
+ ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/60 iifname vpnlan-vport meta mark set ${toString mullvadMark}
}
}
- table ip nat {
+ table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept
- iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
+ meta nfproto ipv4 iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
}
chain postrouting {
type nat hook postrouting priority 100; policy accept
ip saddr 172.16.0.0/12 oifname {"wan-vport"} masquerade
ip saddr 172.16.0.0/12 oifname {"mullvad"} masquerade
+ # Nat66 on VPN :(
+ meta nfproto ipv6 oifname {"mullvad"} masquerade
}
}
'';
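Review bot: The new mark rule excludes `fe80::/60` while the line above it uses `fe80::/64`; since every link-local address lies inside fe80::/64 the wider mask changes nothing in practice, but it reads as a typo, so use `fe80::/64` in both. More importantly, with this rule every other IPv6 destination from vpnlan is sent to the `mullvad` table, and nothing in this hunk shows that table failing closed: if the tunnel is down and the v6 default route installed by the earlier hunk is gone, a plain fwmark rule falls through to the main table and vpnlan traffic would leave via the HE tunnel unencrypted — an `unreachable` default in the mullvad table, or a v6 counterpart of whatever the IPv4 side already does, is worth confirming. The `# Nat66 on VPN :(` comment would help the next reader more if it named the constraint that forces it (presumably the tunnel offers no routable prefix for vpnlan), e.g. `# NAT66: vpnlan's global prefix is not routable through the tunnel, so masquerade behind the tunnel address`. The table these rules sit in is closed inside the hunk, but the `let` block and the chains above it begin outside it.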