From 5631d50db8d9aaa76dfaf8cfd3cc8b0f7f12d0a6 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sat, 7 Oct 2023 10:45:22 -0400
Subject: vpn routing

---
 modules/router.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/router.nix b/modules/router.nix
index 9de3700..61fe023 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -4,6 +4,7 @@ let
 cfg = config.orbekk.router;
 devices = ["eno1" "eno2"];
+ vpnMark = 3;
 mullvadMark = 2;
 heMark = 1;
@@ -94,6 +95,7 @@ let
 networking.iproute2.enable = true;
 networking.iproute2.rttablesExtraConfig = ''
+ ${toString vpnMark} vpn
 ${toString mullvadMark} mullvad
 ${toString heMark} he
 '';
@@ -107,10 +109,18 @@ let
 ip -6 rule add fwmark ${toString heMark} table he || true
 ip -6 route replace default dev he0 table he
+ ip rule add fwmark ${toString vpnMark} table vpn || true
+ ip -6 rule add fwmark ${toString vpnMark} table vpn || true
+ ip rule add fwmark ${toString mullvadMark} table mullvad || true
 ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true
+ ip route replace default dev mullvad table mullvad
 ip -6 route replace default dev mullvad table mullvad
+
+ ip route replace default dev mullvad table vpn
+ ip -6 route replace default dev mullvad table vpn
+
 ip -6 route flush cache
 ip route flush cache
 '';
@@ -322,6 +332,8 @@ in {
 age.secrets.dragon-wireguard-key.file = ./. + "/../secrets/dragon-wireguard-key.age";
 networking.wireguard.interfaces.wg-vpn = {
+ fwmark = "${toString vpnMark}";
+ table = "vpn";
 socketNamespace = "router";
 interfaceNamespace = "router";
 ips = [ "${vpnPrefix}::1/128" ];
-- 
cgit v1.2.3
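Review bot: Packets marked with vpnMark have no fail-closed path in the third hunk: `ip route replace default dev mullvad table vpn` installs a route that the kernel drops from the table whenever `mullvad` is down (and that does not exist before this script has run), and a fwmark rule whose table yields no match falls through to the next rule, i.e. the main table, so traffic meant for the tunnel would egress in the clear. Unless a firewall rule elsewhere in the file already blocks that, pin the table with a low-priority catch-all so a missing tunnel route rejects instead of leaking: `ip route replace unreachable default metric 1000 table vpn` and `ip -6 route replace unreachable default metric 1000 table vpn`. The new IPv4 `default dev mullvad table mullvad` line has the same gap. The shell script these lines belong to starts and ends outside the hunk.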
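Review bot: In the last hunk `table = "vpn"` and `fwmark = "${toString vpnMark}"` put wg-vpn's own routes and its encrypted transport packets into the same table that the routing script fills with `default dev mullvad`, so two writers now own table vpn. If the NixOS wireguard module installs AllowedIPs routes there (as its `table` option is documented to do) and any peer's AllowedIPs cover a default prefix, its `default dev wg-vpn` and the script's `ip route replace default dev mullvad table vpn` will overwrite each other depending on activation order, and marked transport packets could be steered back into wg-vpn. I cannot see the peers from this hunk, so this may be an intended wg-vpn-over-mullvad setup; if so, record the invariant next to these two lines, e.g. `# wg-vpn's encrypted traffic carries vpnMark and egresses via mullvad (table vpn); peers' AllowedIPs must not include a default prefix`, or give the transport packets a mark and table separate from the one used for payload routing. The wg-vpn attribute set continues past the end of the hunk.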