From fad1bfd2df306e0a9f734ca3ae7d89b7a5d2ad61 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Mon, 8 Mar 2021 21:00:56 -0500
Subject: Routing for mullvad
---
 config/router.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'config')
diff --git a/config/router.nix b/config/router.nix
index ffffeed..a802886 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -3,6 +3,7 @@ let
 wan-dev = "eno1";
 lan-dev = "eno2";
 mullvadPort = config.orbekk.mullvad.listenPort;
+ mullvadMark = 30;
 in
 {
 orbekk.mullvad.enable = true;
@@ -52,6 +53,8 @@ in
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;
+ interface mullvad mark 30;
+
 interface lo ACCEPT;
 proto icmp ACCEPT;
@@ -190,6 +193,7 @@ in
 networking.iproute2.enable = true;
 networking.iproute2.rttablesExtraConfig = ''
 200 he
+ ${mullvadMark} mullvad
 '';
 networking.localCommands = ''
@@ -197,6 +201,9 @@ in
 ip -6 route flush cache
 ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
 ip -6 route flush cache
+
+ ip rule add fwmark ${toString mullvadMark} table mullvad
+ ip route add default dev mullvad table mullvad
 '';
 # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
-- cgit v1.2.3
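Review bot: In the `@@ -52,6 +53,8 @@` hunk the added ferm rule `interface mullvad mark 30;` names no target, and `mark` on its own reads as a match on the packet mark rather than an action that sets it. If the intent is to tag packets arriving on the mullvad interface for the new `fwmark` rule, ferm's MARK target is the usual form, e.g. `interface mullvad MARK set-mark ${toString mullvadMark};`. That only influences routing when it runs in the mangle table; which table and chain this line sits in is outside the hunk, so this needs confirming. The literal `30` also duplicates the `mullvadMark` binding from the first hunk, and interpolating it (assuming the ferm text is a Nix string) keeps the firewall mark and the `ip rule` from drifting apart.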
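Review bot: The added line `${mullvadMark} mullvad` in the `@@ -190,6 +193,7 @@` hunk interpolates an integer directly into a string, which Nix rejects at evaluation time with "cannot coerce an integer to a string", since `mullvadMark` is bound to `30` in the first hunk. The `ip rule` line in the last hunk already converts it, so the same form belongs here: `${toString mullvadMark} mullvad`. A short comment on the binding, such as `# fwmark value, also used as the rt_tables id for the mullvad table`, would document that one number serves both roles.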
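Review bot: The two added commands in the `@@ -197,6 +201,9 @@` hunk are not idempotent, unlike the `ip -6 route replace` just above them: a rerun of `networking.localCommands` either stacks a duplicate `fwmark` rule or errors with "File exists", and `ip route add` fails once the route is present. The route command also fails if the `mullvad` device does not exist yet when the script runs (ordering is not visible here), which leaves the table empty so marked packets fall through to the main table and leave via the WAN. Consider `ip rule del fwmark ${toString mullvadMark} table mullvad 2>/dev/null || true` before the add, `ip route replace default dev mullvad table mullvad`, and a high-metric `unreachable default` route in the same table as a fail-closed fallback. Only IPv4 is handled here, so marked IPv6 traffic is not steered by these rules.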