From c9949fe7273ee6bb107a0389ca32b6b64087154d Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sun, 23 Apr 2023 09:46:21 -0400
Subject: fix

---
 modules/router.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'modules/router.nix')

diff --git a/modules/router.nix b/modules/router.nix
index 63eaa37..836f037 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -105,12 +105,12 @@ let
  script = ''
  ip -6 rule add fwmark ${toString heMark} table he || true
  ip -6 route replace default dev he0 table he
- ip -6 route flush cache
  ip rule add fwmark ${toString mullvadMark} table mullvad || true
  ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true
  ip route replace default dev mullvad table mullvad
  ip -6 route replace default dev mullvad table mullvad
+ ip -6 route flush cache
  ip route flush cache
  '';
  };
@@ -208,6 +208,8 @@ let
  ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
  ct state vmap { established : accept, related : accept, invalid : drop }
+ # Don't allow accidental vpn forwarding to wan.
+ iifname vpnlan-vport oifname wan-vport counter deny
  oifname he0 counter accept
  oifname wan-vport counter accept
  oifname mullvad counter accept
--
cgit v1.2.3
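Review bot: Every `ip rule add` in this script still carries a blanket `|| true`, so any failure to install a fwmark policy rule (not only the duplicate-rule case the guard is meant for) is silenced and the unit reports success while marked traffic falls through to the main table; moving `ip -6 route flush cache` below the mullvad routes does not change that. Gate the add on the rule's presence instead of swallowing every error, e.g. `ip -6 rule list fwmark ${toString heMark} table he | grep -q . || ip -6 rule add fwmark ${toString heMark} table he`, and do the same for the two mullvad rules, so a real netlink failure aborts the script visibly. The `let` binding that holds this script starts outside the hunk.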
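Review bot: `deny` is not an nftables verdict (the verdict statements are `accept`, `drop`, `reject`, `continue`, `return`, `jump`, `goto` and `queue`), so the added `iifname vpnlan-vport oifname wan-vport counter deny` line makes `nft -f` reject the ruleset as a syntax error and, depending on how this module loads it, the forward chain may not be installed at all. Change the line to `iifname vpnlan-vport oifname wan-vport log prefix "vpnlan-to-wan " counter drop` (or `reject` if the LAN side should see an error), which also leaves a log record of any leak attempt. Because the `ct state vmap` line above it accepts established flows first, the rule only affects new flows, which is the intended behaviour and is worth stating in the comment. If the NixOS version in use has the build-time ruleset check (`networking.nftables.checkRuleset`), enabling it would catch this class of error before deployment. The chain and the surrounding Nix string continue outside the hunk.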