zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

restore port option

Browse Source
This commit is contained in:
Zuckerberg
2026-02-26 00:16:39 -08:00
parent 6466406975
commit 3365a1652c
2 changed files with 17 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
common/network/pia-vpn/default.nix
View File

@@ -51,6 +51,15 @@ let
receiveForwardedPort = mkOption { receiveForwardedPort = mkOption {
type = types.nullOr (types.submodule { type = types.nullOr (types.submodule {
options = { options = {
port = mkOption {
type = types.nullOr types.port;
default = null;
description = ''
Target port to forward to. If null, forwards to the same PIA-assigned port.
PIA-assigned ports below 1000 are rejected to avoid accidentally
forwarding traffic to privileged services.
'';
};
protocol = mkOption { protocol = mkOption {
type = types.enum [ "tcp" "udp" "both" ]; type = types.enum [ "tcp" "udp" "both" ];
default = "both"; default = "both";

14
common/network/pia-vpn/vpn-container.nix
View File

@@ -24,15 +24,17 @@ let
let let
fwd = forwardingContainer.receiveForwardedPort; fwd = forwardingContainer.receiveForwardedPort;
targetIp = forwardingContainer.ip; targetIp = forwardingContainer.ip;
dnatTarget = if fwd.port != null then "${targetIp}:${toString fwd.port}" else targetIp;
targetPort = if fwd.port != null then toString fwd.port else "$PORT";
tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") '' tcpRules = optionalString (fwd.protocol == "tcp" || fwd.protocol == "both") ''
echo "Setting up TCP DNAT: port $PORT ${targetIp}:$PORT" echo "Setting up TCP DNAT: port $PORT ${targetIp}:${targetPort}"
iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${targetIp} iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p tcp --dport $PORT -j DNAT --to ${dnatTarget}
iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport $PORT -j ACCEPT iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p tcp --dport ${targetPort} -j ACCEPT
''; '';
udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") '' udpRules = optionalString (fwd.protocol == "udp" || fwd.protocol == "both") ''
echo "Setting up UDP DNAT: port $PORT ${targetIp}:$PORT" echo "Setting up UDP DNAT: port $PORT ${targetIp}:${targetPort}"
iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${targetIp} iptables -t nat -A PREROUTING -i ${cfg.interfaceName} -p udp --dport $PORT -j DNAT --to ${dnatTarget}
iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport $PORT -j ACCEPT iptables -A FORWARD -i ${cfg.interfaceName} -d ${targetIp} -p udp --dport ${targetPort} -j ACCEPT
''; '';
onPortForwarded = optionalString (forwardingContainer.onPortForwarded != null) '' onPortForwarded = optionalString (forwardingContainer.onPortForwarded != null) ''
TARGET_IP="${targetIp}" TARGET_IP="${targetIp}"