diff --git a/common/network/pia-vpn/scripts.nix b/common/network/pia-vpn/scripts.nix
index 0180681..e5fabb1 100644
--- a/common/network/pia-vpn/scripts.nix
+++ b/common/network/pia-vpn/scripts.nix
@@ -135,6 +135,17 @@ in
 echo "Loaded server info from $serverFile: $WG_HOSTNAME ($WG_SERVER_IP:$WG_SERVER_PORT)"
 }
 
+ # Reset WG interface and tear down NAT/forwarding rules.
+ # Called on startup (clear stale state) and on exit via trap.
+ cleanupVpn() {
+ local interfaceName=$1
+ wg set "$interfaceName" listen-port 0 2>/dev/null || true
+ ip -4 address flush dev "$interfaceName" 2>/dev/null || true
+ ip route del default dev "$interfaceName" 2>/dev/null || true
+ iptables -t nat -F 2>/dev/null || true
+ iptables -F FORWARD 2>/dev/null || true
+ }
+
 connectToServer() {
 local wgFile=$1
 local interfaceName=$2
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index e2d7f43..ed6b081 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -141,12 +141,8 @@ in
 set -euo pipefail
 ${scripts.scriptCommon}
 
- # Clean up stale state from previous attempts
- wg set ${cfg.interfaceName} listen-port 0 2>/dev/null || true
- ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
- ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
- iptables -t nat -F 2>/dev/null || true
- iptables -F FORWARD 2>/dev/null || true
+ trap 'cleanupVpn ${cfg.interfaceName}' EXIT
+ cleanupVpn ${cfg.interfaceName}
 
 proxy="${proxy}"
 
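Review bot: `iptables -t nat -F` and `iptables -F FORWARD` in cleanupVpn flush entire chains rather than the rules this script installed, so any kill-switch DROP rules living in FORWARD are removed as well and forwarded client traffic falls back to the chain's default policy — if that policy is ACCEPT, traffic can leave the container outside the tunnel while the VPN is down or restarting. The nat flush is also broader than the preStop this commit removes, which cleared POSTROUTING always and PREROUTING only when port forwarding was enabled, so unrelated NAT rules present in the container would now be wiped too. Prefer keeping the VPN rules in dedicated chains jumped to from FORWARD/POSTROUTING/PREROUTING and flushing only those, and end the teardown with `iptables -P FORWARD DROP 2>/dev/null || true` so the fail-closed state is explicit rather than policy-dependent; there is no ip6tables counterpart, so if the container has IPv6 connectivity that path is untouched (not visible from the hunk). Note too that `wg set "$interfaceName" listen-port 0` leaves the peers, private key and allowed-ips configured — `ip link set dev "$interfaceName" down` would actually stop the interface, which is what the comment "Reset WG interface" suggests.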
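Review bot: The `trap 'cleanupVpn ${cfg.interfaceName}' EXIT` added here will not run on a normal service stop, because the same start script ends with `exec sleep infinity` (context line in the next hunk), which replaces the shell process and with it the pending EXIT trap; since the commit also deletes the preStop hook, nothing tears the interface, default route and iptables rules down on stop any more. The trap does still cover failures that occur before the exec (a failed connect under `set -e`), which appears to be the only path it protects. If the trap is meant to replace preStop, keep the shell alive and let it receive the stop signal instead: `trap 'exit 0' TERM INT` followed by `sleep infinity & wait "$!"` in place of the exec, so the EXIT trap fires on SIGTERM — or keep the preStop hook. The enclosing start script begins before this hunk and continues past it.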
@@ -200,16 +196,6 @@ in
 exec sleep infinity
 '';
 
- preStop = ''
- echo "Tearing down PIA VPN..."
- ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
- ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
- iptables -t nat -F POSTROUTING 2>/dev/null || true
- iptables -F FORWARD 2>/dev/null || true
- ${optionalString portForwarding ''
- iptables -t nat -F PREROUTING 2>/dev/null || true
- ''}
- '';
 };
 
 # Port refresh timer (every 10 min) — keeps PIA port forwarding alive