From 3b71f4b1fd2b7dbeade7cea413f7fa2e0a8894f0 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Thu, 26 Feb 2026 19:42:38 -0800
Subject: [PATCH] dedupe
---
 common/network/pia-vpn/scripts.nix | 11 +++++++++++
 common/network/pia-vpn/vpn-container.nix | 18 ++----------------
 2 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/common/network/pia-vpn/scripts.nix b/common/network/pia-vpn/scripts.nix
index 0180681..e5fabb1 100644
--- a/common/network/pia-vpn/scripts.nix
+++ b/common/network/pia-vpn/scripts.nix
@@ -135,6 +135,17 @@ in
 echo "Loaded server info from $serverFile: $WG_HOSTNAME ($WG_SERVER_IP:$WG_SERVER_PORT)"
 }
+ # Reset WG interface and tear down NAT/forwarding rules.
+ # Called on startup (clear stale state) and on exit via trap.
+ cleanupVpn() {
+ local interfaceName=$1
+ wg set "$interfaceName" listen-port 0 2>/dev/null || true
+ ip -4 address flush dev "$interfaceName" 2>/dev/null || true
+ ip route del default dev "$interfaceName" 2>/dev/null || true
+ iptables -t nat -F 2>/dev/null || true
+ iptables -F FORWARD 2>/dev/null || true
+ }
+
 connectToServer() {
 local wgFile=$1
 local interfaceName=$2
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index e2d7f43..ed6b081 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
@@ -141,12 +141,8 @@ in
 set -euo pipefail
 ${scripts.scriptCommon}
- # Clean up stale state from previous attempts
- wg set ${cfg.interfaceName} listen-port 0 2>/dev/null || true
- ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
- ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
- iptables -t nat -F 2>/dev/null || true
- iptables -F FORWARD 2>/dev/null || true
+ trap 'cleanupVpn ${cfg.interfaceName}' EXIT
+ cleanupVpn ${cfg.interfaceName}
 proxy="${proxy}"
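Review bot: In scripts.nix, the new `cleanupVpn` flushes every chain of the nat table (`iptables -t nat -F`) and the whole FORWARD chain. The `preStop` removed from vpn-container.nix flushed only POSTROUTING and, with port forwarding enabled, PREROUTING, so the exit-path teardown is now wider. Any NAT or forwarding rule installed in that namespace by something other than this script is removed too. After the flush only the FORWARD chain policy decides what is forwarded, and that policy is not visible in this hunk; if it is ACCEPT, traffic is no longer constrained by the VPN rules until the next start. I would state the scope in the header comment, e.g. `# Flushes ALL nat chains and all of FORWARD, not only rules added by this script; relies on the FORWARD policy to block traffic afterwards.`, or flush only the chains the script populates.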
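Review bot: In vpn-container.nix, the `trap 'cleanupVpn ${cfg.interfaceName}' EXIT` added here will not fire once the script reaches `exec sleep infinity`, which appears as context in the hunk at -200. `exec` replaces the shell, so its traps are discarded. If that line ends this same script (the script body starts and ends outside this hunk, so this is inferred), the trap only covers failures before the `exec`. Stopping the unit then skips the address, route and iptables teardown that the removed `preStop` performed. Either keep the shell alive, e.g. `trap 'exit 0' TERM INT` followed by `sleep infinity & wait $!`, or keep a stop hook whose body calls `cleanupVpn ${cfg.interfaceName}`.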
@@ -200,16 +196,6 @@ in
 exec sleep infinity
 '';
- preStop = ''
- echo "Tearing down PIA VPN..."
- ip -4 address flush dev ${cfg.interfaceName} 2>/dev/null || true
- ip route del default dev ${cfg.interfaceName} 2>/dev/null || true
- iptables -t nat -F POSTROUTING 2>/dev/null || true
- iptables -F FORWARD 2>/dev/null || true
- ${optionalString portForwarding ''
- iptables -t nat -F PREROUTING 2>/dev/null || true
- ''}
- '';
 };
 # Port refresh timer (every 10 min) — keeps PIA port forwarding alive