Use the NixOS firewall instead to block unwanted PIA VPN traffic

2023-03-12 20:49:39 -06:00 · 2023-03-12 20:49:39 -06:00 · 83e9280bb4
commit 83e9280bb4
parent 478235fe32
2 changed files with 7 additions and 3 deletions
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@ -213,8 +213,8 @@ in {
        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal

        # Block all traffic from VPN interface except for traffic that is from the forwarded port
-        iptables -I INPUT -i ${cfg.interfaceName} -j DROP
-        iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
+        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}

        # The first port refresh triggers the port to be actually allocated
        ${refreshPIAPort}
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@ -75,7 +75,11 @@ in
        # speeds up evaluation
        nixpkgs.pkgs = pkgs;

-        networking.firewall.enable = mkForce false;
+        # networking.firewall.enable = mkForce false;
+        networking.firewall.trustedInterfaces = [
+          # completely trust internal interface to host
+          "eth0"
+        ];

        pia.openvpn.enable = cfg.useOpenVPN;
        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn