From 83e9280bb4a7b81a2ed85d14563dd52fd9d5819c Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 12 Mar 2023 20:49:39 -0600
Subject: [PATCH] Use the NixOS firewall instead to block unwanted PIA VPN traffic
---
common/network/pia-wireguard.nix | 4 ++--
common/network/vpn.nix | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 399f487..d9d2023 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -213,8 +213,8 @@ in {
 echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
 # Block all traffic from VPN interface except for traffic that is from the forwarded port
- iptables -I INPUT -i ${cfg.interfaceName} -j DROP
- iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+ iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
+ iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
 # The first port refresh triggers the port to be actually allocated
 ${refreshPIAPort}
diff --git a/common/network/vpn.nix b/common/network/vpn.nix
index 5854692..a107a35 100644
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -75,7 +75,11 @@ in
 # speeds up evaluation
 nixpkgs.pkgs = pkgs;
- networking.firewall.enable = mkForce false;
+ # networking.firewall.enable = mkForce false;
+ networking.firewall.trustedInterfaces = [
+ # completely trust internal interface to host
+ "eth0"
+ ];
 pia.openvpn.enable = cfg.useOpenVPN;
 pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
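Review bot: `$port` is spliced unquoted and unvalidated into the two new `iptables -I nixos-fw` rules; it appears to be derived from the `$payload` written on the line above, which presumably comes from the VPN provider's port-forwarding response rather than from local configuration, so an empty or non-numeric value yields a malformed rule or an unintended match. Validate it before use, `[[ "$port" =~ ^[0-9]+$ ]] || { echo "bad forwarded port: $port" >&2; exit 1; }`, and quote it as `--dport "$port"`. The rules are also inserted unconditionally every time this script runs, so repeated renewals accumulate accept entries (including any earlier port) with nothing deleting them; `iptables -C nixos-fw ... || iptables -I nixos-fw ...` avoids duplicates, though a changed port still needs an explicit `-D` of the old rule. Note that the UDP accept is new (the replaced rule accepted TCP only) and that these accepts only restrict VPN ingress if the NixOS firewall is actually enabled, which the vpn.nix hunk now relies on by commenting out rather than deleting the `mkForce false` line. The enclosing script body starts and ends outside the hunk.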