Use the NixOS firewall instead to block unwanted PIA VPN traffic

This commit is contained in:
Zuckerberg 2023-03-12 20:49:39 -06:00
parent 478235fe32
commit 83e9280bb4
2 changed files with 7 additions and 3 deletions


@ -213,8 +213,8 @@ in {
echo $payload >> /tmp/${cfg.interfaceName}-port-renewal echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
# Block all traffic from VPN interface except for traffic that is from the forwarded port # Block all traffic from VPN interface except for traffic that is from the forwarded port
iptables -I INPUT -i ${cfg.interfaceName} -j DROP iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
# The first port refresh triggers the port to be actually allocated # The first port refresh triggers the port to be actually allocated
${refreshPIAPort} ${refreshPIAPort}
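Review bot: The two new `iptables -I nixos-fw ... -j nixos-fw-accept` rules are inserted with no matching removal, so each run of this renewal script (it writes to the `-port-renewal` file and is run at least once per refresh) adds another pair, and when PIA hands out a different port the previously forwarded port stays accepted on the VPN interface. Guard the insert so it is idempotent and drop the rules for the old port, e.g. `iptables -C nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName} 2>/dev/null || iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}` for each protocol, with an `iptables -D` of the previous port before it; alternatively the accept could live in `networking.firewall.extraCommands`, which is re-applied with the firewall. Note also that rules pushed into `nixos-fw` by hand are probably lost whenever the NixOS firewall service restarts and rebuilds its chains, so the script should be runnable on firewall restart (worth confirming). Since the interface-wide `DROP` is gone, the hunk now relies on the firewall's default handling of unsolicited traffic on a non-trusted interface; add a comment such as `# nixos-fw refuses everything else arriving on the VPN interface; only the forwarded port is opened` so the next reader does not reinstate a DROP. The enclosing shell script starts and ends outside the hunk.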


@ -75,7 +75,11 @@ in
# speeds up evaluation # speeds up evaluation
nixpkgs.pkgs = pkgs; nixpkgs.pkgs = pkgs;
networking.firewall.enable = mkForce false; # networking.firewall.enable = mkForce false;
networking.firewall.trustedInterfaces = [
# completely trust internal interface to host
"eth0"
];
pia.openvpn.enable = cfg.useOpenVPN; pia.openvpn.enable = cfg.useOpenVPN;
pia.openvpn.server = "swiss.privacy.network"; # swiss vpn pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
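Review bot: `networking.firewall.trustedInterfaces = [ "eth0" ]` hard-codes the interface name while the VPN side of this module is driven by `cfg.interfaceName`, so the two can silently diverge; if the trusted interface is known to the module it should come from the same config, otherwise the comment should state that "eth0" is the container-side veth and why it can bypass all filtering. A trusted interface skips every input rule, including the port restrictions this commit sets up, so the comment `# completely trust internal interface to host` would be clearer as `# eth0 is the veth to the host only; all of its traffic bypasses nixos-fw, so nothing from the VPN must be routed onto it` (that routing assumption is mine and should be checked against the host config). The commented-out `# networking.firewall.enable = mkForce false;` is dead configuration and should be deleted rather than left to suggest the firewall is optional here.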