diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix
index d7d2aed..33a2f98 100644
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@@ -97,15 +97,15 @@ in
 hostName == "flpk-gw"
 ) ''
 # BIRD routing table for Wireguard transport
- ipv4 table vpn4_table;
+ ipv4 table vpn_table;
 # Kernel routing table for Wireguard transport
- protocol kernel VPN4 {
- # "vpn4_table" configured on anon routers
+ protocol kernel VPN {
+ # "vpn_table" configured on anon routers
 kernel table 100;
 ipv4 {
 export all;
- table vpn4_table;
+ table vpn_table;
 };
 }
 ''}
@@ -220,7 +220,7 @@ in
 builtins.match "anon.*" hostName != null ||
 hostName == "flpk-gw"
 ) ''
- table vpn4_table;
+ table vpn_table;
 ''}
 };
 area 0 {
diff --git a/nix/nixos-module/container/wireguard.nix b/nix/nixos-module/container/wireguard.nix
index 122fe7d..88813cb 100644
--- a/nix/nixos-module/container/wireguard.nix
+++ b/nix/nixos-module/container/wireguard.nix
@@ -14,8 +14,7 @@ let
 privateKeyFile = ifName: "/run/wireguard-keys/${ifName}.key";
- wireguardMark = 3;
- vpn4Table = 100;
+ vpnTable = 100;
 in
 {
 systemd.services = builtins.foldl' (services: ifName: services // {
@@ -51,8 +50,7 @@ in
 };
 wireguardConfig = {
 PrivateKeyFile = privateKeyFile ifName;
- # Mark for routing with another routing table
- FirewallMark = wireguardMark;
+ RouteTable = "vpn";
 };
 wireguardPeers = [ {
 wireguardPeerConfig = {
@@ -67,10 +65,9 @@ in
 # Wireguard transported through another routing table
 # (containing upstream by bird ospf)
 core.routingPolicyRules = [ {
- # Marked wireguard packets take the vpn4 routing table
+ # Marked wireguard packets take the vpn routing table
 routingPolicyRuleConfig = {
- Table = vpn4Table;
- FirewallMark = wireguardMark;
+ Table = vpnTable;
 };
 } ];
 } // builtins.mapAttrs (ifName: { wireguard, upstream, ... }: {
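Review bot: `RouteTable = "vpn";` in the `wireguardConfig` hunk (`@@ -51`) names the table by the string registered through `rttablesExtraConfig` in the `@@ -109` hunk, but systemd-networkd resolves table names from `RouteTable=` in networkd.conf (exposed in NixOS as `systemd.network.config.routeTables`, if I recall correctly) plus the predefined `default`/`main`/`local`, not from iproute2's rt_tables, so as far as I can tell this value will be rejected when the netdev unit is parsed; `RouteTable = vpnTable;` uses the numeric id already defined in this file and does not depend on any name registry. The setting is also not a drop-in for the removed `FirewallMark=`: `[WireGuard] RouteTable=` selects the table into which networkd installs the peers' AllowedIPs routes, whereas the mark decided which table the tunnel's own encapsulated UDP packets were looked up in. If routing the transport through the OSPF-fed table, as the comment at the top of the `core.routingPolicyRules` block in the next hunk still says, remains the goal, the mark and a rule selector are still needed alongside this setting. The enclosing netdev attribute set starts and ends outside this hunk.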
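Review bot: With `FirewallMark = wireguardMark;` dropped in the `@@ -67` hunk, the policy rule keeps only `Table = vpnTable;` and no selector, so it now applies to every route lookup on the host rather than to marked WireGuard packets, while the retained comment `# Marked wireguard packets take the vpn routing table` still describes the old behaviour. If a catch-all lookup of table 100 ahead of main is intended, the comment should say so, e.g. `# Every lookup consults the vpn table first (OSPF upstream + peer AllowedIPs routes)`; if not, the rule needs a constraint again, either the restored `FirewallMark=` or a `From=`/`To=`/`OutgoingInterface=` match. How much host traffic this redirects depends on whether table 100 carries a default route, which I cannot tell from the hunk. The `core.routingPolicyRules` list sits inside an attribute set that continues past the hunk.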
@@ -109,7 +106,7 @@ in
 networking.iproute2 = lib.mkIf enabled {
 enable = true;
 rttablesExtraConfig = ''
- ${toString vpn4Table} vpn4
+ ${toString vpnTable} vpn
 '';
 };