From 805ef47f70c281fdaedb01d1f0236ad6b5ea3d41 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 13 Jun 2023 13:20:00 +0800
Subject: [PATCH] hosts/plover: update Wireguard firewall rules

---
 hosts/plover/modules/services/wireguard.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index d48b0fad..26819823 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -24,15 +24,19 @@ in
     # IP forwarding for specific interfaces.
     filterForward = true;
     extraForwardRules = ''
-      iifname ${wireguardIFName} oifname ${lanIFName} accept comment "IP forward from Wireguard interface to LAN"
+      iifname ${wireguardIFName} accept comment "IP forward from Wireguard interface to LAN"
     '';
   };
 
   networking.nftables.ruleset = ''
     table ip wireguard-${wireguardIFName} {
+      chain prerouting {
+        type nat hook prerouting priority filter; policy accept;
+      }
+
       chain postrouting {
         type nat hook postrouting priority srcnat; policy accept;
-        iifname ${wireguardIFName} oifname ${lanIFName} masquerade comment "Masquerade packets from Wireguard interface to LAN"
+        iifname ${wireguardIFName} snat to ip ${interfaces.internal.IPv4.address} comment "Make packets from Wireguard interface appear as coming from the LAN interface"
       }
     }
   '';
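Review bot: Dropping the `oifname` match from both the forward `accept` rule and the new `snat` rule means any packet arriving on the WireGuard interface is now accepted for forwarding out of every interface the host has, not just the LAN, and every such packet is rewritten to `interfaces.internal.IPv4.address` on egress — including anything leaving a public interface, where a private source address is wrong, and any hairpinned WireGuard-to-WireGuard traffic, which would lose its peer source; the commit message gives no reason for widening the rules, only for changing the address. If the intent was only to fix which address the LAN sees, keep an egress-interface match on both rules, e.g. `iifname ${wireguardIFName} oifname <internal interface> accept` and the same `oifname` on the `snat` line, so the host does not silently become a general exit node for VPN peers. The new empty `prerouting` nat chain also carries no comment saying why it exists; if it is there so reverse translation of the SNATed flows is hooked (reportedly needed on kernels before 4.18), say so with something like `# Empty nat prerouting chain so reverse NAT for the snat rule below is registered`, and consider `priority dstnat` instead of `filter`, which is the conventional priority for a nat prerouting hook. The enclosing attribute set starts before the hunk.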