{ config, lib, ... }: { systemd.network = let pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; endpoint = "169.150.196.15"; port = "51820"; addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ]; in { netdevs."10-wg-mullvad" = { netdevConfig = { Kind = "wireguard"; Name = "wg-mullvad"; }; wireguardConfig = { PrivateKeyFile = config.sops.secrets."wg/mullvad".path; FirewallMark = 34952; # 0x8888 RouteTable = "off"; }; wireguardPeers = [ { PublicKey = pubkey; Endpoint = "${endpoint}:${port}"; AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; } ]; }; networks."10-wg-mullvad" = { matchConfig.Name = "wg-mullvad"; address = addr; networkConfig = { DNS = "10.64.0.1"; DNSDefaultRoute = true; Domains = [ "~." ]; }; routes = map (gate: { Gateway = gate; Table = 1000; }) [ "0.0.0.0" "::" ]; routingPolicyRules = [ { Family = "both"; FirewallMark = 34952; # 0x8888 InvertRule = true; Table = "1000"; Priority = 100; } { Family = "both"; SuppressPrefixLength = 0; Table = "main"; Priority = 90; } ] ++ map (net: { # only route global addresses over VPN Priority = 80; To = net; }) [ # Mullvad endpoint "${endpoint}/32" # zw endpoint "81.201.149.152/32" # oxalab/oxa endpoint "188.245.196.27/32" # "10.0.0.0/8" "10.13.37.0/24" # 0xa-mgmt "10.89.87.0/24" # "172.16.0.0/12" "172.16.0.0/12" # "182.168.0.0/16" "182.168.0.0/16" # "fc00::/7" ]; }; }; }