feat: fixed vpn on defiant

configurations/nixos/defiant/configuration.nix

@@ -132,23 +132,24 @@
         };
       };
 
-      # "20-wg0" = {
-      #   netdevConfig = {
-      #     Kind = "wireguard";
-      #     Name = "wg0";
-      #   };
-      #   wireguardConfig = {
-      #     PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
-      #     ListenPort = 51820;
-      #   };
-      #   wireguardPeers = [
-      #     {
-      #       PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
-      #       Endpoint = "185.230.126.146:51820";
-      #       AllowedIPs = ["0.0.0.0/0"];
-      #     }
-      #   ];
-      # };
+      "20-wg0" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "wg0";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
+          ListenPort = 51820;
+        };
+        wireguardPeers = [
+          {
+            PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
+            Endpoint = "185.230.126.146:51820";
+            # Allow all traffic but use policy routing to prevent system-wide VPN
+            AllowedIPs = ["0.0.0.0/0"];
+          }
+        ];
+      };
     };
     networks = {
       "40-bond0" = {
@@ -163,36 +164,67 @@
           "192.168.1.10/32"
         ];
 
-        gateway = ["192.168.1.1"];
+        # Set lower priority for default gateway to allow WireGuard interface binding
+        routes = [
+          {
+            Destination = "0.0.0.0/0";
+            Gateway = "192.168.1.1";
+            Metric = 100;
+          }
+        ];
         dns = ["192.168.1.1"];
       };
 
-      # For some reason this isn't working. It looks like traffic goes out and comes back but doesn't get correctly routed back to the wg interface on the return trip
-      # debugging steps:
-      # try sending data on the interface `ping -I wg0 8.8.8.8`
-      # view all traffic on the interface `sudo tshark -i wg0`
-      # see what applications are listening to port 14666 (thats what we currently have qbittorent set up to use) `ss -tuln | grep 14666`
-      # "50-wg0" = {
-      #   matchConfig.Name = "wg0";
-      #   networkConfig = {
-      #     DHCP = "no";
-      #   };
-      #   address = [
-      #     "10.2.0.2/32"
-      #   ];
-      #   # routes = [
-      #   #   {
-      #   #     Destination = "10.2.0.2/32";
-      #   #     Gateway = "10.2.0.1";
-      #   #   }
-      #   # ];
-      # };
+      "50-wg0" = {
+        matchConfig.Name = "wg0";
+        networkConfig = {
+          DHCP = "no";
+        };
+        address = [
+          "10.2.0.2/32"
+        ];
+        # Configure routing for application binding
+        routingPolicyRules = [
+          {
+            # Route traffic from VPN interface through VPN table
+            From = "10.2.0.2/32";
+            Table = 200;
+            Priority = 100;
+          }
+        ];
+        routes = [
+          {
+            # Direct route to VPN gateway
+            Destination = "10.2.0.1/32";
+            Scope = "link";
+          }
+          {
+            # Route VPN subnet through VPN gateway in custom table
+            Destination = "10.2.0.0/16";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+          {
+            # Route all traffic through VPN gateway in custom table
+            Destination = "0.0.0.0/0";
+            Gateway = "10.2.0.1";
+            Table = 200;
+          }
+        ];
+      };
     };
   };
 
   # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
   boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
 
+  # Enable policy routing and source routing for application-specific VPN binding
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.rp_filter" = 2;
+    "net.ipv4.conf.default.rp_filter" = 2;
+    "net.ipv4.conf.wg0.rp_filter" = 2;
+  };
+
   services = {
     # temp enable desktop environment for setup
     # Enable the X11 windowing system.