WireGuard: Difference between revisions

Tie-ling (talk | contribs)
Proxy client setup: Route for specific user
Line 522: Line 522:
           # we specify that the routing table 1000 must be used  
           # we specify that the routing table 1000 must be used  
           # (which is the wireguard routing table). This rule routes all traffic through wireguard.
           # (which is the wireguard routing table). This rule routes all traffic through wireguard.
           RouteTable = 1000;
           # inside routingPolicyRules section is called Table, not RouteTable
          Table = 1000;


           # this routing policy rule has a lower priority (10) than
           # this routing policy rule has a lower priority (10) than
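Review bot: the key rename is the substantive fix in this hunk: `Table = 1000;` is the table selector that belongs in a routingPolicyRules entry, and it now matches the `Table = 1000;` used by the user-specific rule in the "Route for specific user" section further down, so the two examples are consistent. One style point on the new comment `# inside routingPolicyRules section is called Table, not RouteTable`: it would read more clearly as `# in a routingPolicyRules entry the option is Table, not RouteTable`, and it can stay short because the comment two lines above already explains what table 1000 is.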
Line 545: Line 546:
     };
     };
   };
   };
</syntaxhighlight>
=== Exempting specific addresses ===
In order to exempt specific addresses (such as private LAN addresses) from routing over the WireGuard tunnel, add them to another RoutingPolicyRule with higher priority.
<syntaxhighlight lang="nix">
  systemd.network.networks."50-wg0".routingPolicyRules =
  [
    {
      # Priority 9 is evaluated before the catch-all rule (priority 10),
      # so traffic to the LAN is looked up in the main table (the default
      # when no Table is set) and never enters the tunnel.
      To = "192.168.0.0/24";
      Priority = 9;
    }
  ];
</syntaxhighlight>
=== Route for specific user ===
It may be desirable to route WAN traffic over the tunnel only for a specific user, for example the transmission user, so that only torrent traffic uses the tunnel.
Replace the catch-all rules above with the user-specific rules below.
<syntaxhighlight lang="nix">
  systemd.network.networks."50-wg0".routingPolicyRules =
  [
    {
      # Lower-priority rule (30001, evaluated after 30000): all traffic
      # generated by the transmission user is looked up in table 1000,
      # the WireGuard table, so it leaves through the tunnel.
      Table = 1000;
      User = "transmission";
      Priority = 30001;
      Family = "both";
    }
    {
      # Higher-priority rule (30000, evaluated first): traffic generated
      # by the transmission user is looked up in the main table (no WireGuard),
      # BUT a match is only accepted if the route has a prefix length larger than 0.
      #
      # SuppressPrefixLength = 0 suppresses matches on the default routes
      # (0.0.0.0/0 and ::/0) of the main table, so for those destinations
      # the lookup falls through to rule 30001 and the WireGuard table.
      #
      # Therefore only destinations covered by a more specific route in the
      # main table (such as the subnet of your local home network) stay
      # outside the tunnel.
      Table = "main";
      User = "transmission";
      SuppressPrefixLength = 0;
      Priority = 30000;
      Family = "both";
    }
  ];
</syntaxhighlight>
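As an added example (not part of the wiki page), a small Python simulation of how the kernel walks the rules above, assuming an IPv4-only sample routing state (LAN 192.168.0.0/24 and a default route via eth0 in the main table, a default route via wg0 in table 1000) and the kernel's built-in "from all lookup main" rule at priority 32766; it shows the transmission user's LAN traffic staying on eth0 while its other traffic falls through to the WireGuard table.

```python
# Added example: simulates policy-rule evaluation for the rules on this page.
import ipaddress

# Route tables as (prefix, interface). Constructed sample state, assumed to
# match the NixOS config above: LAN and default on eth0, tunnel table on wg0.
TABLES = {
    "main": [("192.168.0.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    1000: [("0.0.0.0/0", "wg0")],
}

# Policy rules; lower priority number is evaluated first.
# 30000: transmission -> main, only routes more specific than /0 count.
# 30001: transmission -> table 1000 (WireGuard).
# 32766: the kernel's default "from all lookup main" rule for everyone else.
RULES = [
    {"priority": 30000, "user": "transmission", "table": "main", "suppress_prefixlength": 0},
    {"priority": 30001, "user": "transmission", "table": 1000},
    {"priority": 32766, "user": None, "table": "main"},
]


def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best


def route(dst, user):
    """Walk the rules in priority order; the first usable route decides the interface."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        if rule["user"] is not None and rule["user"] != user:
            continue  # rule does not match this user
        hit = lookup(rule["table"], dst)
        if hit is None:
            continue  # no route in this table, fall through to the next rule
        # SuppressPrefixLength=N discards a match whose route is /N or shorter,
        # so the main table's default route is ignored for the transmission user
        # and the lookup continues with the WireGuard table.
        if hit[0] <= rule.get("suppress_prefixlength", -1):
            continue
        return hit[1]
    return None


if __name__ == "__main__":
    print(route("1.1.1.1", "transmission"))      # wg0
    print(route("192.168.0.10", "transmission"))  # eth0
    print(route("1.1.1.1", "alice"))             # eth0
```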