From 1fd29a5f4f574489ee7ce102079ef768baba7b09 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Fri, 6 Feb 2026 06:44:47 -0600
Subject: [PATCH] nat table

---
 hosts/server/configuration.nix | 1 +
 hosts/vps/configuration.nix | 101 +++++++++++++++++++--------------
 modules/modules.nix | 2 +-
 3 files changed, 59 insertions(+), 45 deletions(-)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index ed05d39..2e05411 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -79,6 +79,7 @@ in
 allowedIPs = [
 "${config.my.ips.wg-vps}/32"
 "${config.my.ips.wg-friends}/24" # all friends
+ "${config.my.ips.wg-gs}/24" # all friends
 ];
 persistentKeepalive = 25;
 }
diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index aa4ae7f..91c8376 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
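Review bot: The comment on the added `wg-gs` entry is copied from the line above and mislabels the guest range as friends; `modules/modules.nix` names this range `wg-gs`/`wg-g0`/`wg-g1` and the VPS forward rules treat it as `wgGuestsSubnet`, so the line should read `"${config.my.ips.wg-gs}/24" # all guests`. Allowing the whole /24 here also means this peer will accept and route traffic from every guest address over the tunnel, presumably relying on the VPS forward rules (stash port from `wgGuest1`, echo-request from the guest subnet) to bound what actually reaches the server; a short comment saying that the VPS is where guest access is restricted would stop a later edit to those rules from being made in isolation. The peer entry this hunk belongs to starts outside the hunk.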
@@ -47,57 +47,70 @@ in }; }; image.modules.linode = { }; - networking.hostName = "vps"; services.smartd.enable = lib.mkForce false; environment.systemPackages = [ ]; - networking.nftables.enable = true; - networking.firewall = { - enable = true; - filterForward = true; - checkReversePath = "loose"; - allowedTCPPorts = [ sshPort ] ++ webPorts; - allowedUDPPorts = [ wgPort ]; - extraForwardRules = '' - iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept + networking = { + hostName = "vps"; + nat = { + inherit externalInterface; + enable = true; + internalInterfaces = [ "wg0" ]; + forwardPorts = [ + { + sourcePort = giteaSshPort; + proto = "tcp"; + destination = "${homeServer}:${giteaSshPortStr}"; + } + ]; + }; + nftables = { + enable = true; + tables."vps-snat" = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority srcnat; + iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward" + } + ''; + }; + }; + firewall = { + enable = true; + filterForward = true; + checkReversePath = "loose"; + allowedTCPPorts = [ 
sshPort ] ++ webPorts; + allowedUDPPorts = [ wgPort ]; + extraForwardRules = '' + iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept + iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept - iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept - iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept - iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept - iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept + iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept + iifname "${wgInterface}" ip saddr 
${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept + iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept - iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept - iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept + iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept + iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept - iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept + iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept - ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop - ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop - ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop - ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop - ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop - ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop - ''; - }; - networking.nat = { - enable = true; - inherit externalInterface; - internalInterfaces = [ "wg0" ]; - forwardPorts = [ - { - sourcePort = giteaSshPort; - proto = "tcp"; - destination = "${homeServer}:${giteaSshPortStr}"; - } - ]; + ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop + ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop + ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop + ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop + ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop + ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop + ''; + }; }; security.sudo-rs.extraRules = [ { diff --git a/modules/modules.nix b/modules/modules.nix index 7fc4f5e..048623c 100644 --- a/modules/modules.nix +++ b/modules/modules.nix 
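Review bot: The `masquerade` rule in the new `vps-snat` table rewrites the source of forwarded Gitea-SSH connections to the VPS's tunnel-side address, so the home server's sshd/Gitea logs and any per-client limiting there will only ever see the VPS; the rule's `comment "snat ssh forward"` should say why and what is lost, e.g. `comment "snat so home-server replies return via the tunnel; real client IP only visible on the VPS"`. The same section still hardcodes `internalInterfaces = [ "wg0" ];` while the forward rules and the SNAT rule use `${wgInterface}`; `internalInterfaces = [ wgInterface ];` keeps the NixOS-generated NAT chain and the hand-written table on the same interface if that name is ever changed. This chain also sits at the same `srcnat` priority as the NAT module's own postrouting chain, which is fine as long as neither side adds a conflicting source rewrite for this flow, and is worth a one-line comment above `chain postrouting`. The `networking` attribute set begins and ends inside the hunk, but the enclosing module body continues outside it.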
@@ -56,12 +56,12 @@ in
 wg-gs = "10.9.0.0";
 wg-g0 = "10.9.0.1";
 wg-g1 = "10.9.0.2";
+ wg-friends = "10.8.0.0";
 wg-friend0 = "10.8.0.1";
 wg-friend1 = "10.8.0.2";
 wg-friend2 = "10.8.0.3";
 wg-friend3 = "10.8.0.4";
 wg-friend4 = "10.8.0.5";
- wg-friends = "10.8.0.0";
 };
 description = "Set of IP's for all my computers.";
 };