From de00d86dc4a05266bd80388bb1422b44be69f68d Mon Sep 17 00:00:00 2001
From: Magic_RB
Date: Sun, 9 Jul 2023 23:44:15 +0200
Subject: [PATCH] Accept wireguard on the WAN interface

Signed-off-by: Magic_RB
---
 nixos/systems/blowhole/firewall.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/systems/blowhole/firewall.nix b/nixos/systems/blowhole/firewall.nix
index b6d7de9..12be43e 100644
--- a/nixos/systems/blowhole/firewall.nix
+++ b/nixos/systems/blowhole/firewall.nix
@@ -142,6 +142,9 @@ in
 tcp dport 22 accept comment "Accept SSH traffic always"
 iifname != "lo" tcp dport 5353 drop comment "Drop traffic to dnscrypt-proxy always except for localhost to localhost traffic"
+# Accept WireGuard
+iifname "${wan}" udp dport 6666 accept;
+
 iifname { "nomad", "ve-monitor", "ve-klipper" } oifname { "nomad", "ve-monitor", "ve-klipper" } accept comment "Allow Nomad to do whatever it wants in its interface"
 iifname { "${wlan}", "${lan}", "lo" } accept comment "Allow local network to access the router"
 iifname { "${wan}", "${doVPN}", "nomad", "docker0", "ve-monitor", "ve-klipper" } jump input_out
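Review bot: The added rule `iifname "${wan}" udp dport 6666 accept;` ends with a stray semicolon and carries no `comment`, unlike every neighbouring rule in this chain; nft tolerates the `;` as a statement separator, but for consistency and for readable `nft list ruleset` output I would write `iifname "${wan}" udp dport 6666 accept comment "Accept WireGuard on WAN"`. The port 6666 is hard-coded while the interface name is interpolated; if the WireGuard listen port is defined elsewhere in this configuration, interpolating it here the same way as `${wan}` would keep the firewall rule and the tunnel from drifting apart. The rule sits before the `jump input_out` line, so WAN traffic to that port is accepted without ever reaching the input_out chain — presumably the intent, but worth stating in the comment so the ordering is not undone by a later reshuffle. The enclosing chain starts and ends outside the hunk.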