From 2bbd83627c0ee5f86e01f65df189220fd01540a6 Mon Sep 17 00:00:00 2001
From: Steffen
Date: Mon, 5 Jan 2026 13:09:22 +0100
Subject: [PATCH] corrected hybrid swarm routing
---
 wireguard.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/wireguard.nix b/wireguard.nix
index c745de8..00e9dd4 100644
--- a/wireguard.nix
+++ b/wireguard.nix
@@ -10,12 +10,11 @@
 mtu = 1400;
 autostart = true;
 postUp = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ${lib.head config.vars.interfaces} -j MASQUERADE
+ ${pkgs.procps}/bin/sysctl -w net.ipv4.conf.wg0.rp_filter=2
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wg0 -d 10.6.0.1 -j SNAT --to-source ${config.vars.local_ip}
 '';
 postDown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ${lib.head config.vars.interfaces}
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o wg0 -d 10.6.0.1 -j SNAT --to-source ${config.vars.local_ip}
 '';
 privateKey = config.vars.wg_privateKey;
 peers = [{
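Review bot: The new `sysctl -w net.ipv4.conf.wg0.rp_filter=2` line in postUp relaxes reverse-path filtering on wg0 to loose mode, and nothing in the hunk records why or what still bounds the source addresses accepted on that interface. Presumably the swarm replies arrive asymmetrically and the peers' allowed-IP list (outside this hunk) is the remaining source check; a comment above the line such as `# loose rp_filter for asymmetric swarm replies; sources on wg0 are still limited by the peers' allowedIPs` would make that dependency explicit. The SNAT rule is also appended with `-A` unconditionally, so a postUp that runs again without a matching postDown would leave a duplicate that the single `-D` does not clear; guarding the append with an `iptables -t nat -C … ||` check on the same rule avoids that. Separately, the unchanged `privateKey = config.vars.wg_privateKey;` line probably places the key in the world-readable Nix store, and `privateKeyFile` is the usual way to keep it out.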