From f71cbedf14cb5d5a46fe34b77e131054ae7d86f4 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Tue, 8 Aug 2023 14:20:21 +0200
Subject: [PATCH] shinobu/router: Exclude vueko from VPN
---
 machines/shinobu/services/router.nix | 32 +++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/machines/shinobu/services/router.nix b/machines/shinobu/services/router.nix
index 3a29508..bb2cd2d 100644
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@@ -26,6 +26,8 @@ { config, lib, pkgs, ... }:
 let
   domain = "home.sbruder.de";
+
+  noVpnFwMark = 10000;
 in
 {
   sops.secrets.wg-upstream-private-key = {
@@ -49,6 +51,11 @@ in
       ruleset = ''
         define NAT_LAN_IFACES = { "br-lan" }
         define NAT_WAN_IFACES = { "wg-upstream" }
+        define PHYSICAL_WAN = "enp1s0"
+        define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
+        define VUEKO_V4 = 168.119.176.53
+        define VUEKO_V6 = 2a01:4f8:c012:2f4::
+        define VUEKO_PORT = 51820
         table inet filter {
           chain forward {
@@ -56,6 +63,11 @@ in
             iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
             iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
+
+            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
+            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
+            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
+            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip6 saddr $VUEKO_V6 udp sport $VUEKO_PORT ct state established,related counter accept;
           }
         }
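Review bot: The vueko address `168.119.176.53` is written twice — as `define VUEKO_V4` in this hunk and again as the `To =` literal in the routing-policy rule added at `@@ -162` — so the firewall exception and the policy route can drift apart the next time the host moves. `noVpnFwMark` already lives in the `let` block and is interpolated into the ruleset, so the endpoint can be hoisted the same way: `vuekoV4 = "168.119.176.53";` next to `noVpnFwMark`, then `define VUEKO_V4 = ${vuekoV4}` here and `To = vuekoV4;` in the rule. The same treatment fits `VUEKO_V6` and `VUEKO_PORT`. The `ruleset` string this hunk sits in starts and ends outside the hunk.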
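Review bot: The four new forward rules only fire if forwarded LAN packets to vueko are actually routed out `$PHYSICAL_WAN`, and nothing in this patch arranges that: the mark that steers traffic past the VPN is set in a `chain output` hook (`@@ -66`), which sees only packets the router itself generates, so transit traffic from `$NAT_LAN_IFACES` never carries `noVpnFwMark` and the `FirewallMark` rule at `@@ -162` cannot match it. If LAN traffic is policy-routed into the VPN (not visible in this diff), these accept rules are dead and the LAN hosts' handshakes still leave through the tunnel; if they are meant to bypass it, the mangle table needs a matching `chain prerouting { type filter hook prerouting priority mangle; iifname $NAT_LAN_IFACES ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark}; }` plus its `ip6` twin — otherwise the two LAN-egress rules and their return rules should go. A one-line comment above the block saying which LAN hosts need a direct path to vueko would make the intent checkable. The `chain forward` block begins outside this hunk.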
@@ -66,7 +78,17 @@ in
           chain postrouting {
             type nat hook postrouting priority filter; policy accept;
-            oifname $NAT_WAN_IFACES masquerade;
+            oifname $MASQUERADE_IFACES masquerade;
+          }
+        }
+
+        table inet mangle {
+          chain output {
+            type route hook output priority mangle;
+
+            # Add fwmark noVpnMark to packets to vueko, so it will get routed correctly
+            ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
+            ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter;
           }
         }
       '';
@@ -162,6 +184,14 @@ in
           Priority = 9;
         };
       }
+      {
+        routingPolicyRuleConfig = {
+          To = "168.119.176.53";
+
+          FirewallMark = noVpnFwMark;
+          Priority = 9;
+        };
+      }
     ];
     routes = [
       {
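Review bot: The comment on the mangle rules names `noVpnMark`, but the constant interpolated on the next two lines is `noVpnFwMark`; rename it and record who consumes the mark, e.g. `# Set fwmark noVpnFwMark on the router's own packets to vueko so the FirewallMark routing-policy rule sends them out $PHYSICAL_WAN instead of into wg-upstream`. A second line noting that `type route` is what makes the kernel redo the route lookup after the mark is set would save the next reader from "fixing" it to `type filter`, which would leave the mark without effect on egress. Widening masquerade to `$MASQUERADE_IFACES` also NATs anything forwarded out `enp1s0`, which is only as narrow as the forward chain's accept rules keep it — worth a word in the same comment. The enclosing `ruleset` string starts outside this hunk.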
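Review bot: Only an IPv4 policy rule is added, while the mangle chain at `@@ -66` also marks `ip6 daddr $VUEKO_V6` packets; with no rule consuming the mark for v6, those packets presumably keep following the default route into the VPN, so the exclusion is half done. `FirewallMark = noVpnFwMark` already identifies exactly the flows the mangle chain selected, which makes the `To =` match redundant; dropping it and adding `Family = "both";` lets one rule cover both families (without `To=` networkd otherwise defaults the rule to IPv4), or add a second entry with `To = "2a01:4f8:c012:2f4::";` if the per-address match is wanted. The rule also reuses `Priority = 9` from the preceding entry shown in context; if that entry can match the same packets, a distinct priority makes the intended evaluation order explicit. The list this entry belongs to starts outside this hunk.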