From e355f7044d7efaa49761bc4d4f43e94b0f2f3ab2 Mon Sep 17 00:00:00 2001
From: evujumenuk
Date: Fri, 4 Aug 2017 18:30:53 +0200
Subject: [PATCH 1/3] wireguard: add per-peer routing table option
This adds a convenient per-peer option to set the routing table that associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and forcing all traffic of a virtual interface (or a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through Wireguard.
---
 .../modules/services/networking/wireguard.nix | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index be832ea45d8f..f76909af4caa 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -160,6 +160,14 @@ let
 interval of 25 seconds; however, most users will not need this.'';
 };
+ table = mkOption {
+ default = "main";
+ type = types.str;
+ description = ''The kernel routing table to add this peer's associated
+ routes to. Setting this is useful for e.g. policy routing ("ip rule")
+ or virtual routing and forwarding ("ip vrf"). Both numeric table IDs
+ and table names (/etc/rt_tables) can be used. Defaults to "main".'';
+ };
 };
 };
@@ -207,9 +215,11 @@ let
 "${ipCommand} link set up dev ${name}"
- (map (peer: (map (ip:
- "${ipCommand} route replace ${ip} dev ${name}"
- ) peer.allowedIPs)) values.peers)
+ (map (peer:
+ (map (allowedIP:
+ "${ipCommand} route replace ${allowedIP} dev ${name} table ${peer.table}"
+ ) peer.allowedIPs)
+ ) values.peers)
 values.postSetup
 ]);
@@ -240,7 +250,8 @@ in
 peers = [
 { allowedIPs = [ "192.168.20.1/32" ];
 publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
- endpoint = "demo.wireguard.io:12913"; }
+ endpoint = "demo.wireguard.io:12913";
+ table = "42"; }
 ];
 };
 };
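Review bot: In the second hunk, the new `table ${peer.table}` argument of the `ip route replace` command is spliced into the generated shell script unquoted, while the option declared in the first hunk is a plain `types.str`, so a value containing whitespace or shell metacharacters would alter the command line instead of being rejected at evaluation time. The existing `${allowedIP}` interpolation has the same shape, but the new option widens the surface and its description explicitly invites free-form table names. Either quote it, `"${ipCommand} route replace ${allowedIP} dev ${name} table ${escapeShellArg peer.table}"` (presumably in scope via the same `with lib;` that provides `mkOption` and `types` — worth confirming), or narrow the type to the identifiers iproute2 accepts. The same unescaped `table ${values.table}` interpolation appears in the last hunk of PATCH 3/3. The surrounding `concatStringsSep` list that builds the setup script starts and ends outside this hunk.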
From 6070d91e93c29dc53a2d71c7a9505255f1a48459 Mon Sep 17 00:00:00 2001
From: evujumenuk
Date: Fri, 4 Aug 2017 21:00:45 +0200
Subject: [PATCH 2/3] wireguard: remove "table" option from example
Most users will be served well by the default "table" setting ("main").
---
 nixos/modules/services/networking/wireguard.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index f76909af4caa..5aa4f13d4529 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -250,8 +250,7 @@ in
 peers = [
 { allowedIPs = [ "192.168.20.1/32" ];
 publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
- endpoint = "demo.wireguard.io:12913";
- table = "42"; }
+ endpoint = "demo.wireguard.io:12913"; }
 ];
 };
 };
From eaab02b94f729c8e230c6b7f52ad83091f6fc0d6 Mon Sep 17 00:00:00 2001
From: evujumenuk
Date: Tue, 8 Aug 2017 01:45:19 +0200
Subject: [PATCH 3/3] wireguard: convert "table" to an interface option
Do the right thing, and use multiple interfaces for policy routing. For example, WireGuard interfaces do not allow multiple routes for the same CIDR range.
---
 .../modules/services/networking/wireguard.nix | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 5aa4f13d4529..4f54b45639f6 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -79,6 +79,16 @@ let
 description = "A list of commands called after shutting down the interface.";
 };
+ table = mkOption {
+ default = "main";
+ type = types.str;
+ description = ''The kernel routing table to add this interface's
+ associated routes to. Setting this is useful for e.g. policy routing
+ ("ip rule") or virtual routing and forwarding ("ip vrf"). Both numeric
+ table IDs and table names (/etc/rt_tables) can be used. Defaults to
+ "main".'';
+ };
+
 peers = mkOption {
 default = [];
 description = "Peers linked to the interface.";
@@ -160,14 +170,6 @@ let
 interval of 25 seconds; however, most users will not need this.'';
 };
- table = mkOption {
- default = "main";
- type = types.str;
- description = ''The kernel routing table to add this peer's associated
- routes to. Setting this is useful for e.g. policy routing ("ip rule")
- or virtual routing and forwarding ("ip vrf"). Both numeric table IDs
- and table names (/etc/rt_tables) can be used. Defaults to "main".'';
- };
 };
 };
@@ -217,7 +219,7 @@ let
 (map (peer:
 (map (allowedIP:
- "${ipCommand} route replace ${allowedIP} dev ${name} table ${peer.table}"
+ "${ipCommand} route replace ${allowedIP} dev ${name} table ${values.table}"
 ) peer.allowedIPs)
 ) values.peers)
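Review bot: The description of the new interface-level `table` option in the first hunk does not say that only the `allowedIPs` routes are placed in that table, so a reader may expect that setting it alone steers traffic through the tunnel; the later `ip route replace … table ${values.table}` hunk adds routes and nothing else, so a policy rule or VRF binding is still the user's job. I would add the sentence `Routes are only installed into that table; directing traffic to it still requires a matching policy rule ("ip rule") or VRF membership.` after the second sentence. The closing `Defaults to "main".` duplicates the `default` attribute, which the option documentation already renders, and can be dropped. The option set this hunk extends starts outside the hunk.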