nixos/wireguard: add option to set firewall mark

Wireguard can tag its packets with a firewall mark. This can be used for firewalls or policy routing. This is very useful in some setups where all traffic should go through a wireguard interface. The wireguard packets cannot go through the wireguard interface and must be routed differently, which can be done via the Firewall Mark. The nixos option `config.networking.wireguard.interface.<name>.fwMark` is of type `types.str` and not `types.int` to allow for specifying the mark as a hexadecimal value.
NixOS · Sep 28, 2022 · 084509a · 084509a
1 parent 5d7d4a2
commit 084509a
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
@@ -137,6 +137,20 @@ let
         See [documentation](https://www.wireguard.com/netns/).
         '';
       };
+
+      fwMark = mkOption {
+        default = null;
+        type = with types; nullOr str;
+        example = "0x6e6978";
+        description = lib.mdDoc ''
+          Mark all wireguard packets originating from
+          this interface with the given firewall mark. The firewall mark can be
+          used in firewalls or policy routing to filter the wireguard packets.
+          This can be useful for setup where all traffic goes through the
+          wireguard tunnel, because the wireguard packets need to be routed
+          differently.
+        '';
+      };
     };
 
   };
@@ -406,6 +420,7 @@ let
           ${concatStringsSep " " (
             [ ''${wg} set "${name}" private-key "${privKey}"'' ]
             ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+            ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
           )}
 
           ${ipPostMove} link set up dev "${name}"