A NixOS module which lets you route traffic from systemd services through a VPN while preventing DNS leaks.
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
};
outputs = { self, nixpkgs, vpn-confinement, ... }:
{
# Change hostname, system, etc. as needed.
nixosConfigurations.hostname = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./configuration.nix
vpn-confinement.nixosModules.default
];
};
};
}vpnNamespaces.<name> = { # The name is limited to 7 characters
enable = true;
wireguardConfigFile = <path to secret wireguard config file>;
accessibleFrom = [
"<ip or subnet>"
];
portMappings = [{
from = <port on host>;
to = <port in VPN network namespace>;
protocol = "<transport protocol>"; # protocol = "tcp"(default), "udp", or "both"
}];
openVPNPorts = [{
port = <port to access through VPN interface>;
protocol = "<transport protocol>"; # protocol = "tcp"(default), "udp", or "both"
}];
};systemd.services.<name>.vpnConfinement = {
enable = true;
vpnNamespace = "<network namespace name>";
};# configuration.nix
{ pkgs, lib, config, ... }:
{
# Define VPN network namespace
vpnNamespaces.wg = {
enable = true;
wireguardConfigFile = /. + "/secrets/wg0.conf";
accessibleFrom = [
"192.168.0.0/24"
];
portMappings = [
{ from = 9091; to = 9091; }
];
openVPNPorts = [{
port = 60729;
protocol = "both";
}];
};
# Add systemd service to VPN network namespace.
systemd.services.transmission.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.transmission = {
enable = true;
settings = {
"rpc-bind-address" = "192.168.15.1"; # Bind RPC/WebUI to bridge address
};
};
}See all options and their descriptions in the module file.