From 8679912bfb8a2349599002ec93af4c4ee2ffcedb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Wed, 27 Dec 2023 15:50:17 +0100
Subject: [PATCH] fix(vpn): exclude tailscale from Mullvad VPN routing
---
 system/vpn.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/system/vpn.nix b/system/vpn.nix
index a64460f..63fd1ee 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -34,4 +34,28 @@
 fi
 '';
 };
+
+ # Exclude Tailscale from Mullvad VPN
+ networking.firewall.extraCommands = ''
+ ${pkgs.nftables}/bin/nft -f ${
+ pkgs.writeText "mullvad-incoming" ''
+ table inet allow-tailscale {
+ chain exclude-dns {
+ type filter hook output priority -10; policy accept;
+ ip daddr 100.00.100.100 udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip daddr 100.00.100.100 tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain exclude-outgoing {
+ type route hook output priority 0; policy accept;
+ ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ chain allow-incoming {
+ type filter hook input priority -100; policy accept;
+ iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ }
+ ''
+ }
+ '';
 }
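Review bot: The two `exclude-dns` rules match `ip daddr 100.00.100.100`, which is not Tailscale's MagicDNS resolver 100.100.100.100 (and lies outside the 100.64.0.0/10 range that `exclude-outgoing` covers), so DNS queries to MagicDNS never receive the exclusion mark from this chain; both rules should read `ip daddr 100.100.100.100 …`. Loading is also not idempotent: `extraCommands` runs each time the firewall service is started or reloaded, and `nft -f` of a `table … { chain … }` block appends to chains that already exist, so the rules duplicate on every reload — prefix the file with `add table inet allow-tailscale` and `flush table inet allow-tailscale`, and consider an `extraStopCommands` with `delete table inet allow-tailscale` so the marks go away when the firewall is stopped. Note that `networking.firewall.extraCommands` belongs to the iptables-based firewall; if this host sets `networking.nftables.enable` (the enclosing attribute set and the rest of vpn.nix are outside the hunk), the rules should go into `networking.nftables.tables` instead. The `writeText` name `mullvad-incoming` no longer describes the content now that the file carries output and route chains as well; a name matching the table, such as `allow-tailscale.nft`, would read better.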