feat(vpn): improve compatibility with other wireguard networks

2025-06-06 20:01:22 +02:00 · 2025-06-06 20:01:22 +02:00 · 9b9e8d5ee6
commit 9b9e8d5ee6
parent ae62bb5cb9
2 changed files with 28 additions and 2 deletions
--- a/system/networking.nix
+++ b/system/networking.nix
@ -50,7 +50,6 @@ in

  systemd.network = {
    enable = true;
-    wait-online.ignoredInterfaces = [ "tailscale0" ];
    networks = {
      "10-lan" = {
        matchConfig.Name = interfaces.lan;
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -15,6 +15,27 @@ in
  networking.wireguard.enable = true;
  networking.firewall.trustedInterfaces = [ tailscaleInterface ];

+  systemd.network = {
+    # Fixes issues with other systemd networks when tailscale exist nodes are used
+    config.networkConfig = {
+      ManageForeignRoutes = false;
+      ManageForeignRoutingPolicyRules = false;
+    };
+    wait-online.ignoredInterfaces = [ "tailscale0" ];
+  };
+
+  services.networkd-dispatcher = {
+    enable = true;
+    rules."50-tailscale" = {
+      onState = [ "routable" ];
+      script = ''
+        for dev in $(${pkgs.iproute2}/bin/ip route show 0/0 | cut -f5 -d' '); do
+          ${lib.getExe pkgs.ethtool} -K "$dev" rx-udp-gro-forwarding on rx-gro-list off
+        done
+      '';
+    };
+  };
+
  services.tailscale = {
    enable = true;
    package = pkgs.unstable.tailscale;
@ -27,7 +48,13 @@ in
    ];
  };

-  systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=auto" ];
+  systemd.services.tailscaled = {
+    serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=auto" ];
+    after = [
+      "network-online.target"
+      "systemd-resolved.service"
+    ];
+  };

  # call taiscale up without --auth-key
  systemd.services.tailscaled-autoconnect = lib.mkIf (cfg.authKeyFile == null) {