How to have all internet traffic run over WireGuard (Mullvad VPN) except for specific services?

Help
1

Now that my VPN provider Mullvad has removed support for forwarded ports I need a new solution for two services: plex and ssh.

I am not very knowledgeable about networking stuff, but I guess what I want is for plex and ssh to be the only two services not connecting to the outside world via Mullvad (currently configured, by trial and error, using networking.wg-quick).

Any help and pointers much appreciated!

My NixOS network configuration (with some details changed or removed) below, with the port forwarding solution that worked until Mullvad dropped support. (I use both Zerotier and Mullvad which has worked without problems—that I have noticed—so far.)

  networking.hostName = "my-hostname";
  networking.hostId = "my-host-id";

  networking.firewall.enable = true;

  networking.defaultGateway = "192.168.1.1";

  networking.nameservers = [
    "192.168.1.1"
    "8.8.8.8"
  ];


  # LOCAL NETWORK

  networking.interfaces.enp8s0.ipv4.addresses = [
    { address = "192.168.1.76"; prefixLength = 24; }
  ];


  # ZEROTIER

  services.zerotierone.enable = true;
  services.zerotierone.joinNetworks = ["my-zerotier-network"];

  networking.firewall.interfaces.zt0.allowedTCPPorts = [
    9999 # for a service I only want accessible on my Zerotier network
  ];


  # MULLVAD VPN VIA WIREGUARD

  # wireguard configuration
  networking.wg-quick.interfaces.mullvad = {
    privateKeyFile = "path/to/private/key-file";
    dns = [ "dns-from-mullvad-wg-server.conf-file" ];
    address = [
      "IPv4-address-from-mullvad-wg-server.conf-file"
      "IPv6-address-from-mullvad-wg-server.conf-file"
    ];
    peers = [{
      allowedIPs = [
        "0.0.0.0/0"
        "::/0"
      ];
    publicKey = "publickey-from-mullvad-wg-server.conf-file";
    endpoint = "endpoint-from-mullvad-wg-server.conf-file";
    }];
  };

  # ports assigned by mullvad
  networking.firewall.interfaces.mullvad.allowedTCPPorts = [
    56100 # for ssh, redirect below
    56101 # for plex, redirected below
  ];

  # redirect mullvad ports
  networking.firewall.extraCommands = ''
    iptables -t nat -I PREROUTING 1 -p tcp --dport 56101 -j REDIRECT --to 32400 # plex
    iptables -t nat -I PREROUTING 2 -p tcp --dport 56100 -j REDIRECT --to 22 # ssh
  '';
  networking.firewall.extraStopCommands = ''
    iptables -t nat -D PREROUTING 2
    iptables -t nat -D PREROUTING 1
  '';
1 Like