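# Port-forwarding gateway: traffic arriving on the public interface (enp0s4)
# is DNAT'd to the backend at 10.100.0.2 (presumably a WireGuard peer reached
# via wireguard0 — confirm against the WireGuard configuration).
#
# Every port listed here is reachable from the internet on the backend, so the
# three lists below (host firewall, hand-written nftables NAT table, and
# networking.nat.forwardPorts) must be kept in agreement on both port AND
# protocol. A mismatch silently exposes a port nobody intended to publish.
{ config, lib, pkgs, ... }:
{
  # Ports accepted by the host firewall on this machine itself.
  # NOTE(review): DNAT'd traffic takes the forward path rather than the input
  # path, so these entries may only be needed if this host also listens on the
  # same ports — confirm, and drop any that are not needed.
  networking.firewall.allowedUDPPorts = [
    3478 # Headscale DERP UDP
  ];

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
    42420 # Vintage Story
    25565 # Minecraft
    1443 # Headscale DERP
  ];

  networking = {
    nftables = {
      enable = true;
      # NOTE(review): with networking.nftables.enable = true the NixOS nat
      # module is expected to generate its own DNAT rules from
      # networking.nat.forwardPorts below, which would make this hand-written
      # table redundant. Verify with `nft list ruleset` and keep a single
      # source of truth if so.
      ruleset = ''
        table ip nat {
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "enp0s4" tcp dport 80 dnat to 10.100.0.2:80 # HTTP
            iifname "enp0s4" tcp dport 443 dnat to 10.100.0.2:443 # HTTPS
            iifname "enp0s4" tcp dport 42420 dnat to 10.100.0.2:42420 # Vintage Story
            iifname "enp0s4" tcp dport 25565 dnat to 10.100.0.2:25565 # Minecraft
            iifname "enp0s4" tcp dport 1443 dnat to 10.100.0.2:1443 # Headscale DERP (tcp)
            # Fixed: this rule previously matched "tcp dport 3478" although it is
            # the UDP forward. That left TCP 3478 forwarded to the backend (a port
            # not published anywhere else in this file) and UDP 3478 unmatched here.
            iifname "enp0s4" udp dport 3478 dnat to 10.100.0.2:3478 # Headscale DERP (udp)
          }
        }
      '';
    };

    nat = {
      enable = true;
      internalInterfaces = [ "wireguard0" ];
      externalInterface = "enp0s4";
      forwardPorts = [
        # Headscale DERP (udp)
        {
          destination = "10.100.0.2:3478";
          proto = "udp";
          sourcePort = 3478;
        }
        # HTTP
        {
          destination = "10.100.0.2:80";
          proto = "tcp";
          sourcePort = 80;
        }
        # HTTPS
        {
          destination = "10.100.0.2:443";
          proto = "tcp";
          sourcePort = 443;
        }
        # Vintage Story
        {
          destination = "10.100.0.2:42420";
          proto = "tcp";
          sourcePort = 42420;
        }
        # Minecraft
        {
          destination = "10.100.0.2:25565";
          proto = "tcp";
          sourcePort = 25565;
        }
        # Headscale DERP (tcp)
        {
          destination = "10.100.0.2:1443";
          proto = "tcp";
          sourcePort = 1443;
        }
      ];
    };
  };
}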