From 97067691f3694a190ad007d1c61d01a0b862c140 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 19 Sep 2025 14:08:05 +0200
Subject: [PATCH] Forward traffic from apex to ethernet via NAT
---
 m/apex/wireguard.nix | 2 +-
 m/raccoon/wireguard.nix | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/m/apex/wireguard.nix b/m/apex/wireguard.nix
index 6cb42bb7..14a03036 100644
--- a/m/apex/wireguard.nix
+++ b/m/apex/wireguard.nix
@@ -28,7 +28,7 @@
 {
 name = "raccoon";
 publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
- allowedIPs = [ "10.106.0.236/32" ];
+ allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" ];
 }
 ];
 };
diff --git a/m/raccoon/wireguard.nix b/m/raccoon/wireguard.nix
index 31f7d699..1549c1ed 100644
--- a/m/raccoon/wireguard.nix
+++ b/m/raccoon/wireguard.nix
@@ -1,6 +1,13 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 {
+ networking.nat = {
+ enable = true;
+ enableIPv6 = false;
+ externalInterface = "eno0";
+ internalInterfaces = [ "wg0" ];
+ };
+
 networking.firewall = {
 allowedUDPPorts = [ 666 ];
 };
@@ -25,8 +32,9 @@
 {
 name = "apex";
 publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
- allowedIPs = [ "10.106.0.30/32" ];
+ allowedIPs = [ "10.106.0.30/32" "192.168.0.0/16" ];
 endpoint = "ssfhead.bsc.es:666";
+ persistentKeepalive = 25;
 }
 ];
 };
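Review bot: In m/apex/wireguard.nix, `"192.168.0.0/16"` on the raccoon peer is wider than the "ethernet" named in the subject, and allowedIPs on apex is both the outbound route selector and the inbound source filter for that peer. If this interface installs allowedIPs as routes (the NixOS default for `networking.wireguard`, not visible in this hunk), every 192.168.x.x destination on apex goes into the tunnel and raccoon may source packets from the whole /16. Narrow it to the subnet actually behind raccoon's `eno0`, e.g. `allowedIPs = [ "10.106.0.236/32" "<ethernet-subnet>/<prefix>" ];`, with a comment naming that network. The peer list starts and ends outside the hunk.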
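Review bot: In m/raccoon/wireguard.nix, `internalInterfaces = [ "wg0" ];` turns raccoon into a NAT gateway for every peer on wg0, not only apex, and nothing in the visible lines limits which hosts behind `eno0` can be reached. If only apex is meant to use it, scope the masquerade by source with `internalIPs = [ "10.106.0.30/32" ];` instead, and add forward filtering if destinations should be restricted, since enabling NAT also enables IP forwarding and the NixOS firewall does not filter forwarded packets unless configured to. `pkgs` is added to the argument set but is not used in any line shown, so drop it unless the rest of the file needs it. A one-line comment above `networking.nat` stating the intended path (apex → wg0 → eno0) would document why forwarding is on.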
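Review bot: In the second hunk of m/raccoon/wireguard.nix, adding `"192.168.0.0/16"` to the apex peer looks unnecessary for the direction named in the subject and may work against it. Packets from apex arrive with source 10.106.0.30, which the existing /32 already admits; the new entry additionally lets apex send packets with any 192.168.x.x source and, where allowedIPs are installed as routes, points the /16 at wg0 on the very host that owns the ethernet side. Unless a 192.168 network really sits behind apex, keep `allowedIPs = [ "10.106.0.30/32" ];` here and leave the wider range only on apex's raccoon peer. `persistentKeepalive = 25;` would benefit from a short comment on why raccoon must keep the path open (presumably it is behind NAT or a stateful firewall); the enclosing peer list starts outside the hunk.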