From 1d2cb130cf672b74400ade0184c8d6005b0c1c31 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 14 Nov 2024 03:49:23 +0100
Subject: [PATCH] update firewall rules to allow upnp requests
---
 modules/services/wgautomesh.nix | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/services/wgautomesh.nix b/modules/services/wgautomesh.nix
index e42c6b8..435ea7e 100644
--- a/modules/services/wgautomesh.nix
+++ b/modules/services/wgautomesh.nix
@@ -40,9 +40,19 @@ in {
 default = true;
 };
 config = {
- networking.firewall.allowedUDPPorts = [
- wireguardPort
- ];
+ networking.firewall = {
+ allowedUDPPorts = [
+ wireguardPort
+ ];
+ extraCommands = ''
+ # Allow UDP packets comming from port 1900 from a local address,
+ # these are necessary for UPnP/IGD
+ iptables -A INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT
+ '';
+ extraStopCommands = ''
+ iptables -D INPUT -s 192.168.0.0/16 -p udp --sport 1900 -j ACCEPT
+ '';
+ };
 networking.wireguard.interfaces.wg0 = {
 ips =