diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index 28cdcb220f4..b256521c3d4 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -647,6 +647,12 @@
guide on how to migrate your Neo4j instance.
+
+
+ The networking.wireguard module now can set
+ the mtu on interfaces and tag its packets with an fwmark.
+
+
The services.matrix-synapse systemd unit
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index f956c56ffb5..5e98e1fde75 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -217,6 +217,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
+- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
+
- The `services.matrix-synapse` systemd unit has been hardened.
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 23b3008f02d..6a5d7c6b041 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -137,6 +137,33 @@ let
See [documentation](https://www.wireguard.com/netns/).
'';
};
+
+ fwMark = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ example = "0x6e6978";
+ description = lib.mdDoc ''
+ Mark all wireguard packets originating from
+ this interface with the given firewall mark. The firewall mark can be
+ used in firewalls or policy routing to filter the wireguard packets.
+ This can be useful for setup where all traffic goes through the
+ wireguard tunnel, because the wireguard packets need to be routed
+ differently.
+ '';
+ };
+
+ mtu = mkOption {
+ default = null;
+ type = with types; nullOr int;
+ example = 1280;
+ description = lib.mdDoc ''
+ Set the maximum transmission unit in bytes for the wireguard
+ interface. Beware that the wireguard packets have a header that may
+ add up to 80 bytes to the mtu. By default, the MTU is (1500 - 80) =
+ 1420. However, if the MTU of the upstream network is lower, the MTU
+ of the wireguard network has to be adjusted as well.
+ '';
+ };
};
};
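Review bot: `fwMark` is declared as `nullOr str`, yet the value is later spliced straight into the `wg set … fwmark "${values.fwMark}"` command in the last hunk, so a typo or an unexpected string passes Nix evaluation and only fails (or is silently misparsed) when the unit runs at activation. wg accepts a decimal or 0x-prefixed 32-bit mark or `off`, so the type can validate that at eval time, e.g. `type = with types; nullOr (either ints.u32 (strMatching "^(0x[0-9a-fA-F]{1,8}|off)$"));`, which also keeps shell metacharacters out of the generated script. The same applies to `mtu`, where `nullOr int` accepts 0 or negative values that `ip link set … mtu` will reject; `type = with types; nullOr ints.positive;` documents the constraint and fails early. Consider also stating in the fwMark description that the mark applies to the encrypted outer packets on the underlying interface, not to traffic inside the tunnel, since that is what makes it usable for policy routing of the tunnel itself.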
@@ -398,6 +425,7 @@ let
${ipPreMove} link add dev "${name}" type wireguard
${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
+ ${optionalString (values.mtu != null) ''${ipPreMove} link set "${name}" mtu ${toString values.mtu}''}
${concatMapStringsSep "\n" (ip:
''${ipPostMove} address add "${ip}" dev "${name}"''
@@ -406,6 +434,7 @@ let
${concatStringsSep " " (
[ ''${wg} set "${name}" private-key "${privKey}"'' ]
++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+ ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
)}
${ipPostMove} link set up dev "${name}"