From 9a8090dac2e4108962052fde42a4f897ae4eee14 Mon Sep 17 00:00:00 2001
From: aaron
Date: Sat, 21 Mar 2026 16:45:09 +0100
Subject: [PATCH] refactor(wireguard): set checkReversePath to loose instead of false

---
 modules/nixos/protonvpn.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/nixos/protonvpn.nix b/modules/nixos/protonvpn.nix
index 19e8af8..956f120 100644
--- a/modules/nixos/protonvpn.nix
+++ b/modules/nixos/protonvpn.nix
@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 {
-  networking.firewall.checkReversePath = false;
+  # protonvpn uses wireguard tunnels, which break strict reverse path filtering
+  # because packets arrive on the tunnel interface but may be routed back differently.
+  # "loose" checks that the source is routable through *any* interface (not necessarily
+  # the same one), which is sufficient for wireguard while still preventing IP spoofing.
+  networking.firewall.checkReversePath = "loose";
+
   environment.systemPackages = with pkgs; [
-    wireguard-tools
     protonvpn-gui
   ];
 }
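Review bot: The new comment's last clause, "while still preventing IP spoofing", overstates what loose reverse-path filtering gives you: in loose mode a packet is only dropped when its source address is unroutable via every interface, so a spoofed source that is routable anywhere (including through the tunnel's default route) is still accepted. I would rephrase it to `# "loose" only rejects packets whose source address is not routable via any interface, so it blocks far less spoofing than "strict" but more than disabling the check entirely.` so the next reader does not treat this as equivalent protection. Separately, the hunk also drops `wireguard-tools` from `environment.systemPackages`, which the subject and description do not mention; either split that into its own commit or note in the description why it is no longer needed. The hunk header says the old side is 9 lines and the new 13, but only 8 and 12 are recoverable from this collapsed patch, so one whitespace-only context line was presumably lost in transit.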