modules/nixos/protonvpn.nix

@@ -1,9 +1,13 @@
 { config, lib, pkgs, ... }:
 
 {
-  networking.firewall.checkReversePath = false;
+  # protonvpn uses wireguard tunnels, which break strict reverse path filtering
+  # because packets arrive on the tunnel interface but may be routed back differently.
+  # "loose" checks that the source is routable through *any* interface (not necessarily
+  # the same one), which is sufficient for wireguard while still preventing IP spoofing.
+  networking.firewall.checkReversePath = "loose";
+
   environment.systemPackages = with pkgs; [
-    wireguard-tools
     protonvpn-gui
   ];
 }