generalized not masquerade

hosts/Alaska/modules/protonvpn.nix

@@ -34,6 +34,10 @@ in
       flush chain ip tailscale-wg preraw;
       delete chain ip tailscale-wg preraw;
 
+      add chain ip tailscale-wg postrouting;
+      flush chain ip tailscale-wg postrouting;
+      delete chain ip tailscale-wg postrouting;
+
       table ip tailscale-wg {
         chain preraw {
           type filter hook prerouting priority raw; policy accept;
@@ -44,14 +48,13 @@ in
         }
         chain postrouting {
           type nat hook postrouting priority srcnat; policy accept;
-          iifname "tailscale0" oifname "protonvpn" ip daddr != 100.64.0.1 masquerade;
+          iifname "tailscale0" oifname "protonvpn" ip daddr != 100.64.0.0/16 masquerade;
         }
       }
       EOF
 
       ${pkgs.wireguard-tools}/bin/wg set protonvpn fwmark off
 
-      # ${pkgs.iproute2}/bin/ip route add default via 10.2.0.2 dev tailscale0 table 51820
       # table inet tailscale-wg { for ipv4 + ipv6
       ${pkgs.iproute2}/bin/ip -4 rule del not fwmark 51820 table 51820
       # ${pkgs.iproute2}/bin/ip -6 rule del not fwmark 51820 table 51820
@@ -70,6 +73,10 @@ in
       flush chain ip tailscale-wg preraw;
       delete chain ip tailscale-wg preraw;
 
+      add chain ip tailscale-wg postrouting;
+      flush chain ip tailscale-wg postrouting;
+      delete chain ip tailscale-wg postrouting;
+
       delete table ip tailscale-wg;
       EOF