unofficial mirror of guix-devel@gnu.org 
From: crodges <crodges@csphy.pw>
To: guix-devel@gnu.org, Maxime Devos <maximedevos@telenet.be>
Subject: Re: Wireguard
Date: Wed, 22 Sep 2021 09:03:58 -0700
Message-ID: <5121813.v3WT2HIqr8@sceadufaex>
In-Reply-To: <a601f31f8fc4ee16ed5dd687c609e93830e31fd0.camel@telenet.be>

On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> > Hello everyone,
> > 
> > Let me start by thanking you for developing such an interesting project in
> > GNU Guix. Also, I don't want to take up anyone's time, so you can just
> > point to documentation or another resource succinctly and I'll do my best.
> > I'm writing here because I tried the help list but got no answer so far,
> > after a few days.
> > 
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
> 
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
> 
> > As I remember, I need to allow ip forwarding using
> > 
> > sysctl net.ipv4.ip_forward=1
> > 
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> > 
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> 
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
> 
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> 
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix.  The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
> 
> > If they don't exist, where would be a reasonable place to add these
> > configurations?
> 
> <wireguard-configuration> and wireguard-configuration-file in (gnu services
> vpn) it would seem.  Also, sysctl-service-type would need to be extended
> (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
> 
> > I'm trying to do everything the guix way, when I finish this
> > machine configuration, I'd like it to be fully replicable.
> > 
> > Also, is this something that I could solve modifying the wireguard service
> > definition itself?
> 
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to <wireguard-configuration>, which would need to be set to the
> commands above.  However, these strings seem rather complicated for the
> uninitiated, so I'd recommend something more high-level instead.  Some
> interface like
> 
>   (wireguard-configuration
>     [...]
>     (addresses ...)
>     (peers ...)
>     (forward? #t))
> 
> perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
> 
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issues (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> So explaining forward? to laypeople might take some care.
> 
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
> 
> Greetings,
> Maxime.
Thanks for the pointers Maxime.

I'm not an expert in networking but I can briefly tell about my use case here.
Basically my setup accomplishes two things: any machine connected to the
server running guix and wireguard should be able to browse the internet like a
normal vpn (using the server's ip address) and any client theoretically could
see each other. Right now I use this capability to play 0ad with friends; in
the future there will be apps running in different clients, accessible to
anyone inside the vpn.

That said, I'm back here to ask one more thing. I cloned guix and followed the
manual to create a --pure environment and authenticated the commits. This
machine is a different one from my server; here I have guix running on top of
manjaro (an arch gnu/linux flavor).

I started changing code inside vpn.scm and my approach was to "make && make 
check" after changes to see if it would still build. But this week, after a 
git pull to update the repo and using make, I'm now greeted with

error: failed to load 'gnu/packages/perl.scm':
ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>: 
record ABI mismatch; recompilation needed

I will still spend some time with this error, but I found it worth asking: is
this approach of "make && make check" a reasonable one? Is there a way to test
a guix system without installing it? Packages I know we can, but system
capabilities like vpn I'm not sure. Finally, where can I get more information
about submitting patches, including the proper way to do it, to guix?

thanks again,
crodges
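As an added example (not code from the thread, nor Guix's own service code), this is one way to declare in Guile Scheme what Maxime outlines above: the sysctl extension plus the PostUp/PostDown rules crodges quotes. It assumes eth0 as the uplink, wg0 as the VPN interface, a 10.0.0.0/24 VPN range, a placeholder peer key, and that `<wireguard-configuration>` carries `post-up`/`post-down` fields, which current Guix has but the 2021 tree discussed here did not.

```scheme
;; Added example, not code from the thread or from Guix itself.
;; Assumptions: uplink interface eth0, WireGuard interface wg0, VPN subnet
;; 10.0.0.0/24, and that <wireguard-configuration> has post-up/post-down
;; fields (added to Guix after this 2021 thread; check the (guix)VPN
;; Services manual node of the Guix you run before relying on them).
(use-modules (gnu)
             (gnu services sysctl)
             (gnu services vpn)
             (ice-9 string-fun))

(define %vpn-subnet "10.0.0.0/24")

;; The IPv4 half of the rules crodges quotes, narrowed with -s so that only
;; traffic from the VPN range is forwarded and masqueraded, rather than
;; anything that happens to arrive on wg0.  The ip6tables pair follows the
;; same pattern with an IPv6 VPN range.
(define %wg-forward-rules
  (list (string-append "iptables -A FORWARD -i wg0 -s " %vpn-subnet " -j ACCEPT")
        (string-append "iptables -t nat -A POSTROUTING -s " %vpn-subnet
                       " -o eth0 -j MASQUERADE")))

;; wg-quick runs PostDown at teardown; deleting (-D) exactly what PostUp
;; appended (-A) keeps the firewall clean across service restarts.
(define %wg-forward-teardown
  (map (lambda (rule) (string-replace-substring rule " -A " " -D "))
       %wg-forward-rules))

(define %wireguard-forwarding-services
  (list
   ;; The sysctl side Maxime mentions: extend sysctl-service-type instead of
   ;; running `sysctl net.ipv4.ip_forward=1` by hand, so the setting is part
   ;; of the declared system and survives `guix system reconfigure`.
   (simple-service 'wireguard-ip-forward sysctl-service-type
                   '(("net.ipv4.ip_forward" . "1")))
   (service wireguard-service-type
            (wireguard-configuration
             (interface "wg0")
             (addresses '("10.0.0.1/24"))
             (port 51820)
             (peers (list (wireguard-peer
                           (name "desktop")
                           (public-key "PLACEHOLDER-DESKTOP-PUBLIC-KEY")
                           (allowed-ips '("10.0.0.2/32")))))
             (post-up %wg-forward-rules)
             (post-down %wg-forward-teardown)))))

;; Use in an operating-system declaration:
;;   (services (append %wireguard-forwarding-services %base-services))
```

Because the sysctl setting and the firewall rules are now part of the system declaration, they are reproduced on every reconfigure, which is the replicability crodges asks for.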
