* Wireguard
From: crodges @ 2021-08-29 21:53 UTC (permalink / raw)
To: guix-devel
Hello everyone,
Let me start by thanking you for developing such an interesting project in GNU
Guix. Also, I don't want to take up anyone's time, so you can just point me to
documentation or other resources succinctly and I'll do my best. I'm writing
here because I tried the help list but got no answer so far, after a few days.
I managed to configure wireguard on a vps running guix and created clients for
my desktop and cellphone. What I want to do (and did already in a Debian vps)
is to make wireguard's lan accessible to anyone connected and also browse the
internet using this vpn.
As I remember, I need to allow ip forwarding using
sysctl net.ipv4.ip_forward=1
and I also need to put these rules into wireguard (the server) under
[interface],
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING
-o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat
-A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Problem is, looking at the latest guix manual, PostUp and PostDown don't
seem to exist yet. Do they exist but are still undocumented?
If they don't exist, where would be a reasonable place to add these
configurations? I'm trying to do everything the guix way; when I finish this
machine configuration, I'd like it to be fully replicable.
Also, is this something that I could solve modifying the wireguard service
definition itself?
Thanks,
crodges
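The PostUp/PostDown rules quoted above, as an added example that is not part of the original post or of Guix: a small POSIX sh generator that renders the forwarding and NAT rules as idempotent commands and as the two wg0.conf lines. The interface names (wg0, eth0) and the tunnel subnet (10.8.0.0/24) are constructed values. It differs from the rules in the post in two defensive ways: forwarding is limited to the tunnel subnet and tracked connection state instead of accepting everything that arrives on wg0 (the original rules only work while the kernel's default FORWARD policy is ACCEPT, which means that once ip_forward=1 the VPS forwards between all of its interfaces), and every rule is checked with -C before it is appended, so a repeated PostUp does not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix: render a WireGuard
# server's forwarding and NAT rules as idempotent wg-quick PostUp/PostDown
# commands. All values below are constructed for illustration; override them
# through the environment (WG_IF=wg0 OUT_IF=eth0 WG_NET=10.8.0.0/24 ./wg-forward.sh).
WG_IF="${WG_IF:-wg0}"
OUT_IF="${OUT_IF:-eth0}"
WG_NET="${WG_NET:-10.8.0.0/24}"

# One rule per line: "<table> <chain> <rule spec>".
#  1. tunnel -> uplink: only traffic sourced from the tunnel subnet.
#  2. uplink -> tunnel: replies to connections the peers opened, nothing else.
#  3. tunnel -> tunnel: peers may reach each other through the server.
#  4. NAT: hide the tunnel subnet behind the uplink address.
# Rules 1 and 2 keep working once the FORWARD chain's policy is set to DROP,
# which "-A FORWARD -i wg0 -j ACCEPT" on its own does not.
forward_rules() {
  cat <<EOF
filter FORWARD -i $WG_IF -s $WG_NET -o $OUT_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i $OUT_IF -o $WG_IF -d $WG_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i $WG_IF -o $WG_IF -s $WG_NET -d $WG_NET -j ACCEPT
nat POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE
EOF
}

# render_rules up|down: print one shell command per rule. "up" checks with -C
# before appending, so re-running PostUp never duplicates a rule; "down" deletes
# the identical rule spec, so PostDown is the exact inverse of PostUp.
render_rules() {
  case "$1" in
    up|down) ;;
    *) echo "usage: render_rules up|down" >&2; return 2 ;;
  esac
  forward_rules | while IFS= read -r rule; do
    table=${rule%% *}; rest=${rule#* }
    chain=${rest%% *}; spec=${rest#* }
    if [ "$1" = up ]; then
      printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$table" "$chain" "$spec" "$table" "$chain" "$spec"
    else
      printf 'iptables -t %s -D %s %s\n' "$table" "$chain" "$spec"
    fi
  done
}

# join_semicolon: fold stdin lines into one "a; b; c" line (no external tools).
join_semicolon() {
  out=""
  while IFS= read -r line; do
    out="${out:+$out; }$line"
  done
  printf '%s\n' "$out"
}

# wg_quick_fragment: the two [Interface] lines to paste into wg0.conf.
# wg-quick runs each value as a single shell command line, hence the joins.
wg_quick_fragment() {
  printf 'PostUp = %s\n' "$(render_rules up | join_semicolon)"
  printf 'PostDown = %s\n' "$(render_rules down | join_semicolon)"
}

# No argument: print the wg0.conf lines. "up"/"down": execute the commands
# (needs root and iptables on the host).
case "${1:-render}" in
  up|down) render_rules "$1" | sh -e ;;
  render)  wg_quick_fragment ;;
esac
```

Run it without arguments to get the PostUp/PostDown lines for the [Interface] section; `up` and `down` apply or remove the rules directly. IPv6 follows the same pattern with ip6tables and the tunnel's IPv6 prefix in place of WG_NET.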
* Re: Wireguard
From: Maxime Devos @ 2021-09-01 7:07 UTC (permalink / raw)
To: crodges, guix-devel
crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> Hello everyone,
>
> Let me start by thanking you for developing such an interesting project in GNU
> Guix. Also, I don't want to take up anyone's time, so you can just point me to
> documentation or other resources succinctly and I'll do my best. I'm writing
> here because I tried the help list but got no answer so far, after a few days.
>
> I managed to configure wireguard on a vps running guix and created clients for
> my desktop and cellphone. What I want to do (and did already in a Debian vps)
> is to make wireguard's lan accessible to anyone connected and also browse the
> internet using this vpn.
The Wireguard service as defined in Guix System doesn't currently support the
forwarding you appear to describe ...
> As I remember, I need to allow ip forwarding using
>
> sysctl net.ipv4.ip_forward=1
>
> and I also need to put these rules into wireguard (the server) under
> [interface],
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING
> -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
However, I don't see why this couldn't be implemented in Guix System
(after some changes to wireguard-service-type).
> Problem is, looking at the latest guix manual, PostUp and PostDown don't
> seem to exist yet. Do they exist but are still undocumented?
Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
from Guix. The configuration file is created in wireguard-configuration-file
(in gnu/services/vpn.scm), maybe you can modify that.
> If they don't exist, where would be a reasonable place to add these
> configurations?
<wireguard-configuration> and wireguard-configuration-file in (gnu services vpn)
it would seem. Also, sysctl-service-type would need to be extended (in
the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
appropriately.
> I'm trying to do everything the guix way; when I finish this
> machine configuration, I'd like it to be fully replicable.
>
> Also, is this something that I could solve modifying the wireguard service
> definition itself?
If replicability is all you need, you could add ‘postdown’ and ‘postup’
options to <wireguard-configuration>, which would need to be set to the
commands above. However, these strings seem rather complicated for the
uninitiated, so I'd recommend something more high-level instead. Some
interface like
(wireguard-configuration
[...]
(addresses ...)
(peers ...)
(forward? #t))
perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN Services.
(Maybe add some example situations on how forward? can be used and how it functions.)
I want to note that I don't understand what exactly you're doing, I only understand
that there is some forwarding going on, and I'm not unfamiliar with networking issues
(e.g. I recently figured out why I couldn't connect to the Internet with the
ISP-provided ‘4G minimodem’ -- DNS was b0rken). So explaining forward? to laypeople
might take some care.
Writing a corresponding ‘system test’ in gnu/tests/networking.scm is recommended.
Greetings,
Maxime.
* Re: Wireguard
From: crodges @ 2021-09-22 16:03 UTC (permalink / raw)
To: guix-devel, Maxime Devos
On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > Hello everyone,
> >
> > Let me start by thanking you for developing such an interesting project in GNU
> > Guix. Also, I don't want to take up anyone's time, so you can just point
> > me to documentation or other resources succinctly and I'll do my best. I'm
> > writing here because I tried the help list but got no answer so far, after a
> > few days.
> >
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
>
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
> >
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
>
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
>
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix. The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
>
> > If they don't exist, where would be a reasonable place to add these
> > configurations?
>
> <wireguard-configuration> and wireguard-configuration-file in (gnu services
> vpn) it would seem. Also, sysctl-service-type would need to be extended
> (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
>
> > I'm trying to do everything the guix way; when I finish this
> > machine configuration, I'd like it to be fully replicable.
> >
> > Also, is this something that I could solve modifying the wireguard service
> > definition itself?
>
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to <wireguard-configuration>, which would need to be set to the
> commands above. However, these strings seem rather complicated for the
> uninitiated, so I'd recommend something more high-level instead. Some
> interface like
>
> (wireguard-configuration
> [...]
> (addresses ...)
> (peers ...)
> (forward? #t))
>
> perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
>
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issues (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> So explaining forward? to laypeople might take some care.
>
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
>
> Greetings,
> Maxime.
Thanks for the pointers Maxime.
I'm not an expert in networking but I can briefly tell about my use case here.
Basically, my setup accomplishes two things: any machine connected to the
server running guix and wireguard should be able to browse the internet like a
normal vpn (using the server's ip address) and any client theoretically could
see each other. Right now I use this capability to play 0ad with friends; in
the future there will be apps running in different clients, accessible to
anyone inside the vpn.
That said, I'm back here to ask one more thing. I cloned guix and followed the
manual to create a --pure environment and authenticated the commits. This
machine is a different one from my server; here I have guix running on top of
manjaro (an arch gnu/linux flavor).
I started changing code inside vpn.scm and my approach was to "make && make
check" after changes to see if it would still build. But this week, after a
git pull to update the repo and using make, I'm now greeted with
error: failed to load 'gnu/packages/perl.scm':
ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
record ABI mismatch; recompilation needed
I will still spend some time with this error, but I found it worth asking: is
this approach of "make && make check" a reasonable one? Is there a way to test
a guix system without installing it? Packages I know we can, but system
capabilities like vpn I'm not sure. Finally, where can I get more information
about submitting patches to guix, including the proper way to do it?
thanks again,
crodges
* Re: Wireguard
From: crodges @ 2021-09-22 16:27 UTC (permalink / raw)
To: guix-devel, Maxime Devos
On Wednesday, September 22, 2021 9:03:58 A.M. PDT crodges wrote:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > >
> > > Let me start by thanking you for developing such an interesting project in
> > > GNU Guix. Also, I don't want to take up anyone's time, so you can just point
> > > me to documentation or other resources succinctly and I'll do my best. I'm
> > > writing here because I tried the help list but got no answer so far, after a
> > > few days.
> > >
> > > I managed to configure wireguard on a vps running guix and created
> > > clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > and
> > > also browse the internet using this vpn.
> >
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> >
> > > As I remember, I need to allow ip forwarding using
> > >
> > > sysctl net.ipv4.ip_forward=1
> > >
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > >
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > >
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> >
> > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > don't seem to exist yet. Do they exist but are still undocumented?
> >
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix. The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> >
> > > If they don't exist, where would be a reasonable place to add these
> > > configurations?
> >
> > <wireguard-configuration> and wireguard-configuration-file in (gnu
> > services
> > vpn) it would seem. Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set
> > net.ipv4.ip_forward
> > appropriately.
> >
> > > I'm trying to do everything the guix way; when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > >
> > > Also, is this something that I could solve modifying the wireguard
> > > service
> > > definition itself?
> >
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to <wireguard-configuration>, which would need to be set to the
> > commands above. However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead. Some
> > interface like
> >
> > (wireguard-configuration
> >
> > [...]
> > (addresses ...)
> > (peers ...)
> > (forward? #t))
> >
> > perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> >
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issues (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > So explaining forward? to laypeople might take some care.
> >
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> >
> > Greetings,
> > Maxime.
>
> Thanks for the pointers Maxime.
>
> I'm not an expert in networking but I can briefly tell about my use case
> here. Basically, my setup accomplishes two things: any machine connected to
> the server running guix and wireguard should be able to browse the internet
> like a normal vpn (using the server's ip address) and any client
> theoretically could see each other. Right now I use this capability to play
> 0ad with friends, in the future there will be apps running in different
> clients, accessible to anyone inside vpn.
>
> That said, I'm back here to ask one more thing. I cloned guix and followed
> the manual to create a --pure environment and authenticated the commits.
> This machine is a different one from my server, here I have guix running on
> top of manjaro (an arch gnu/linux flavor).
>
> I started changing code inside vpn.scm and my approach was to "make && make
> check" after changes to see if it would still build. But this week, after a
> git pull to update the repo and using make, I'm now greeted with
>
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
> record ABI mismatch; recompilation needed
>
> I will still spend some time with this error, but I found it worth asking: is
> this approach of "make && make check" a reasonable one? Is there a way to
> test a guix system without installing it? Packages I know we can, but
> system capabilities like vpn I'm not sure. Finally, where can I get more
> information about submitting patches, including the proper way to do it, to
> guix?
>
> thanks again,
> crodges
Ignore the patches question, I found it very well explained in the manual :)
* Re: Wireguard
From: Maxime Devos @ 2021-09-22 17:23 UTC (permalink / raw)
To: crodges, guix-devel
crodges wrote on Wed 22-09-2021 at 09:03 [-0700]:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > >
> > > Let me start by thanking you for developing such an interesting project in GNU
> > > Guix. Also, I don't want to take up anyone's time, so you can just point
> > > me to documentation or other resources succinctly and I'll do my best. I'm
> > > writing here because I tried the help list but got no answer so far, after a
> > > few days.
> > >
> > > I managed to configure wireguard on a vps running guix and created clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > > also browse the internet using this vpn.
> >
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> >
> > > As I remember, I need to allow ip forwarding using
> > >
> > > sysctl net.ipv4.ip_forward=1
> > >
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > >
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > >
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> >
> > > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > > seem to exist yet. Do they exist but are still undocumented?
> >
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix. The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> >
> > > If they don't exist, where would be a reasonable place to add these
> > > configurations?
> >
> > <wireguard-configuration> and wireguard-configuration-file in (gnu services
> > vpn) it would seem. Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> > appropriately.
> >
> > > I'm trying to do everything the guix way; when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > >
> > > Also, is this something that I could solve modifying the wireguard service
> > > definition itself?
> >
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to <wireguard-configuration>, which would need to be set to the
> > commands above. However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead. Some
> > interface like
> >
> > (wireguard-configuration
> > [...]
> > (addresses ...)
> > (peers ...)
> > (forward? #t))
> >
> > perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> >
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issues (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > So explaining forward? to laypeople might take some care.
> >
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> >
> > Greetings,
> > Maxime.
> Thanks for the pointers Maxime.
>
> I'm not an expert in networking but I can briefly tell about my use case here.
> Basically, my setup accomplishes two things: any machine connected to the
> server running guix and wireguard should be able to browse the internet like a
> normal vpn (using the server's ip address) and any client theoretically could
> see each other. Right now I use this capability to play 0ad with friends, in
> the future there will be apps running in different clients, accessible to
> anyone inside vpn.
>
> That said, I'm back here to ask one more thing. I cloned guix and followed the
> manual to create a --pure environment and authenticated the commits. This
> machine is a different one from my server, here I have guix running on top of
> manjaro (an arch gnu/linux flavor).
>
> I started changing code inside vpn.scm and my approach was to "make && make
> check" after changes to see if it would still build. But this week, after a
> git pull to update the repo and using make, I'm now greeted with
>
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
> record ABI mismatch; recompilation needed
>
> I will still spend some time with this error, but I found it worth asking: is
> this approach of "make && make check" a reasonable one?
If you see ‘recompilation needed’, recompile with "make clean && make".
> Is there a way to test
> a guix system without installing it? Packages I know we can, but system
> capabilities like vpn I'm not sure.
You could create a VM: "./pre-inst-env guix system vm the-configuration.scm --root=run-the-vm.sh
&& ./run-the-vm.sh". Or possibly "./pre-inst-env guix system reconfigure the-config.scm",
if you only don't want to install guix, but reconfiguring the system is fine.
(You can do almost everything from ./pre-inst-env that can be done without.
The exception is if you modify the guix daemon (code under nix/), then you
may need to restart it from the local checkout.)
Greetings,
Maxime.
* Re: Wireguard
From: crodges @ 2021-10-06 16:28 UTC (permalink / raw)
To: guix-devel, Maxime Devos
On Wednesday, September 22, 2021 10:23:11 A.M. PDT Maxime Devos wrote:
> crodges wrote on Wed 22-09-2021 at 09:03 [-0700]:
> > On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > > Hello everyone,
> > > >
> > > > Let me start by thanking you for developing such an interesting project in
> > > > GNU Guix. Also, I don't want to take up anyone's time, so you can just
> > > > point me to documentation or other resources succinctly and I'll do my
> > > > best. I'm writing here because I tried the help list but got no answer so
> > > > far, after a few days.
> > > >
> > > > I managed to configure wireguard on a vps running guix and created
> > > > clients
> > > > for my desktop and cellphone. What I want to do (and did already in a
> > > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > > and
> > > > also browse the internet using this vpn.
> > >
> > > The Wireguard service as defined in Guix System doesn't currently
> > > support
> > > the forwarding you appear to describe ...
> > >
> > > > As I remember, I need to allow ip forwarding using
> > > >
> > > > sysctl net.ipv4.ip_forward=1
> > > >
> > > > and I also need to put these rules into wireguard (the server) under
> > > > [interface],
> > > >
> > > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > >
> > > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > >
> > > However, I don't see why this couldn't be implemented in Guix System
> > > (after some changes to wireguard-service-type).
> > >
> > > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > > don't seem to exist yet. Do they exist but are still undocumented?
> > >
> > > Guix uses "wg-quick", so it would seem they do exist, but are
> > > inaccessible
> > > from Guix. The configuration file is created in
> > > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > > modify that.
> > >
> > > > If they don't exist, where would be a reasonable place to add these
> > > > configurations?
> > >
> > > <wireguard-configuration> and wireguard-configuration-file in (gnu
> > > services
> > > vpn) it would seem. Also, sysctl-service-type would need to be extended
> > > (in the ‘service-extension’ meaning of the word) to set
> > > net.ipv4.ip_forward
> > > appropriately.
> > >
> > > > I'm trying to do everything the guix way; when I finish this
> > > > machine configuration, I'd like it to be fully replicable.
> > > >
> > > > Also, is this something that I could solve modifying the wireguard
> > > > service
> > > > definition itself?
> > >
> > > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > > options to <wireguard-configuration>, which would need to be set to the
> > > commands above. However, these strings seem rather complicated for the
> > > uninitiated, so I'd recommend something more high-level instead. Some
> > > interface like
> > >
> > > (wireguard-configuration
> > >
> > > [...]
> > > (addresses ...)
> > > (peers ...)
> > > (forward? #t))
> > >
> > > perhaps? Make sure to add some documentation to ‘Wireguard’ in
> > > (guix)VPN
> > > Services. (Maybe add some example situations on how forward? can be used
> > > and how it functions.)
> > >
> > > I want to note that I don't understand what exactly you're doing, I only
> > > understand that there is some forwarding going on, and I'm not
> > > unfamiliar
> > > with networking issues (e.g. I recently figured out why I couldn't
> > > connect
> > > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > > So explaining forward? to laypeople might take some care.
> > >
> > > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > > recommended.
> > >
> > > Greetings,
> > > Maxime.
> >
> > Thanks for the pointers Maxime.
> >
> > I'm not an expert in networking but I can briefly tell about my use case
> > here. Basically, my setup accomplishes two things: any machine connected
> > to the server running guix and wireguard should be able to browse the
> > internet like a normal vpn (using the server's ip address) and any client
> > theoretically could see each other. Right now I use this capability to
> > play 0ad with friends, in the future there will be apps running in
> > different clients, accessible to anyone inside vpn.
> >
> > That said, I'm back here to ask one more thing. I cloned guix and followed
> > the manual to create a --pure environment and authenticated the commits.
> > This machine is a different one from my server, here I have guix running
> > on top of manjaro (an arch gnu/linux flavor).
> >
> > I started changing code inside vpn.scm and my approach was to "make &&
> > make
> > check" after changes to see if it would still build. But this week, after
> > a
> > git pull to update the repo and using make, I'm now greeted with
> >
> > error: failed to load 'gnu/packages/perl.scm':
> > ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
> > record ABI mismatch; recompilation needed
> >
> > I will still spend some time with this error, but I found it worth asking: is
> > this approach of "make && make check" a reasonable one?
>
> If you see ‘recompilation needed’, recompile with "make clean && make".
>
> > Is there a way to test
> >
> > a guix system without installing it? Packages I know we can, but system
> > capabilities like vpn I'm not sure.
>
> You could create a VM: "./pre-inst-env guix system vm the-configuration.scm
> --root=run-the-vm.sh && ./run-the-vm.sh". Or possibly "./pre-inst-env guix
> system reconfigure the-config.scm", if you only don't want to install guix,
> but reconfiguring the system is fine.
>
> (You can do almost everything from ./pre-inst-env that can be done without.
> The exception is if you modify the guix daemon (code under nix/), then you
> may need to restart it from the local checkout.)
>
> Greetings,
> Maxime.
Thanks again Maxime,
I was able to create and run the vm. How can I build a .iso image with my code
changes to install in a vps? I tried to change the code, compile, run
guix system image -t iso9660 gnu/system/install.scm
then I grabbed the .iso from the /gnu/store
but after installing it, it didn't contain my changes. Am I grabbing the wrong
iso? If so, how should I do this? I may be confusing guix installed on my pc
with the one I'm making changes to.
Thanks,
crodges.
* Re: Wireguard
From: Maxime Devos @ 2021-10-06 18:35 UTC (permalink / raw)
To: crodges, guix-devel
crodges wrote on Wed 06-10-2021 at 09:28 [-0700]:
> [...]
> I was able to create and run the vm. How can I build a .iso image with my code
> changes to install in a vps? I tried to change the code, compile, run
>
> guix system image -t iso9660 gnu/system/install.scm
Don't forget ./pre-inst-env:
make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm
Also, the installer won't use your locally modified guix. IIUC,
it will use the 'guix' package, which is normally only used by a few services
like cuirass and guix-daemon, and for the initial installation.
It shouldn't be necessary to reinstall Guix System, I'd recommend sending a copy of
the locally-modified guix repo to your VM, build it, and reconfigure inside the VM
(./pre-inst-env guix system reconfigure ...) instead.
However, it should also be possible to modify the guix used by the installer, using the
procedure (current-guix) and the macro modify-services, see gnu/tests/install.scm
for an example.
> then I grabbed the .iso from the /gnu/store
>
> but after installing it, it didn't contain my changes. Am I grabbing the wrong
> iso? If so, how should I do this? I may be confusing guix installed on my pc
> with the one I'm making changes to.
Greetings,
Maxime.
* Re: Wireguard
From: crodges @ 2021-10-15 16:26 UTC (permalink / raw)
To: Maxime Devos; +Cc: guix-devel
On Wednesday, October 6, 2021 11:35:02 A.M. PDT you wrote:
> crodges wrote on Wed 06-10-2021 at 09:28 [-0700]:
> > [...]
> > I was able to create and run the vm. How can I build a .iso image with my
> > code changes to install in a vps? I tried to change the code, compile,
> > run
> >
> > guix system image -t iso9660 gnu/system/install.scm
>
> Don't forget ./pre-inst-env:
>
> make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm
>
> Also, the installer won't use your locally modified guix. IIUC,
> it will use the 'guix' package, which is normally only used by a few
> services like cuirass and guix-daemon, and for the initial installation.
>
> It shouldn't be necessary to reinstall Guix System, I'd recommend sending a
> copy of the locally-modified guix repo to your VM, build it, and
> reconfigure inside the VM (./pre-inst-env guix system reconfigure ...)
> instead.
>
> However, it should also be possible to modify the guix used by the
> installer, using the procedure (current-guix) and the macro
> modify-services, see gnu/tests/install.scm for an example.
>
> > then I grabbed the .iso from the /gnu/store
> >
> > but after installing it, it didn't contain my changes. Am I grabbing the
> > wrong iso? If so, how should I do this? I may be confusing guix installed
> > on my pc with the one I'm making changes to.
>
> Greetings,
> Maxime.
Maxime,
I'm getting closer. I'm reading up on how the kernel treats networks, guile
and guix. After I solve this issue I'll definitely do a write up to pass on
the acquired knowledge, it'll be good for someone that is starting with guix,
like myself.
That said, I have additional questions. First, in my wireguard configuration I
need to call iptables. It was suggested to me that I should modify wireguard
to accept iptables-service as an extension, and also modify iptables for it to
be extended. Do you know any other way, or does this look like the most appropriate one?
Also, there are several wg0.conf generated at /gnu/store (because of many
generations). How do I know which one is the most recent one, so I can check
if my configuration is parsing correctly from guile? I tried a simple ls -lt
but everything is showing Jan 1, 1970.
Thanks Maxime.