unofficial mirror of guix-devel@gnu.org 
* Wireguard
@ 2021-08-29 21:53 crodges
  2021-09-01  7:07 ` Wireguard Maxime Devos
  0 siblings, 1 reply; 2+ messages in thread
From: crodges @ 2021-08-29 21:53 UTC (permalink / raw)
  To: guix-devel

Hello everyone,

Let me start by thanking you for developing such an interesting project in GNU 
Guix. Also, I don't want to take up anyone's time, so you can just point to 
documentation or other resources succinctly and I'll do my best. I'm writing 
here because I tried the help list but got no answer so far, after a few days.

I managed to configure wireguard on a vps running guix and created clients for 
my desktop and cellphone. What I want to do (and did already in a Debian vps) 
is to make wireguard's lan accessible to anyone connected and also browse the 
internet using this vpn.

As I remember, I need to allow ip forwarding using

sysctl net.ipv4.ip_forward=1

and I also need to put these rules into wireguard (the server) under 
[interface],

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Problem is, looking at the latest Guix manual, PostUp and PostDown don't 
seem to exist yet. Do they exist but are still undocumented?

If they don't exist, where would be a reasonable place to add these 
configurations? I'm trying to do everything the Guix way; when I finish this 
machine configuration, I'd like it to be fully replicable.

Also, is this something that I could solve modifying the wireguard service 
definition itself?

Thanks,

crodges

* Re: Wireguard
  2021-08-29 21:53 Wireguard crodges
@ 2021-09-01  7:07 ` Maxime Devos
  0 siblings, 0 replies; 2+ messages in thread
From: Maxime Devos @ 2021-09-01  7:07 UTC (permalink / raw)
  To: crodges, guix-devel


crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> Hello everyone,
> 
> Let me start by thanking you for developing such an interesting project in GNU 
> Guix. Also, I don't want to take up anyone's time, so you can just point to 
> documentation or other resources succinctly and I'll do my best. I'm writing 
> here because I tried the help list but got no answer so far, after a few days.
> 
> I managed to configure wireguard on a vps running guix and created clients for 
> my desktop and cellphone. What I want to do (and did already in a Debian vps) 
> is to make wireguard's lan accessible to anyone connected and also browse the 
> internet using this vpn.

The Wireguard service as defined in Guix System doesn't currently support the
forwarding you appear to describe ...

> As I remember, I need to allow ip forwarding using
> 
> sysctl net.ipv4.ip_forward=1
> 
> and I also need to put these rules into wireguard (the server) under 
> [interface],
> 
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

However, I don't see why this couldn't be implemented in Guix System
(after some changes to wireguard-service-type).

> Problem is, looking at the latest Guix manual, PostUp and PostDown don't 
> seem to exist yet. Do they exist but are still undocumented?

Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
from Guix.  The configuration file is created in wireguard-configuration-file
(in gnu/services/vpn.scm), maybe you can modify that.

> If they don't exist, where would be a reasonable place to add these 
> configurations?

<wireguard-configuration> and wireguard-configuration-file in (gnu services vpn)
it would seem.  Also, sysctl-service-type would need to be extended (in
the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
appropriately.

> I'm trying to do everything the Guix way; when I finish this 
> machine configuration, I'd like it to be fully replicable.
> 
> Also, is this something that I could solve modifying the wireguard service 
> definition itself?

If replicability is all you need, you could add ‘postdown’ and ‘postup’
options to <wireguard-configuration>, which would need to be set to the
commands above.  However, these strings seem rather complicated for the
uninitiated, so I'd recommend something more high-level instead.  Some
interface like

  (wireguard-configuration
    [...]
    (addresses ...)
    (peers ...)
    (forward? #t))

perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN Services.
(Maybe add some example situations on how forward? can be used and how it functions.)

I want to note that I don't understand what exactly you're doing; I only understand
that there is some forwarding going on, and I'm not unfamiliar with networking issues
(e.g. I recently figured out why I couldn't connect to the Internet with the
ISP-provided ‘4G minimodem’ -- DNS was b0rken).  So explaining forward? to laypeople
might take some care.

Writing a corresponding ‘system test’ in gnu/tests/networking.scm is recommended.

Greetings,
Maxime.
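As an added illustration (not part of either message, and not code from Guix itself), here is one way to get the set-up the original poster describes declaratively today, composing existing Guix services instead of wg-quick PostUp/PostDown: sysctl-service-type turns on forwarding (the ‘service-extension’ point Maxime raises), iptables-service-type installs the FORWARD and MASQUERADE rules once at boot, and wireguard-service-type runs the tunnel. Assumptions, labelled in the comments: the uplink is eth0, the tunnel is wg0 on 10.0.0.0/24, the peer public key is a placeholder, and the field names of wireguard-configuration, iptables-configuration and sysctl-configuration should be checked against the manual for your Guix revision.

```scheme
;; Added example, not from the thread or from Guix: a services fragment for a
;; Guix System 'operating-system' that gives WireGuard peers access to the
;; VPS's network and the Internet without PostUp/PostDown hooks.
;; ASSUMPTIONS: uplink interface "eth0", tunnel "wg0" on 10.0.0.0/24,
;; placeholder peer key. Verify field names against your Guix manual.
(use-modules (gnu)
             (guix gexp)               ; plain-file
             (gnu services vpn)        ; wireguard-service-type
             (gnu services networking) ; iptables-service-type
             (gnu services sysctl))    ; sysctl-service-type

;; iptables-restore format, applied once at boot rather than on every
;; 'wg-quick up'. Unlike the thread's rules, FORWARD defaults to DROP:
;; only traffic coming from the tunnel, and replies going back into it,
;; is forwarded, and only tunnel addresses are NAT'd out of eth0.
(define %wg-forwarding-ipv4-rules
  (plain-file "wg-forward-ipv4.rules"
              "*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"))

(define %wg-forwarding-services
  (list
   ;; 1. Kernel forwarding switch: the declarative form of
   ;;    'sysctl net.ipv4.ip_forward=1'.
   (service sysctl-service-type
            (sysctl-configuration
             (settings '(("net.ipv4.ip_forward" . "1")))))

   ;; 2. Firewall and NAT rules (IPv4 only here; IPv6 would need
   ;;    net.ipv6.conf.all.forwarding and an analogous 'ipv6-rules' file).
   (service iptables-service-type
            (iptables-configuration
             (ipv4-rules %wg-forwarding-ipv4-rules)))

   ;; 3. The WireGuard server. The private key stays at the service's
   ;;    default path (/etc/wireguard/private.key) and never enters the
   ;;    store; only the public key of each peer goes into this file.
   (service wireguard-service-type
            (wireguard-configuration
             (interface "wg0")
             (addresses '("10.0.0.1/24"))
             (port 51820)
             (peers
              (list (wireguard-peer
                     (name "desktop")
                     ;; placeholder, replace with the peer's public key
                     (public-key "PEER-PUBLIC-KEY-PLACEHOLDER")
                     (allowed-ips '("10.0.0.2/32")))))))))

;; Usage inside the system declaration:
;;   (operating-system
;;     ...
;;     (services (append %wg-forwarding-services %base-services)))
```

If the Guix revision in use already includes sysctl-service-type in %base-services, a second instance is rejected; in that case extend the existing one with `(simple-service 'wg-forward sysctl-service-type '(("net.ipv4.ip_forward" . "1")))` instead, which is exactly the extension mechanism Maxime refers to. The DROP policy plus conntrack rule is a deliberate tightening over the thread's rules: with the original FORWARD ACCEPT policy the VPS would forward between any interfaces, not only between wg0 and eth0, so check `iptables -L FORWARD -v` after reconfiguring to confirm only the intended paths are open.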
