From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Wireguard
From: Maxime Devos
To: crodges, guix-devel@gnu.org
Date: Wed, 01 Sep 2021 09:07:43 +0200
In-Reply-To: <2301909.g8HzRWBaYy@sceadufaex>
References: <2301909.g8HzRWBaYy@sceadufaex>
List-Id: "Development of GNU Guix and the GNU System distribution."
crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> Hello everyone,
>
> Let me start by thanking you for developing such an interesting project in GNU
> Guix. Also, I don't want to take up anyone's time, so you can just point to
> documentation or other resource succinctly and I'll do my best. I'm writing
> here because I tried the help list but no answer so far, after a few days.
>
> I managed to configure wireguard on a vps running guix and created clients for
> my desktop and cellphone. What I want to do (and did already in a Debian vps)
> is to make wireguard's lan accessible to anyone connected and also browse the
> internet using this vpn.

The Wireguard service as defined in Guix System doesn't currently support the
forwarding you appear to describe ...

> As I remember, I need to allow ip forwarding using
>
> sysctl net.ipv4.ip_forward=1
>
> and I also need to put these rules into wireguard (the server) under
> [interface],
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING
> -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

However, I don't see why this couldn't be implemented in Guix System
(after some changes to wireguard-service-type).

> Problem is, looking at the latest guix manual, PostUp and PostDown don't
> seem to exist yet. Do they exist but are still undocumented?
Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
from Guix. The configuration file is created in wireguard-configuration-file
(in gnu/services/vpn.scm), maybe you can modify that.

> If they don't exist, where would be a reasonable place to add these
> configurations?

and wireguard-configuration-file in (gnu services vpn) it would seem.
Also, sysctl-service-type would need to be extended (in the
‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
appropriately.

> I'm trying to do everything the guix way; when I finish this
> machine configuration, I'd like it to be fully replicable.
>
> Also, is this something that I could solve by modifying the wireguard service
> definition itself?

If replicability is all you need, you could add ‘postdown’ and ‘postup’
options to , which would need to be set to the commands above.
However, these strings seem rather complicated for the uninitiated, so
I'd recommend something more high-level instead. Some interface like

  (wireguard-configuration
    [...]
    (addresses ...)
    (peers ...)
    (forward? #t))

perhaps? Make sure to add some documentation to ‘Wireguard’ in
(guix)VPN Services. (Maybe add some example situations on how forward?
can be used and how it functions.)

I want to note that I don't understand what exactly you're doing, I only
understand that there is some forwarding going on, and I'm not unfamiliar
with networking issues (e.g. I recently figured out why I couldn't connect
to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
So explaining forward? to laypeople might take some care.

Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
recommended.

Greetings,
Maxime.