[bug#41080] [PATCH] doc: cookbook: add entry for Wireguard VPN connection on Guix System

[bug#41080] [PATCH] doc: cookbook: add entry for Wireguard VPN connection on Guix System

[Marcin Karpezo]

---
 doc/guix-cookbook.texi | 77 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 76 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index f58d18d47c..598084ce65 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -327,7 +327,7 @@ package definitions.
 @item
 Inheritance makes it easy to customize a package by inheriting from it and
 modifying only what is needed.
- 
+
 @item
 Batch processing: the whole package collection can be parsed, filtered and
 processed.  Building a headless server with all graphical interfaces stripped
@@ -1324,7 +1324,9 @@ reference.
 @menu
 * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
+* Connect to Wireguard VPN:: Connecting to Wireguard VPN server on Guix System.
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
+
 @end menu
 
 @node Customizing the Kernel
@@ -1617,6 +1619,79 @@ Then you need to add the following code to a StumpWM configuration file
 (set-font (make-instance 'xft:font :family "DejaVu Sans Mono" :subfamily "Book" :size 11))
 @end lisp
 
+@node Connect to Wireguard VPN
+@section Connect to Wireguard VPN
+@anchor{#connect-to-wireguard-vpn}
+To connect your Guix System with Wireguard VPN server you need to add
+packages @code{wireguard-linux-compat} and @code{wireguard-tools} to
+your system configuration file, e.g. @file{/etc/config.scm}.
+
+An example configuration file will look like this:
+
+@lisp
+(use-modules (gnu))
+(use-package-modules vpn)
+
+(operating-system
+;; …
+(packages
+    (append (map specification->package
+        '("wireguard-linux-compat" "wireguard-tools"))
+    %base-packages)))
+@end lisp
+
+After @code{guix system reconfigure /etc/config.scm} you'll find that
+standard @code{wg-quick up wg0} command will not work due to lack of
+package providing @code{resolvconf} command.
+
+@example
+~ % sudo wg-quick up wg0
+[#] ip link add wg0 type wireguard
+[#] wg setconf wg0 /dev/fd/63
+[#] ip -4 address add 10.200.200.2/24 dev wg0
+[#] ip link set mtu 1420 up dev wg0
+[#] resolvconf -a wg0 -m 0 -x
+/home/sirmacik/.guix-profile/bin/wg-quick: line 31: resolvconf: command not found
+[#] ip link delete dev wg0
+@end example
+
+Thanks to Network Manager support for Wireguard we can still connect to
+our VPN using @code{nmcli} command. Up to this point this guide assumes
+that you're using Network Manager service provided by
+@code{%desktop-services}. Ortherwise you need to adjust your services
+list to load @code{network-manager-service-type} and reconfigure your
+Guix system (@uref{https://guix.gnu.org/manual/en/html_node/Networking-Services.html,see Networking Services}).
+
+To import your VPN configuration execute nmcli import command:
+
+@example
+~ % sudo nmcli connection import type wireguard file wg0.conf
+Connection 'wg0' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully added
+@end example
+
+Next connect to Wireguard server
+
+@example
+~ % nmcli connection up wg0
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
+@end example
+
+By default NM will connect automatically on system boot. To change that
+behaviour you need to edit your config:
+
+@example
+~ % sudo nmcli connection edit wg0
+nmcli> print connection.autoconnect
+connection.autoconnect: yes
+nmcli> set connection.autoconnect no
+nmcli> save
+Connection 'prv' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully updated.
+@end example
+
+For more specific information about NetworkManager and wireguard
+@uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
+this post on GNOME blogs}.
+
 @node Setting up a bind mount
 @section Setting up a bind mount
 
-- 
2.26.2

[bug#41080] [PATCH] doc: cookbook: add entry for Wireguard VPN connection on Guix System

[Brice Waegeneire]

Hello Marcin,

Thank you for the patch!

> +@lisp
> +(use-modules (gnu))
> +(use-package-modules vpn)
> +
> +(operating-system
> +;; …
> +(packages
> +    (append (map specification->package
> +        '("wireguard-linux-compat" "wireguard-tools"))
> +    %base-packages)))
> +@end lisp

There is no use to put "wireguard-linux-compat" in the packages field,
instead it should be in the kernel-loadable-modules field to be
loadable by modprobe and an in the kernel-module-loader-service for
being autoloaded at boot with an entry like:
“(simple-service 'wireguard-module kernel-module-loader-service-type
     '("wireguard"))”
Also note that all the above is only necessary with a Linux-libre
kernel >5.6, after that wireguard is built into it.

https://issues.guix.info/issue/41192 should fix the wg-quick issue,
can you try it and update the documentation accordingly. About this
script can you specify that it's a “very quick and dirty bash script”
as wireguard's docs says and that it should probably be avoided except
for testing and such.

Also can you resend the patch as a git-patch instead of a plain diff,
you can find the related guidelines in the manual[0].

[0]: 
https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html#Submitting-Patches

Cheers,
- Brice

[bug#41080] [PATCH v2] Add wireguard connection instructions to cookbook

[Marcin Karpezo]

* doc: cookbook: add entry for Wireguard VPN connection on Guix System
---
 doc/guix-cookbook.texi | 68 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 8651bc4429..0e0727310a 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -327,7 +327,7 @@ package definitions.
 @item
 Inheritance makes it easy to customize a package by inheriting from it and
 modifying only what is needed.
- 
+
 @item
 Batch processing: the whole package collection can be parsed, filtered and
 processed.  Building a headless server with all graphical interfaces stripped
@@ -1323,6 +1323,7 @@ reference.
 
 @menu
 * Customizing the Kernel::       Creating and using a custom Linux kernel on Guix System.
+* Connect to Wireguard VPN::     Connecting your Guix System to Wireguard VPN.
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
 @end menu
@@ -1567,6 +1568,71 @@ likely that you'll need to modify the initrd on a machine using a custom
 kernel, since certain modules which are expected to be built may not be
 available for inclusion into the initrd.
 
+@node Connect to Wireguard VPN
+@section Connect to Wireguard VPN
+
+To connect your Guix system with Wireguard VPN server you need to add
+@code{wireguard-tools} package to your system configuration file and
+additional kernel line, e.g. @file{/etc/config.scm}.
+
+An example configuration file will look like this:
+
+@lisp
+(use-modules (gnu))
+(use-package-modules vpn)
+
+(operating-system
+;; …
+(packages
+    (append (map specification->package
+        '("wireguard-tools"))
+    %base-packages))
+ (kernel-loadable-modules (list wireguard-linux-compat))
+ ;; …
+@end lisp
+
+After @code{guix system reconfigure /etc/config.scm} you can either
+place your config file in @file{/etc/wireguard} and run
+@code{wg-quick up wg0} command or use NetworkManager for wireguard
+management.
+
+Thanks to Network Manager support for Wireguard we can connect to our
+VPN using @code{nmcli} command. Up to this point this guide assumes that
+you're using Network Manager service provided by
+@code{%desktop-services}. Ortherwise you need to adjust your services
+list to load @code{network-manager-service-type} and reconfigure your
+Guix system.
+
+To import your VPN configuration execute nmcli import command:
+
+@example shell
+~ % sudo nmcli connection import type wireguard file wg0.conf
+Connection 'wg0' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully added
+@end example
+
+Next connect to Wireguard server
+
+@example shell
+~ % nmcli connection up wg0
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
+@end example
+
+By default NM will connect automatically on system boot. To change that
+behaviour you need to edit your config:
+
+@example shell
+~ % sudo nmcli connection edit wg0
+nmcli> print connection.autoconnect
+connection.autoconnect: yes
+nmcli> set connection.autoconnect no
+nmcli> save
+Connection 'prv' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully updated.
+@end example
+
+For more specific information about NetworkManager and wireguard
+@uref{https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/,see
+this post by thaller}.
+
 @node Customizing a Window Manager
 @section Customizing a Window Manager
 @cindex wm
-- 
2.26.2