unofficial mirror of help-guix@gnu.org 
From: crodges <crodges@csphy.pw>
To: Pierre Langlois <pierre.langlois@gmx.com>
Cc: help-guix@gnu.org
Subject: Re: Wireguard configuration - PostUp and PostDown
Date: Tue, 31 Aug 2021 09:16:46 -0700	[thread overview]
Message-ID: <3079000.V12rREZbn0@sceadufaex> (raw)
In-Reply-To: <87fsurnkeq.fsf@gmx.com>


On Monday, August 30, 2021 5:25:10 A.M. PDT Pierre Langlois wrote:
> Hi there,
> 
> crodges <crodges@csphy.pw> writes:
> > Hello everyone,
> > 
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
> 
> I also have a similar setup with Guix, maybe I can help.
> 
> > As I remember, I need to allow ip forwarding using
> > 
> > sysctl net.ipv4.ip_forward=1
> 
> That one is pretty easy, you find exactly that example in the manual:
> https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> > 
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> > 
> > If they don't exist, where would a reasonable place be to add these
> > configurations? I'm trying to do everything the guix way; when I finish
> > this machine configuration, I'd like it to be fully replicable.
> 
> Yeah, I don't think wireguard-configuration supports doing this, we
> could probably add it although I think the "Guix way" here would
> probably be to specify iptables in another service:
> https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables
> 
> Probably something like this? Although I'm really not an iptables
> expert:
> 
> --8<---------------cut here---------------start------------->8---
> (service iptables-service-type
>          (iptables-configuration
>           (ipv4-rules (plain-file "iptables.rules" "*filter
> 
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> 
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))
>           (ipv6-rules (plain-file "ip6tables.rules" "*filter
> 
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> 
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))))
> --8<---------------cut here---------------end--------------->8---
> 
> That being said, it's not exactly the same as doing this with
> PostUp/PostDown: the rules will be applied independently, and it would be
> good for them to be set up only when wireguard comes up, and removed when
> you bring it down.
> 
> AFAIK, there isn't a way to do this without hacking on the wireguard and
> iptables services themselves. The way to compose services together in
> Guix is to use a list of service-extension, at the moment wireguard
> doesn't have any other than itself:
> 
> --8<---------------cut here---------------start------------->8---
> (define wireguard-service-type
>   (service-type
>    (name 'wireguard)
>    (extensions
>     (list (service-extension shepherd-root-service-type
>                              wireguard-shepherd-service)
>           (service-extension activation-service-type
>                              wireguard-activation)))))
> --8<---------------cut here---------------end--------------->8---
> 
> Maybe we could have the iptable-service-type here as an extension as
> well, however that requires the iptable service itself to be modified to
> allow extensibility. See the manual for more information:
> https://guix.gnu.org/manual/en/html_node/Service-Composition.html
> 
> Hope this helps!
> 
> Thanks,
> Pierre
Pierre, 

That actually helped! I was able to enable ip forwarding using modify-services 
(after I realized that sysctl is part of base-services). As for iptables, I 
tried pasting the config but I'm getting an error when I reconfigure the 
system and restart iptables. I am not an iptables expert either! But now I 
have something to work with.

Regarding service-extension, thanks for the pointer, I'll read it carefully 
and try to make the necessary extensions.

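The error crodges hits when restarting iptables is consistent with a structural problem in the quoted ruleset: an iptables-restore file is a sequence of `*table` sections, each closed by `COMMIT`, and a rule line inside a section cannot select a different table with `-t`. `POSTROUTING` is a chain of the nat table, so the `MASQUERADE` rule has to sit under its own `*nat` section rather than under `*filter`. The following is an added example, not code from this thread or from Guix: it builds a loadable ruleset for the wg0/eth0 gateway described above (with a default-deny FORWARD policy instead of the quoted ACCEPT), wraps it in the `iptables-service-type` form Pierre posted, and runs an offline structural check that flags exactly the two mistakes in the quoted file. The function names, the `BUILTIN_CHAINS` table and the sample subnets are assumptions of this example.

```python
"""Build and sanity-check iptables-restore rulesets for a WireGuard gateway.

Added example (not thread or Guix code). Assumes the thread's interface
names: wg0 for WireGuard, eth0 for the uplink. The check mirrors what
iptables-restore enforces: *table sections closed by COMMIT, no -t inside
a rule line, and chains that are built in to the table or declared with
a ':CHAIN' line.
"""

# Built-in chains of the stock netfilter tables (assumption of this example).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# The IPv4 ruleset exactly as posted in the thread, used as input for the check.
THREAD_RULESET = """*filter

:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

-A FORWARD -i wg0 -j ACCEPT
-A POSTROUTING -t nat -o eth0 -j MASQUERADE
COMMIT
"""


def check_restore_file(text):
    """Return a list of structural problems (empty when the file looks loadable)."""
    problems = []
    table = None        # name of the open *table section, if any
    declared = set()    # chains declared with ':CHAIN' in this section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # new table section
            if table is not None:
                problems.append(f"line {lineno}: table '{table}' not closed with COMMIT")
            table, declared = line[1:], set()
            if table not in BUILTIN_CHAINS:
                problems.append(f"line {lineno}: unknown table '{table}'")
            continue
        if line == "COMMIT":                          # section closed
            if table is None:
                problems.append(f"line {lineno}: COMMIT outside a table section")
            table = None
            continue
        if table is None:
            problems.append(f"line {lineno}: rule outside any *table section")
            continue
        if line.startswith(":"):                      # ':CHAIN POLICY [pkts:bytes]'
            declared.add(line[1:].split()[0])
            continue
        tokens = line.split()
        if "-t" in tokens or "--table" in tokens:     # the section already names the table
            problems.append(f"line {lineno}: '-t' is not allowed inside a restore "
                            f"file; move the rule under a *<table> section")
        chain = None
        for opt in ("-A", "-I", "-D", "-R", "--append", "--insert", "--delete"):
            if opt in tokens and tokens.index(opt) + 1 < len(tokens):
                chain = tokens[tokens.index(opt) + 1]
                break
        if chain is None:
            problems.append(f"line {lineno}: no chain named")
        elif chain not in BUILTIN_CHAINS.get(table, set()) | declared:
            problems.append(f"line {lineno}: chain '{chain}' does not exist in table '{table}'")
    if table is not None:
        problems.append(f"end of file: table '{table}' not closed with COMMIT")
    return problems


def render_gateway_rules(wg_if="wg0", wan_if="eth0", vpn_net=None):
    """Forward VPN peers to each other and to the uplink, masquerading the
    latter, with FORWARD defaulting to DROP so only VPN-originated flows and
    their replies cross the box. vpn_net (optional) narrows the masquerade
    to the tunnel's subnet; the same text works for ip6tables-restore."""
    src = f"-s {vpn_net} " if vpn_net else ""
    return "\n".join([
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        f"-A FORWARD -i {wg_if} -o {wg_if} -j ACCEPT",    # peer <-> peer over the VPN
        f"-A FORWARD -i {wg_if} -o {wan_if} -j ACCEPT",   # peer -> internet
        f"-A FORWARD -i {wan_if} -o {wg_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING {src}-o {wan_if} -j MASQUERADE",
        "COMMIT",
        "",
    ])


def render_guix_service(ipv4_rules, ipv6_rules):
    """Embed both rulesets in the iptables-service-type form from the thread.
    The rulesets contain no double quotes or backslashes, so no escaping is needed."""
    return ("(service iptables-service-type\n"
            "         (iptables-configuration\n"
            f"          (ipv4-rules (plain-file \"iptables.rules\" \"{ipv4_rules}\"))\n"
            f"          (ipv6-rules (plain-file \"ip6tables.rules\" \"{ipv6_rules}\"))))\n")


if __name__ == "__main__":
    print("problems in the thread's ruleset:", *check_restore_file(THREAD_RULESET), sep="\n  ")
    v4 = render_gateway_rules(vpn_net="10.0.0.0/24")       # constructed sample subnets
    v6 = render_gateway_rules(vpn_net="fd00:0:0:1::/64")
    assert check_restore_file(v4) == [] and check_restore_file(v6) == []
    print(render_guix_service(v4, v6))
```

Running the script prints the two findings for the quoted file (the inline `-t`, and `POSTROUTING` not being a filter-table chain) and then a `(service iptables-service-type ...)` form that can be pasted into the operating-system declaration; the printed form is the only output, and nothing is loaded into the kernel. As Pierre notes, this still applies the rules independently of the wg0 interface's state; the FORWARD rules simply never match while wg0 is down, and the default-DROP policy keeps the host from forwarding anything else in the meantime.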

2021-08-28 22:55 Wireguard configuration - PostUp and PostDown crodges
2021-08-30 12:25 ` Pierre Langlois
2021-08-31 16:16   ` crodges [this message]