From: crodges <crodges@csphy.pw>
To: Pierre Langlois <pierre.langlois@gmx.com>
Cc: help-guix@gnu.org
Subject: Re: Wireguard configuration - PostUp and PostDown
Date: Tue, 31 Aug 2021 09:16:46 -0700
Message-ID: <3079000.V12rREZbn0@sceadufaex>
In-Reply-To: <87fsurnkeq.fsf@gmx.com>
On Monday, August 30, 2021 5:25:10 A.M. PDT Pierre Langlois wrote:
> Hi there,
>
> crodges <crodges@csphy.pw> writes:
> > Hello everyone,
> >
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
>
> I also have a similar setup with Guix, maybe I can help.
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
>
> That one is pretty easy, you find exactly that example in the manual:
> https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service
>
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> >
> > If they don't exist, where would be a reasonable place to add these
> > configurations? I'm trying to do everything the guix way; when I finish
> > this machine configuration, I'd like it to be fully replicable.
>
> Yeah, I don't think wireguard-configuration supports doing this, we
> could probably add it although I think the "Guix way" here would
> probably be to specify iptables in another service:
> https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables
>
> Probably something like this? Although I'm really not an iptables
> expert:
>
> --8<---------------cut here---------------start------------->8---
> (service iptables-service-type
> (iptables-configuration
> (ipv4-rules (plain-file "iptables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))
> (ipv6-rules (plain-file "ip6tables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))))
> --8<---------------cut here---------------end--------------->8---
>
> That being said, it's not exactly the same as doing this with
> PostUp/PostDown, the rules will be applied independently and it would be
> good for them to be setup only when wireguard comes up, and removed when
> you bring it down.
>
> AFAIK, there isn't a way to do this without hacking on the wireguard and
> iptables services themselves. The way to compose services together in
> Guix is to use a list of service-extension, at the moment wireguard
> doesn't have any other than itself:
>
> --8<---------------cut here---------------start------------->8---
> (define wireguard-service-type
> (service-type
> (name 'wireguard)
> (extensions
> (list (service-extension shepherd-root-service-type
> wireguard-shepherd-service)
> (service-extension activation-service-type
> wireguard-activation)))))
> --8<---------------cut here---------------end--------------->8---
>
> Maybe we could have the iptables-service-type here as an extension as
> well, however that requires the iptables service itself to be modified to
> allow extensibility. See the manual for more information
> https://guix.gnu.org/manual/en/html_node/Service-Composition.html
>
> Hope this helps!
>
> Thanks,
> Pierre
Pierre,
That actually helped! I was able to enable ip forwarding using modify-services
(after I realized that sysctl is part of base-services). As for iptables, I
tried pasting the config but I'm getting an error when I reconfigure the
system and restart iptables. I am not an iptables expert either! But now I
have something to work with.
Regarding service-extension, thanks for the pointer, I'll read it carefully
and try to make the necessary extensions.
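Editor's added example, not code from either poster or from the Guix project: a service list for a Guix WireGuard gateway that enables forwarding through the sysctl service that is already in %base-services (as crodges describes) and loads the forwarding/NAT rules through iptables-service-type. One thing to check when a rules file like the one quoted above is rejected: iptables-service-type feeds the file to iptables-restore, whose format groups rules under a "*table" header and does not accept "-t" on a rule line, so "-A POSTROUTING ... -j MASQUERADE" must sit in its own "*nat" block rather than inside "*filter" (POSTROUTING is not a filter-table chain). The example also tightens the original rules by giving FORWARD a DROP policy and only allowing traffic that originates from the VPN plus its replies. Interface names (eth0, wg0), the VPN subnet, the rules file names, and the sysctl-configuration-settings accessor are assumptions; the rest follows the Guix manual's documented record fields.

```scheme
;; Added example (not from the thread or from Guix itself).
;; Assumed: WAN interface eth0, WireGuard interface wg0, subnet 10.0.0.0/24.
(use-modules (gnu)
             (gnu services networking)   ; iptables-service-type
             (gnu services sysctl)       ; sysctl-service-type
             (gnu services vpn))         ; wireguard-service-type

;; Build a rules file in iptables-restore format: one "*table" block per
;; table, chain policies as ":CHAIN POLICY [packets:bytes]", rules written
;; WITHOUT "-t", each block terminated by COMMIT.  The same text works for
;; both iptables-restore and ip6tables-restore.
(define (forwarding-rules wan-iface wg-iface)
  (string-append
   "*filter\n"
   ":INPUT ACCEPT [0:0]\n"
   ;; Default-deny forwarding; only VPN-originated flows and their replies
   ;; are forwarded, which is narrower than the original FORWARD ACCEPT.
   ":FORWARD DROP [0:0]\n"
   ":OUTPUT ACCEPT [0:0]\n"
   "-A FORWARD -i " wg-iface " -j ACCEPT\n"
   "-A FORWARD -o " wg-iface
   " -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
   "COMMIT\n"
   ;; NAT lives in its own table block; this is where "-t nat" rules go.
   "*nat\n"
   ":PREROUTING ACCEPT [0:0]\n"
   ":INPUT ACCEPT [0:0]\n"
   ":OUTPUT ACCEPT [0:0]\n"
   ":POSTROUTING ACCEPT [0:0]\n"
   "-A POSTROUTING -o " wan-iface " -j MASQUERADE\n"
   "COMMIT\n"))

;; Service list to use as the `services' field of an operating-system.
(define gateway-services
  (append
   (list
    (service wireguard-service-type
             (wireguard-configuration
              (addresses '("10.0.0.1/24"))              ; assumed subnet
              (private-key "/etc/wireguard/private.key")
              (peers '())))                             ; add your clients
    (service iptables-service-type
             (iptables-configuration
              (ipv4-rules (plain-file "iptables.rules"
                                      (forwarding-rules "eth0" "wg0")))
              (ipv6-rules (plain-file "ip6tables.rules"
                                      (forwarding-rules "eth0" "wg0"))))))
   ;; sysctl-service-type is already in %base-services, so extend its
   ;; settings rather than adding a second instance of the service.
   (modify-services %base-services
     (sysctl-service-type
      config =>
      (sysctl-configuration
       (inherit config)
       (settings (append '(("net.ipv4.ip_forward" . "1")
                           ;; needed for the ip6tables MASQUERADE path
                           ("net.ipv6.conf.all.forwarding" . "1"))
                         ;; accessor name assumed to follow the record
                         (sysctl-configuration-settings config))))))))
```

Use it with (services gateway-services) in your operating-system declaration. Before reconfiguring, the rules text can be checked offline with "iptables-restore --test" on a file containing the same content; after boot, "iptables -S" and "iptables -t nat -S" should show the FORWARD and POSTROUTING rules respectively. As Pierre notes, the rules are loaded independently of WireGuard's state; that is harmless for loading, because netfilter accepts "-i wg0" before the interface exists, but it also means the forwarding rules stay in place while the tunnel is down.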
Thread overview: 3+ messages
2021-08-28 22:55 Wireguard configuration - PostUp and PostDown crodges
2021-08-30 12:25 ` Pierre Langlois
2021-08-31 16:16 ` crodges [this message]