On Monday, August 30, 2021 5:25:10 A.M. PDT Pierre Langlois wrote:
> Hi there,
>
> crodges writes:
>
> > Hello everyone,
> >
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
>
> I also have a similar setup with Guix, maybe I can help.
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
>
> That one is pretty easy, you find exactly that example in the manual:
> https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service
>
> > and I also need to put these rules into wireguard (the server) under
> > [Interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> >
> > If they don't exist, where would be a reasonable place to add these
> > configurations? I'm trying to do everything the guix way; when I finish
> > this machine configuration, I'd like it to be fully replicable.
>
> Yeah, I don't think wireguard-configuration supports doing this, we
> could probably add it although I think the "Guix way" here would
> probably be to specify iptables in another service:
> https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables
>
> Probably something like this? Although I'm really not an iptables
> expert:
>
> --8<---------------cut here---------------start------------->8---
> (service iptables-service-type
>          (iptables-configuration
>           (ipv4-rules (plain-file "iptables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))
>           (ipv6-rules (plain-file "ip6tables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> -A POSTROUTING -t nat -o eth0 -j MASQUERADE
> COMMIT
> "))))
> --8<---------------cut here---------------end--------------->8---
>
> That being said, it's not exactly the same as doing this with
> PostUp/PostDown, the rules will be applied independently and it would be
> good for them to be set up only when wireguard comes up, and removed when
> you bring it down.
>
> AFAIK, there isn't a way to do this without hacking on the wireguard and
> iptables services themselves. The way to compose services together in
> Guix is to use a list of service-extension, at the moment wireguard
> doesn't have any other than itself:
>
> --8<---------------cut here---------------start------------->8---
> (define wireguard-service-type
>   (service-type
>    (name 'wireguard)
>    (extensions
>     (list (service-extension shepherd-root-service-type
>                              wireguard-shepherd-service)
>           (service-extension activation-service-type
>                              wireguard-activation)))))
> --8<---------------cut here---------------end--------------->8---
>
> Maybe we could have the iptables-service-type here as an extension as
> well, however that requires the iptables service itself to be modified to
> allow extensibility. See the manual for more information
> https://guix.gnu.org/manual/en/html_node/Service-Composition.html
>
> Hope this helps!
>
> Thanks,
> Pierre

Pierre,

That actually helped! I was able to enable ip forwarding using
modify-services (after I realized that sysctl is part of base-services).

As for iptables, I tried pasting the config but I'm getting an error when I
reconfigure the system and restart iptables. I am not an iptables expert
either! But now I have something to work with.

Regarding service-extension, thanks for the pointer, I'll read it carefully
and try to make the necessary extensions.
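Added example, not code from the thread or from Guix itself: the server side of the setup discussed above (forwarding, firewall and NAT for the tunnel) expressed as Guix services. Two points a practitioner would want stated. First, iptables-service-type hands its rule files to iptables-restore and ip6tables-restore, whose format has one "*table ... COMMIT" section per table and does not accept "-t" inside a rule line, so a MASQUERADE rule has to sit under a "*nat" section rather than under "*filter" as in the rules quoted above; that file is rejected at load time. Second, iptables happily references an interface that does not exist yet, so loading the rules at system activation, independently of wg0 coming up or going down, works without the PostUp/PostDown coupling. The interface names wg0 and eth0 come from the thread; the tunnel prefixes 10.0.0.0/24 and fd00:7::/64, the peer name, and the placeholder public key are assumptions.

```scheme
;; Added example (not from the thread).  Server-side Guix services for a
;; WireGuard VPN whose peers can reach each other and the internet via
;; the server.  wg0/eth0 are from the thread; 10.0.0.0/24 and fd00:7::/64
;; are assumed tunnel prefixes; the peer public key is a placeholder.
(use-modules (gnu)
             (gnu services networking)   ; iptables-service-type
             (gnu services sysctl)       ; sysctl-service-type
             (gnu services vpn))         ; wireguard-service-type

;; Forwarding.  sysctl-service-type is already part of %base-services, so
;; that instance is extended with modify-services instead of adding a
;; second one.  IPv6 forwarding is a separate knob from net.ipv4.ip_forward.
(define %base-services/forwarding
  (modify-services %base-services
    (sysctl-service-type config =>
      (sysctl-configuration
       (inherit config)
       (settings (append '(("net.ipv4.ip_forward" . "1")
                           ("net.ipv6.conf.all.forwarding" . "1"))
                         (sysctl-configuration-settings config)))))))

;; Firewall in iptables-restore format.  Each table is its own
;; "*table ... COMMIT" section; MASQUERADE lives under *nat.  FORWARD
;; defaults to DROP and only tunnel traffic (peer <-> peer, tunnel -> uplink
;; and the replies to it) is forwarded, rather than a blanket ACCEPT.
;; INPUT is left at ACCEPT, as in the thread's rules.
(define %wg-ipv4-rules
  (plain-file "iptables.rules" "\
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"))

(define %wg-ipv6-rules
  (plain-file "ip6tables.rules" "\
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -s fd00:7::/64 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s fd00:7::/64 -o eth0 -j MASQUERADE
COMMIT
"))

;; Value for the operating-system 'services' field.  The rules are loaded
;; at activation; wg0 need not exist yet for "-i wg0" rules to load.
(define %wg-server-services
  (cons* (service wireguard-service-type
                  (wireguard-configuration
                   (interface "wg0")
                   (addresses '("10.0.0.1/24" "fd00:7::1/64"))
                   (port 51820)
                   (peers
                    (list (wireguard-peer
                           (name "desktop")              ; assumed name
                           ;; placeholder: the client's real public key
                           (public-key "<desktop-public-key>")
                           (allowed-ips '("10.0.0.2/32" "fd00:7::2/128")))))))
         (service iptables-service-type
                  (iptables-configuration
                   (ipv4-rules %wg-ipv4-rules)
                   (ipv6-rules %wg-ipv6-rules)))
         %base-services/forwarding))
```

Use `%wg-server-services` as the `services` field of the `operating-system` declaration, with the private key at the default /etc/wireguard/private.key. The `-s` matches on the forward and masquerade rules restrict NAT to the tunnel prefixes so the box does not forward or masquerade traffic that arrives on eth0; the `-i wg0 -o wg0` rule is what lets connected peers see each other through the server.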