From: crodges
To: Pierre Langlois
Cc: help-guix@gnu.org
Subject: Re: Wireguard configuration - PostUp and PostDown
Date: Tue, 31 Aug 2021 09:16:46 -0700
Message-ID: <3079000.V12rREZbn0@sceadufaex>
In-Reply-To: <87fsurnkeq.fsf@gmx.com>
References: <4144851.J7mxVJ4J92@sceadufaex> <87fsurnkeq.fsf@gmx.com>

On Monday, August 30, 2021 5:25:10 A.M. PDT Pierre Langlois wrote:
> Hi there,
>
> crodges writes:
> > Hello everyone,
> >
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
>
> I also have a similar setup with Guix, maybe I can help.
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
>
> That one is pretty easy, you find exactly that example in the manual:
> https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service
>
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> >
> > If they don't exist, where would be a reasonable place to add these
> > configurations? I'm trying to do everything the guix way; when I finish
> > this machine configuration, I'd like it to be fully replicable.
>
> Yeah, I don't think wireguard-configuration supports doing this, we
> could probably add it although I think the "Guix way" here would
> probably be to specify iptables in another service:
> https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables
>
> Probably something like this? Although I'm really not an iptables
> expert:
>
> --8<---------------cut here---------------start------------->8---
> (service iptables-service-type
>          (iptables-configuration
>           ;; iptables-restore format: one "*table ... COMMIT" block per
>           ;; table, and no "-t" inside rule lines.  FORWARD lives in the
>           ;; filter table; POSTROUTING/MASQUERADE live in the nat table.
>           (ipv4-rules (plain-file "iptables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> COMMIT
> *nat
> :PREROUTING ACCEPT
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :POSTROUTING ACCEPT
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> "))
>           (ipv6-rules (plain-file "ip6tables.rules" "*filter
>
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
>
> -A FORWARD -i wg0 -j ACCEPT
> COMMIT
> *nat
> :PREROUTING ACCEPT
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :POSTROUTING ACCEPT
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> "))))
> --8<---------------cut here---------------end--------------->8---
>
> That being said, it's not exactly the same as doing this with
> PostUp/PostDown, the rules will be applied independently and it would be
> good for them to be set up only when wireguard comes up, and removed when
> you bring it down.
>
> AFAIK, there isn't a way to do this without hacking on the wireguard and
> iptables services themselves. The way to compose services together in
> Guix is to use a list of service-extension, at the moment wireguard
> doesn't have any other than itself:
>
> --8<---------------cut here---------------start------------->8---
> (define wireguard-service-type
>   (service-type
>    (name 'wireguard)
>    (extensions
>     (list (service-extension shepherd-root-service-type
>                              wireguard-shepherd-service)
>           (service-extension activation-service-type
>                              wireguard-activation)))))
> --8<---------------cut here---------------end--------------->8---
>
> Maybe we could have the iptables-service-type here as an extension as
> well, however that requires the iptables service itself to be modified to
> allow extensibility. See the manual for more information
> https://guix.gnu.org/manual/en/html_node/Service-Composition.html
>
> Hope this helps!
>
> Thanks,
> Pierre

Pierre,

That actually helped! I was able to enable ip forwarding using
modify-services (after I realized that sysctl is part of base-services).

As for iptables, I tried pasting the config but I'm getting an error when I
reconfigure the system and restart iptables. I am not an iptables expert
either! But now I have something to work with.

Regarding service-extension, thanks for the pointer, I'll read it carefully
and try to make the necessary extensions.
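The thread describes three pieces (ip forwarding through the sysctl service that is already in %base-services, iptables rules for forwarding and NAT, and the wireguard server itself) but never shows them composed into one operating-system declaration. The following is an added example written for this archive page; it is not code from the thread or from the Guix project. It assumes the uplink interface is eth0, the VPN subnet is 10.0.0.0/24, and that the disk, host name, peer name and peer public key are placeholders to be replaced. It goes slightly beyond the rules quoted above: the FORWARD policy is DROP and only traffic entering from wg0, plus the RELATED/ESTABLISHED replies, is forwarded, so the server does not become a general router for its other interfaces. The conntrack match assumes the standard nf_conntrack kernel module, which Guix's default kernel provides.

```scheme
;; Added example (not the project's or the thread's own code): one Guix
;; System declaration composing sysctl, iptables and wireguard.
;; Placeholders: eth0, 10.0.0.0/24, /dev/vda, "wg-server", "desktop",
;; "PEER-PUBLIC-KEY-PLACEHOLDER".
(use-modules (gnu)
             (gnu services networking)   ; iptables-service-type
             (gnu services sysctl)       ; sysctl-service-type
             (gnu services vpn))         ; wireguard-service-type

;; Rules in iptables-restore format.  Each table is its own
;; "*table ... COMMIT" block and rule lines never carry "-t"; FORWARD
;; belongs to the filter table, POSTROUTING/MASQUERADE to the nat table.
;; The same text serves ip6tables because the rules are interface-based.
(define %wg-forwarding-rules
  "*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
")

(operating-system
  (host-name "wg-server")                              ; placeholder
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/vda"))))               ; placeholder
  (file-systems (cons (file-system
                        (device "/dev/vda1")           ; placeholder
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (services
   (append
    (list
     ;; Firewall/NAT rules, loaded at boot by iptables-restore.
     (service iptables-service-type
              (iptables-configuration
               (ipv4-rules (plain-file "iptables.rules" %wg-forwarding-rules))
               (ipv6-rules (plain-file "ip6tables.rules" %wg-forwarding-rules))))
     ;; WireGuard server on wg0, port 51820; the private key is read from
     ;; the service's default path /etc/wireguard/private.key.
     (service wireguard-service-type
              (wireguard-configuration
               (addresses '("10.0.0.1/24"))
               (port 51820)
               (peers
                (list (wireguard-peer
                       (name "desktop")                ; placeholder
                       (public-key "PEER-PUBLIC-KEY-PLACEHOLDER")
                       (allowed-ips '("10.0.0.2/32"))))))))
    ;; Keep %base-services, but extend the sysctl settings it already
    ;; carries so the kernel forwards packets between wg0 and eth0.
    (modify-services %base-services
      (sysctl-service-type config =>
        (sysctl-configuration
         (inherit config)
         (settings (append '(("net.ipv4.ip_forward" . "1")
                             ("net.ipv6.conf.all.forwarding" . "1"))
                           (sysctl-configuration-settings config)))))))))
```

As Pierre notes, these rules are installed at boot rather than when wg0 comes up, so the FORWARD rules simply match nothing while the interface is absent; the DROP policy keeps that window from exposing the host as a router. Rebuilding with `guix system reconfigure` applies all three services together, which is what keeps the machine replicable from this one file.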