From: Pierre Langlois
To: crodges
Subject: Re: Wireguard configuration - PostUp and PostDown
Date: Mon, 30 Aug 2021 13:25:10 +0100
Message-ID: <87fsurnkeq.fsf@gmx.com>
In-reply-to: <4144851.J7mxVJ4J92@sceadufaex>
User-agent: mu4e 1.6.5; emacs 27.2

Hi there,

crodges writes:

> Hello everyone,
>
> I managed to configure wireguard on a vps running guix and created clients for
> my desktop and cellphone. What I want to do (and did already in a Debian vps)
> is to make wireguard's lan accessible to anyone connected and also browse the
> internet using this vpn.

I also have a similar setup with Guix, maybe I can help.

> As I remember, I need to allow ip forwarding using
>
> sysctl net.ipv4.ip_forward=1

That one is pretty easy, you find exactly that example in the manual:

https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service

> and I also need to put these rules into wireguard (the server) under
> [interface],
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING
> -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> Problem is, looking at the latest guix manual, PostUp and PostDown don't
> seem to exist yet. Do they exist but are still undocumented?
>
> If they don't exist, where would be a reasonable place to add these
> configurations? I'm trying to do everything the guix way; when I finish this
> machine configuration, I'd like it to be fully replicable.

Yeah, I don't think wireguard-configuration supports doing this. We could probably add it, although I think the "Guix way" here would probably be to specify iptables in another service:

https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables

Probably something like this? Although I'm really not an iptables expert:

--8<---------------cut here---------------start------------->8---
(service iptables-service-type
         (iptables-configuration
          (ipv4-rules (plain-file "iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"))
          (ipv6-rules (plain-file "ip6tables.rules" "*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"))))
--8<---------------cut here---------------end--------------->8---

That being said, it's not exactly the same as doing this with PostUp/PostDown: the rules will be applied independently, and it would be good for them to be set up only when wireguard comes up, and removed when you bring it down. AFAIK, there isn't a way to do this without hacking on the wireguard and iptables services themselves.

The way to compose services together in Guix is to use a list of service-extension; at the moment wireguard doesn't have any other than itself:

--8<---------------cut here---------------start------------->8---
(define wireguard-service-type
  (service-type
   (name 'wireguard)
   (extensions
    (list (service-extension shepherd-root-service-type
                             wireguard-shepherd-service)
          (service-extension activation-service-type
                             wireguard-activation)))))
--8<---------------cut here---------------end--------------->8---

Maybe we could have the iptables-service-type here as an extension as well; however, that requires the iptables service itself to be modified to allow extensibility. See the manual for more information:

https://guix.gnu.org/manual/en/html_node/Service-Composition.html

Hope this helps!

Thanks,
Pierre
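Putting the three pieces from the thread together (forwarding sysctl, iptables rules, the WireGuard interface), as an added example that is not code from the thread or from Guix itself. It assumes the uplink is eth0, a 10.0.0.0/24 tunnel using the default private-key path, placeholder peer keys, and a Guix where sysctl-service-type is not already provided by %base-services; the rule file splits *filter and *nat as iptables-restore requires and tightens FORWARD to a default DROP so only tunnel traffic and its replies are forwarded.

```scheme
;; Added example (not Pierre's or Guix's own code): an operating-system fragment
;; combining forwarding, firewall and WireGuard. eth0, 10.0.0.0/24 and peer keys are placeholders.
(use-modules (gnu)
             (gnu services networking)   ; iptables-service-type
             (gnu services sysctl)       ; sysctl-service-type
             (gnu services vpn))         ; wireguard-service-type

;; iptables-restore format: FORWARD rules live in *filter, MASQUERADE in *nat.
;; FORWARD defaults to DROP; only traffic from wg0 and replies back to wg0 pass.
(define %wg-firewall-rules
  (plain-file "wg-iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"))

(define %wg-services
  (list
   ;; Forwarding for both address families. On recent Guix, sysctl-service-type
   ;; is already in %base-services: extend it with modify-services instead.
   (service sysctl-service-type
            (sysctl-configuration
             (settings '(("net.ipv4.ip_forward" . "1")
                         ("net.ipv6.conf.all.forwarding" . "1")))))
   ;; The same rule text is valid for ip6tables-restore, so it is reused.
   (service iptables-service-type
            (iptables-configuration
             (ipv4-rules %wg-firewall-rules)
             (ipv6-rules %wg-firewall-rules)))
   (service wireguard-service-type
            (wireguard-configuration
             (addresses '("10.0.0.1/24"))
             (port 51820)
             (peers
              (list (wireguard-peer
                     (name "desktop")
                     (public-key "DESKTOP-PUBLIC-KEY-PLACEHOLDER")
                     (allowed-ips '("10.0.0.2/32")))))))))
;; In the operating-system record (other required fields omitted):
;; (services (append %wg-services %base-services))
```

As Pierre notes, these rules are applied by the iptables service independently of the wg0 interface's lifetime, so they stay in place whether or not the tunnel is up.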