Hi,

Continuing on the OVH VPS machine that I could successfully install Guix System to recently [0], I wanted to run Wireguard in a way that would allow me to tunnel all my local traffic via it to the Internet (to make it seem as if I was browsing from the country the VPS is in, say).

[0] https://lists.gnu.org/archive/html/help-guix/2024-08/msg00125.html

Not being too knowledgeable about networking it took some effort, but the result is working nicely.

First I've created the secret and public keys with the 'wg' tool, as explained in its manpage or many tutorials, both for the VPS and for my own local machine.

Then I've configured the wireguard-service-type on the VPS with my peers, like this:

--8<---------------cut here---------------start------------->8---
;;;
(service wireguard-service-type
         (wireguard-configuration
          (peers
           (list
            (wireguard-peer
             (name "terra")
             (public-key "XXXX=")
             (allowed-ips '("10.0.0.3/32"
                            "fdb5:995f:152c::3/128")))
            (wireguard-peer
             (name "x200-laptop")
             (public-key "YYYY=")
             (allowed-ips '("10.0.0.2/32"
                            "fdb5:995f:152c::2/128")))))))
--8<---------------cut here---------------end--------------->8---

The important bit is using fully specified /32 IPv4 addresses or /128 IPv6 addresses to avoid any overlap, otherwise the routes set up by Wireguard on the VPS could for example redirect the traffic only to the first peer if both shared the same network in 'allowed-ips'.

Locally on my own machine, I've opted to define my VPN connection via NetworkManager, as that is convenient (especially from GNOME) to turn on and off the VPN, as needed. Since I'm tunnelling all my traffic via it, I don't want it always on, so having a 'wireguard-service-type' on my local machine didn't make sense for my use case here.
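The non-overlap requirement on 'allowed-ips' for the VPS peers described above can be checked mechanically before reconfiguring. The following Python check is an added example, not part of the original message or of Guix: the function `find_overlaps` and the `OVERLAPPING_PEERS` data are constructed for illustration, while `PAGE_PEERS` repeats the addresses from the service definition above.

```python
"""Added example: detect overlapping allowed-ips between WireGuard peers."""
from ipaddress import ip_network
from itertools import combinations


def find_overlaps(peers):
    """Return sorted (peer_a, net_a, peer_b, net_b) tuples whose ranges overlap.

    `peers` maps a peer name to its list of allowed-ips strings.
    """
    entries = []
    for name, cidrs in peers.items():
        for cidr in cidrs:
            # strict=False accepts entries with host bits set, such as
            # "10.0.0.3/24", and normalises them to the covering network.
            entries.append((name, ip_network(cidr, strict=False)))
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(entries, 2):
        if name_a == name_b or net_a.version != net_b.version:
            continue  # same peer, or IPv4 vs IPv6: cannot conflict
        if net_a.overlaps(net_b):
            # Two different peers claim at least one common address.
            overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return sorted(overlaps)


# Peers as configured on the page (public keys omitted).
PAGE_PEERS = {
    "terra": ["10.0.0.3/32", "fdb5:995f:152c::3/128"],
    "x200-laptop": ["10.0.0.2/32", "fdb5:995f:152c::2/128"],
}

# Constructed counter-example: both peers claim the same /24 and /64.
OVERLAPPING_PEERS = {
    "terra": ["10.0.0.3/24", "fdb5:995f:152c::3/64"],
    "x200-laptop": ["10.0.0.2/24", "fdb5:995f:152c::2/64"],
}

if __name__ == "__main__":
    for label, peers in (("page", PAGE_PEERS),
                         ("constructed", OVERLAPPING_PEERS)):
        hits = find_overlaps(peers)
        print(label, "no overlap" if not hits else hits)
```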
The important details are the private wireguard key generated on the local machine, and the peer which should match the $host:$port in endpoint and the public wireguard key as configured on the VPS, as well as the special 0.0.0.0/0 and ::/0 Allowed-IPs addresses to accept all the traffic (wg-quick, used by the service, will create the routes automatically for you).

The last important part of the NetworkManager VPN connection configuration is that you must set a static IPv4 as well as a static IPv6 address if you have one; these are the addresses to be associated with the WireGuard interface such as wg0 and are necessary for the traffic to be routed. I've used a ULA IPv6 generated address; you want it to *not* be routable to the Internet, as we'll want the VPS to masquerade (rewrite the source IPv6 or IPv4 into its own) our addresses.

Below is the graphical NetworkManager configuration, if that helps: