From: crodges <crodges@csphy.pw>
To: guix-devel@gnu.org, Maxime Devos <maximedevos@telenet.be>
Subject: Re: Wireguard
Date: Wed, 22 Sep 2021 09:03:58 -0700
Message-ID: <5121813.v3WT2HIqr8@sceadufaex>
In-Reply-To: <a601f31f8fc4ee16ed5dd687c609e93830e31fd0.camel@telenet.be>
On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > Hello everyone,
> >
> > Let me start by thanking you for developing such an interesting project in
> > GNU Guix. Also, I don't want to take up anyone's time, so you can just
> > point to documentation or other resources succinctly and I'll do my best.
> > I'm writing here because I tried the help list but got no answer so far,
> > after a few days.
> >
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
>
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
> >
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
>
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
>
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix. The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
>
> > If they don't exist, where would be a reasonable place to add these
> > configurations?
>
> <wireguard-configuration> and wireguard-configuration-file in (gnu services
> vpn) it would seem. Also, sysctl-service-type would need to be extended
> (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
>
> > I'm trying to do everything the guix way, when I finish this
> > machine configuration, I'd like it to be fully replicable.
> >
> > Also, is this something that I could solve modifying the wireguard service
> > definition itself?
>
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to <wireguard-configuration>, which would need to be set to the
> commands above. However, these strings seem rather complicated for the
> uninitiated, so I'd recommend something more high-level instead. Some
> interface like
>
> (wireguard-configuration
> [...]
> (addresses ...)
> (peers ...)
> (forward? #t))
>
> perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
>
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issues (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> So explaining forward? to laypeople might take some care.
>
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
>
> Greetings,
> Maxime.
Thanks for the pointers Maxime.
I'm not an expert in networking, but I can briefly describe my use case here.
Basically, my setup accomplishes two things: any machine connected to the
server running guix and wireguard should be able to browse the internet like a
normal vpn (using the server's ip address), and all clients could theoretically
see each other. Right now I use this capability to play 0ad with friends; in
the future there will be apps running on different clients, accessible to
anyone inside the vpn.
That said, I'm back here to ask one more thing. I cloned guix and followed the
manual to create a --pure environment and authenticated the commits. This
machine is a different one from my server; here I have guix running on top of
manjaro (an arch gnu/linux flavor).
I started changing code inside vpn.scm, and my approach was to "make && make
check" after changes to see if it would still build. But this week, after a
git pull to update the repo and running make, I'm now greeted with

    error: failed to load 'gnu/packages/perl.scm':
    ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
    record ABI mismatch; recompilation needed

I will still spend some time on this error, but I found it worth asking: is
this approach of "make && make check" a reasonable one? Is there a way to test
a guix system without installing it? Packages I know we can, but system
capabilities like vpn I'm not sure about. Finally, where can I get more
information about submitting patches to guix, including the proper way to do
it?
Thanks again,
crodges
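The forwarding recipe discussed in this thread (ip_forward via sysctl, FORWARD accept and MASQUERADE rules on the server's uplink), expressed as Guix System services rather than as commands run by hand. This is an added example, not code from the thread or from Guix itself. It assumes that <wireguard-configuration> has `post-up` and `post-down` fields taking a list of command strings (fields that did not exist when this was written; on a Guix without them the same strings would go into wireguard-configuration-file in gnu/services/vpn.scm, as Maxime suggests), that "eth0" is the VPS uplink, that 10.0.0.0/24 is the VPN subnet, and that the peer public keys are placeholders. The conntrack return rule and the `-s` restriction on MASQUERADE are additions beyond the rules quoted above, not part of the original recipe.

```scheme
;; Added example, not code from this thread or from Guix itself: the
;; PostUp/PostDown/sysctl recipe from the thread as Guix System services.
;;
;; Assumptions:
;;  - <wireguard-configuration> has `post-up' and `post-down' fields that
;;    take a list of command strings (not present at the time of the thread;
;;    without them, put the same strings into wireguard-configuration-file).
;;  - "eth0" is the VPS uplink, 10.0.0.0/24 is the VPN subnet, and the peer
;;    public keys below are placeholders to be replaced.
(use-modules (gnu)
             (gnu services vpn)
             (gnu services sysctl))

(define %wan "eth0")             ; assumption: uplink interface of the VPS
(define %vpn-net "10.0.0.0/24")  ; assumption: subnet handed to VPN clients

;; Build the netfilter rules with ACTION = "-A" (add) or "-D" (delete), so
;; post-up and post-down cannot drift apart.  Compared with the rules quoted
;; in the thread this also (a) limits MASQUERADE to traffic sourced from the
;; VPN subnet instead of everything leaving eth0, and (b) explicitly accepts
;; replies back into wg0; the original rules only work for return traffic
;; when the FORWARD chain's default policy is ACCEPT.
(define (wg-rules action)
  (list
   (string-append "iptables " action " FORWARD -i wg0 -j ACCEPT")
   (string-append "iptables " action " FORWARD -o wg0"
                  " -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
   (string-append "iptables -t nat " action " POSTROUTING"
                  " -s " %vpn-net " -o " %wan " -j MASQUERADE")))

(define %vpn-services
  (list
   ;; Extend sysctl-service-type (the "service-extension" sense Maxime
   ;; means) instead of running `sysctl' by hand, so the setting is part of
   ;; the reconfigurable system state and survives a reboot.
   (simple-service 'wg-ip-forward sysctl-service-type
                   '(("net.ipv4.ip_forward" . "1")))

   (service wireguard-service-type
            (wireguard-configuration
             (addresses '("10.0.0.1/24"))
             (port 51820)
             ;; Keep this file root-owned and mode 0600: it is the server's
             ;; long-term identity, and the config file copies it.
             (private-key "/etc/wireguard/private.key")
             (post-up (wg-rules "-A"))
             (post-down (wg-rules "-D"))
             (peers
              (list
               (wireguard-peer
                (name "desktop")
                (public-key "REPLACE-WITH-DESKTOP-PUBLIC-KEY")  ; placeholder
                ;; One /32 per client: clients reach each other because the
                ;; server routes between them, not because any peer is
                ;; allowed to claim another peer's address.
                (allowed-ips '("10.0.0.2/32")))
               (wireguard-peer
                (name "phone")
                (public-key "REPLACE-WITH-PHONE-PUBLIC-KEY")    ; placeholder
                (allowed-ips '("10.0.0.3/32")))))))))

;; In the operating-system declaration of the VPS:
;;   (services (append %vpn-services %base-services))
```

The rules quoted in the thread also masquerade IPv6; if the VPS has routed IPv6, mirror the three rules with ip6tables and extend sysctl-service-type with net.ipv6.conf.all.forwarding as well. On the testing questions at the end of the message: `guix system vm config.scm` builds a virtual machine from the declaration without installing anything on the host (from a git checkout, prefix it with `./pre-inst-env`), the system tests Maxime mentions run with `make check-system TESTS=...`, and the "record ABI mismatch; recompilation needed" error after a git pull is the situation the manual's "Building from Git" section addresses with `make clean-go` before rebuilding.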
Thread overview: 11+ messages
2021-08-29 21:53 Wireguard crodges
2021-09-01 7:07 ` Wireguard Maxime Devos
2021-09-22 16:03 ` crodges [this message]
2021-09-22 16:27 ` Wireguard crodges
2021-09-22 17:23 ` Wireguard Maxime Devos
2021-10-06 16:28 ` Wireguard crodges
2021-10-06 18:35 ` Wireguard Maxime Devos
2021-10-15 16:26 ` Wireguard crodges
-- strict thread matches above, loose matches on Subject: below --
2021-04-12 18:38 Wireguard amuza
2021-04-13 22:30 ` Wireguard Cameron
2021-04-14 17:36 ` Wireguard Leo Famulari