From: crodges
To: guix-devel@gnu.org, Maxime Devos
Subject: Re: Wireguard
Date: Wed, 22 Sep 2021 09:03:58 -0700
Message-ID: <5121813.v3WT2HIqr8@sceadufaex>
In-Reply-To:
References: <2301909.g8HzRWBaYy@sceadufaex>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > Hello everyone,
> >
> > Let me start by thanking you for developing such an interesting project
> > in GNU Guix. Also, I don't want to take up anyone's time, so you can
> > just point to documentation or other resources succinctly and I'll do my
> > best. I'm writing here because I tried the help list but got no answer
> > so far, after a few days.
> >
> > I managed to configure wireguard on a vps running guix and created
> > clients for my desktop and cellphone. What I want to do (and did already
> > in a Debian vps) is to make wireguard's lan accessible to anyone
> > connected and also browse the internet using this vpn.
>
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
>
> > As I remember, I need to allow ip forwarding using
> >
> > sysctl net.ipv4.ip_forward=1
> >
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> >
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
>
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
>
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix. The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
>
> > If they don't exist, where would be a reasonable place to add these
> > configurations?
>
> and wireguard-configuration-file in (gnu services vpn) it would seem.
> Also, sysctl-service-type would need to be extended (in the
> ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
>
> > I'm trying to do everything the guix way, when I finish this machine
> > configuration, I'd like it to be fully replicable.
> >
> > Also, is this something that I could solve by modifying the wireguard
> > service definition itself?
>
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to , which would need to be set to the commands above. However,
> these strings seem rather complicated for the uninitiated, so I'd
> recommend something more high-level instead. Some interface like
>
> (wireguard-configuration
>   [...]
>   (addresses ...)
>   (peers ...)
>   (forward? #t))
>
> perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
>
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issues (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> So explaining forward? to laypeople might take some care.
>
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
>
> Greetings,
> Maxime.

Thanks for the pointers, Maxime.

I'm not an expert in networking but I can briefly tell about my use case
here. Basically my setup accomplishes two things: any machine connected to
the server running guix and wireguard should be able to browse the internet
like a normal vpn (using the server's ip address), and any client could
theoretically see each other. Right now I use this capability to play 0ad
with friends; in the future there will be apps running in different clients,
accessible to anyone inside the vpn.

That said, I'm back here to ask one more thing. I cloned guix and followed
the manual to create a --pure environment and authenticated the commits.
This machine is a different one from my server; here I have guix running on
top of manjaro (an arch gnu/linux flavor).
I started changing code inside vpn.scm and my approach was to "make && make
check" after changes to see if it would still build. But this week, after a
git pull to update the repo and using make, I'm now greeted with

error: failed to load 'gnu/packages/perl.scm':
ice-9/eval.scm:293:34: In procedure abi-check: #>:
record ABI mismatch; recompilation needed

I will still spend some time with this error, but I found it worth asking:
is this approach of "make && make check" a reasonable one? Is there a way to
test a guix system without installing it? Packages I know we can, but system
capabilities like vpn I'm not sure. Finally, where can I get more
information about submitting patches, including the proper way to do it, to
guix?

thanks again,
crodges
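The forwarding and NAT setup discussed in this thread, as an added example that is not part of the original messages nor of Guix's wireguard service: a POSIX shell script that renders a wg-quick server [Interface] section with the PostUp/PostDown rules, derives the PostDown rules from the same generator as PostUp (so every -D on teardown matches exactly what -A installed), narrows the MASQUERADE rules to the VPN subnets instead of NATing everything that leaves the WAN interface, and lists the sysctl settings the rules depend on. The function names, the subnets 10.8.0.0/24 and fd00:8::/64, the interface names wg0/eth0, the listen port and the placeholder key are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix: build a wg-quick
# server [Interface] section with the forwarding/NAT rules discussed above.
# Function names, subnets, interface names and the key value are assumptions.

# forward_rules WG WAN V4SUBNET V6SUBNET [-A|-D]
# Print the rule commands ';'-separated, as wg-quick expects on one line.
# One generator for both -A (PostUp) and -D (PostDown) guarantees that every
# rule deleted on teardown is exactly the rule that was added on bring-up.
# The -s filters narrow the thread's "-o eth0 -j MASQUERADE", which would
# NAT every flow leaving the WAN interface, to traffic from the VPN subnets.
forward_rules() {
  wg=$1 wan=$2 v4=$3 v6=$4 op=${5:--A}
  printf '%s; %s; %s; %s' \
    "iptables $op FORWARD -i $wg -j ACCEPT" \
    "iptables -t nat $op POSTROUTING -s $v4 -o $wan -j MASQUERADE" \
    "ip6tables $op FORWARD -i $wg -j ACCEPT" \
    "ip6tables -t nat $op POSTROUTING -s $v6 -o $wan -j MASQUERADE"
}

# wg_server_interface WG WAN V4SUBNET V6SUBNET PORT PRIVATEKEY
# Print the [Interface] section. The server takes host 1 of each subnet
# (an assumption); PostUp/PostDown come from forward_rules.
wg_server_interface() {
  wg=$1 wan=$2 v4=$3 v6=$4 port=$5 key=$6
  v4addr="${v4%.*}.1/${v4#*/}"    # 10.8.0.0/24 -> 10.8.0.1/24
  v6addr="${v6%/*}1/${v6#*/}"     # fd00:8::/64 -> fd00:8::1/64
  printf '[Interface]\n'
  printf 'Address = %s, %s\n' "$v4addr" "$v6addr"
  printf 'ListenPort = %s\n' "$port"
  printf 'PrivateKey = %s\n' "$key"
  printf 'PostUp = %s\n'   "$(forward_rules "$wg" "$wan" "$v4" "$v6" -A)"
  printf 'PostDown = %s\n' "$(forward_rules "$wg" "$wan" "$v4" "$v6" -D)"
}

# forward_sysctl
# Kernel settings the rules rely on. The thread enables only the IPv4 one;
# the ip6tables FORWARD rule is inert until IPv6 forwarding is on as well.
forward_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
  printf 'net.ipv6.conf.all.forwarding = 1\n'
}

# Demo with constructed values; the key is a placeholder, not a real key.
# Real use: wg_server_interface wg0 eth0 10.8.0.0/24 fd00:8::/64 51820 \
#   "$(cat /etc/wireguard/server.key)" > /etc/wireguard/wg0.conf   (mode 0600)
wg_server_interface wg0 eth0 10.8.0.0/24 fd00:8::/64 51820 REPLACE_WITH_SERVER_PRIVATE_KEY
forward_sysctl
```

Two points worth keeping in mind when applying these rules. The sysctl line in the thread enables IPv4 forwarding only, so the ip6tables FORWARD rule does nothing useful until net.ipv6.conf.all.forwarding is also 1. And the FORWARD rules match only packets entering from wg0; replies heading back out of wg0 are accepted by the chain's default policy, so on a host whose FORWARD policy is DROP you also need a matching `-o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule.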