From: crodges
To: guix-devel@gnu.org, Maxime Devos
Subject: Re: Wireguard
Date: Wed, 22 Sep 2021 09:27:06 -0700
Message-ID: <8598372.k9Cc6LeMoa@sceadufaex>
In-Reply-To: <5121813.v3WT2HIqr8@sceadufaex>
References: <2301909.g8HzRWBaYy@sceadufaex> <5121813.v3WT2HIqr8@sceadufaex>
List-Id: "Development of GNU Guix and the GNU System distribution."
On Wednesday, September 22, 2021 9:03:58 A.M. PDT crodges wrote:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > > 
> > > Let me start by thanking you for developing such an interesting
> > > project in GNU Guix. Also, I don't want to take up anyone's time, so
> > > you can just point to documentation or another resource succinctly
> > > and I'll do my best. I'm writing here because I tried the help list
> > > but got no answer so far, after a few days.
> > > 
> > > I managed to configure wireguard on a vps running guix and created
> > > clients for my desktop and cellphone. What I want to do (and did
> > > already in a Debian vps) is to make wireguard's lan accessible to
> > > anyone connected and also browse the internet using this vpn.
> > 
> > The Wireguard service as defined in Guix System doesn't currently
> > support the forwarding you appear to describe ...
> > 
> > > As I remember, I need to allow ip forwarding using
> > > 
> > >     sysctl net.ipv4.ip_forward=1
> > > 
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > > 
> > >     PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > >     PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> > 
> > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > don't seem to exist yet. Do they exist but are still undocumented?
> > 
> > Guix uses "wg-quick", so it would seem they do exist, but are
> > inaccessible from Guix. The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> > 
> > > If they don't exist, where would be a reasonable place to add these
> > > configurations?
> > 
> > <wireguard-configuration> and wireguard-configuration-file in (gnu
> > services vpn) it would seem. Also, sysctl-service-type would need to
> > be extended (in the 'service-extension' meaning of the word) to set
> > net.ipv4.ip_forward appropriately.
> > 
> > > I'm trying to do everything the guix way; when I finish this machine
> > > configuration, I'd like it to be fully replicable.
> > > 
> > > Also, is this something that I could solve by modifying the
> > > wireguard service definition itself?
> > 
> > If replicability is all you need, you could add 'postdown' and
> > 'postup' options to <wireguard-configuration>, which would need to be
> > set to the commands above. However, these strings seem rather
> > complicated for the uninitiated, so I'd recommend something more
> > high-level instead. Some interface like
> > 
> >     (wireguard-configuration
> >       [...]
> >       (addresses ...)
> >       (peers ...)
> >       (forward? #t))
> > 
> > perhaps? Make sure to add some documentation to 'Wireguard' in
> > (guix)VPN Services. (Maybe add some example situations on how
> > forward? can be used and how it functions.)
> > 
> > I want to note that I don't understand what exactly you're doing, I
> > only understand that there is some forwarding going on, and I'm not
> > unfamiliar with networking issues (e.g. I recently figured out why I
> > couldn't connect to the Internet with the ISP-provided '4G minimodem'
> > -- DNS was b0rken). So explaining forward? to laypeople might take
> > some care.
> > 
> > Writing a corresponding 'system test' in gnu/tests/networking.scm is
> > recommended.
> > 
> > Greetings,
> > Maxime.
> 
> Thanks for the pointers Maxime.
> 
> I'm not an expert in networking but I can briefly tell about my use case
> here. Basically my setup accomplishes two things: any machine connected
> to the server running guix and wireguard should be able to browse the
> internet like a normal vpn (using the server's ip address), and any
> client could theoretically see each other. Right now I use this
> capability to play 0ad with friends; in the future there will be apps
> running in different clients, accessible to anyone inside the vpn.
> 
> That said, I'm back here to ask one more thing. I cloned guix and
> followed the manual to create a --pure environment and authenticated
> the commits. This machine is a different one from my server; here I
> have guix running on top of manjaro (an arch gnu/linux flavor).
> 
> I started changing code inside vpn.scm and my approach was to "make &&
> make check" after changes to see if it would still build. But this
> week, after a git pull to update the repo and using make, I'm now
> greeted with
> 
>     error: failed to load 'gnu/packages/perl.scm':
>     ice-9/eval.scm:293:34: In procedure abi-check: #>:
>     record ABI mismatch; recompilation needed
> 
> I will still spend some time with this error, but I found it worth
> asking: is this approach of "make && make check" a reasonable one? Is
> there a way to test a guix system without installing it? Packages I
> know we can, but system capabilities like vpn I'm not sure. Finally,
> where can I get more information about submitting patches, including
> the proper way to do it, to guix?
> 
> thanks again,
> crodges

Ignore the patches question, I found it very well explained in the manual :)
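The forwarding setup discussed in this thread, written as a Guix System configuration fragment. This is an added example; it is not code from the thread, from crodges, or from Guix itself. It assumes that the VPS's uplink is eth0 and the tunnel is wg0 (as in the quoted rules), that your Guix provides `post-up` and `post-down` fields on `wireguard-configuration` taking lists of command strings (they did not exist when this thread was written, so check (guix)VPN Services for your version), and that wg-quick finds `iptables`/`ip6tables` on its PATH because they are in the system packages. It goes slightly beyond the quoted rules: it also enables `net.ipv6.conf.all.forwarding`, without which the ip6tables rules do nothing, and it adds an `-o wg0 ... ESTABLISHED,RELATED` rule so replies still reach peers when the FORWARD chain's policy is DROP. The `-i wg0 -j ACCEPT` rule deliberately lets every peer reach anything the server can route to, which is the behaviour the thread asks for.

```scheme
;; Added example (not from the thread or from Guix): forwarding for the
;; wireguard-service-type "the Guix way".  Assumptions are marked below.
(use-modules (gnu)
             (gnu services vpn)        ; wireguard-service-type & co.
             (gnu services sysctl)     ; sysctl-service-type
             (gnu packages vpn)        ; wireguard-tools
             (gnu packages linux)      ; iptables
             (srfi srfi-1))            ; append-map

(define %wan "eth0")   ; assumption: the VPS's uplink, as in the quoted rules
(define %wg  "wg0")    ; assumption: the tunnel interface name

;; The kernel only routes between interfaces when forwarding is on.  The
;; quoted sysctl line covers IPv4; the ip6tables rules are dead weight
;; without the second entry.
(define %forwarding-sysctls
  (simple-service 'wireguard-forwarding sysctl-service-type
                  '(("net.ipv4.ip_forward" . "1")
                    ("net.ipv6.conf.all.forwarding" . "1"))))

(define (forward-rules action)
  "Return the firewall commands for ACTION, \"-A\" (post-up) or \"-D\"
(post-down).  Generating both lists from one template keeps them symmetric,
so tearing the tunnel down cannot leave a stray rule behind."
  (append-map
   (lambda (fw)
     (list
      ;; Anything arriving from a peer may be routed onwards: to other
      ;; peers or to the Internet.  This is the broad policy the thread asks
      ;; for; narrow it with -d/-o if peers should not see the whole LAN.
      (string-append fw " " action " FORWARD -i " %wg " -j ACCEPT")
      ;; Replies must be allowed back in.  Needed when the FORWARD chain's
      ;; policy is DROP; harmless when it is ACCEPT.  Only established
      ;; flows, so the WAN cannot open connections to peers through here.
      (string-append fw " " action " FORWARD -o " %wg
                     " -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
      ;; Hide peers behind the server's own address on the uplink.
      (string-append fw " -t nat " action " POSTROUTING -o " %wan
                     " -j MASQUERADE")))
   '("iptables" "ip6tables")))

(define %vpn-services
  (list
   %forwarding-sysctls
   (service wireguard-service-type
            (wireguard-configuration
             (interface %wg)
             (addresses '("10.0.0.1/24"))   ; server address on the tunnel
             (port 51820)
             ;; post-up / post-down: assumed to exist as lists of command
             ;; strings; they were not in Guix when the thread was written.
             ;; wg-quick runs PostUp once the interface is up and PostDown
             ;; after the interface has been removed.
             (post-up   (forward-rules "-A"))
             (post-down (forward-rules "-D"))
             (peers
              (list
               (wireguard-peer
                (name "desktop")
                (public-key "REPLACE-WITH-DESKTOP-PUBLIC-KEY")  ; placeholder
                (allowed-ips '("10.0.0.2/32")))))))))

;; In the operating-system declaration (assumption: iptables must be in the
;; system profile so wg-quick finds it on PATH):
;;   (packages (append (list wireguard-tools iptables) %base-packages))
;;   (services (append %vpn-services %base-services))
```

Drop `%vpn-services` into the `services` field of your `operating-system` as the trailing comment shows; `guix system vm config.scm` then builds a VM from that file, which lets you exercise the configuration without touching the VPS.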