* Wireguard
@ 2021-04-12 18:38 amuza
  2021-04-13 22:30 ` Wireguard Cameron
  2021-04-14 17:36 ` Wireguard Leo Famulari
  0 siblings, 2 replies; 11+ messages in thread
From: amuza @ 2021-04-12 18:38 UTC (permalink / raw)
  To: help-guix


Hello!

I'm new here. Some weeks ago I installed the Guix package manager on top
of Trisquel and so far I'm very happy.

Let me say that I'm not a developer or anything similar, so I easily get
lost.

And now my question:
I have just installed wireguard through Guix, but I cannot find the
/etc/wireguard directory.

Where is it?

Thank you!!



* Re: Wireguard
  2021-04-12 18:38 Wireguard amuza
@ 2021-04-13 22:30 ` Cameron
  2021-04-14 17:36 ` Wireguard Leo Famulari
  1 sibling, 0 replies; 11+ messages in thread
From: Cameron @ 2021-04-13 22:30 UTC (permalink / raw)
  To: help-guix

IIRC the wireguard package only includes the kernel interface. Presumably you will want wireguard-tools and wg-quick to get the 'wg' and wg-quick commands. (I'm not at a terminal right now to check the exact package names so please don't take this as literal advice)

Also beware that there is not as of yet a service definition for wg-quick. I simply do a 'wg-quick up' manually but am coming to rely on it in something approaching a "production" capacity, so I was planning on dipping my toes into writing a proper service definition for it *at some point*. :^)

-Cam


On Mon, Apr 12, 2021, at 1:38 PM, amuza wrote:
> Hello!
> 
> I'm new here. Some weeks ago I installed the Guix package manager on top
> of Trisquel and so far I'm very happy.
> 
> Let me say that I'm not a developer or anything similar, so I easily get
> lost.
> 
> And now my question:
> I have just installed wireguard through Guix, but I cannot find the
> /etc/wireguard directory.
> 
> Where is it?
> 
> Thank you!!
> 
> 

* Re: Wireguard
  2021-04-12 18:38 Wireguard amuza
  2021-04-13 22:30 ` Wireguard Cameron
@ 2021-04-14 17:36 ` Leo Famulari
  1 sibling, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2021-04-14 17:36 UTC (permalink / raw)
  To: amuza; +Cc: help-guix

On Mon, Apr 12, 2021 at 08:38:45PM +0200, amuza wrote:
> Hello!
> 
> I'm new here. Some weeks ago I installed the Guix package manager on top
> of Trisquel and so far I'm very happy.
> 
> Let me say that I'm not a developer or anything similar, so I easily get
> lost.
> 
> And now my question:
> I have just installed wireguard through Guix, but I cannot find the
> /etc/wireguard directory.

For your case, using Guix on another distro, I'd suggest that you need
to create the directory yourself.

When you install a package with Guix, all that happens is that the
package is made available.

It's not like on some distros, where "installation" also configures and
runs the service for you.



* Wireguard
@ 2021-08-29 21:53 crodges
  2021-09-01  7:07 ` Wireguard Maxime Devos
  0 siblings, 1 reply; 11+ messages in thread
From: crodges @ 2021-08-29 21:53 UTC (permalink / raw)
  To: guix-devel

Hello everyone,

Let me start by thanking you for developing such an interesting project in GNU 
Guix. Also, I don't want to take up anyone's time, so you can just point to 
documentation or other resource succinctly and I'll do my best. I'm writing 
here because I tried the help list but got no answer so far, after a few days.

I managed to configure wireguard on a vps running guix and created clients for 
my desktop and cellphone. What I want to do (and did already in a Debian vps) 
is to make wireguard's lan accessible to anyone connected and also browse the 
internet using this vpn.

As I remember, I need to allow ip forwarding using

sysctl net.ipv4.ip_forward=1

and I also need to put these rules into wireguard (the server) under 
[interface],

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Problem is, looking at the latest guix manual, PostUp and PostDown don't 
seem to exist yet. Do they exist but are still undocumented?

If they don't exist, what would be a reasonable place to add these 
configurations? I'm trying to do everything the guix way; when I finish this 
machine configuration, I'd like it to be fully replicable.

Also, is this something that I could solve by modifying the wireguard service 
definition itself?

Thanks,

crodges 





* Re: Wireguard
  2021-08-29 21:53 Wireguard crodges
@ 2021-09-01  7:07 ` Maxime Devos
  2021-09-22 16:03   ` Wireguard crodges
  0 siblings, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2021-09-01  7:07 UTC (permalink / raw)
  To: crodges, guix-devel

crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> Hello everyone,
> 
> Let me start thanking you for developing such a interesting project in GNU 
> Guix. Also, I don't want to take up anyone's time, so you can just point to 
> documentation or other resource succinctly and I'll do my best. I'm writing 
> here because I tried the help list but not answer so far, after a few days.
> 
> I managed to configure wireguard on a vps running guix and created clients for 
> my desktop and cellphone. What I want to do (and did already in a Debian vps) 
> is to make wireguard's lan accessible to anyone connected and also browse the 
> internet using this vpn.

The Wireguard service as defined in Guix System doesn't currently support the
forwarding you appear to describe ...

> As I remember, I need to allow ip forwarding using
> 
> sysctl net.ipv4.ip_forward=1
> 
> and I also need to put these rules into wireguard (the server) under 
> [interface],
> 
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING 
> -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat 
> -A POSTROUTING -o eth0 -j MASQUERADE
> 
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D 
> POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; 
> ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

However, I don't see why this couldn't be implemented in Guix System
(after some changes to wireguard-service-type).

> Problem is, looking at the latest guix manual, PostUp and PostDown doesn't 
> seem to exist yet. Do they exist but are still undocumented?

Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
from Guix.  The configuration file is created in wireguard-configuration-file
(in gnu/services/vpn.scm), maybe you can modify that.

> If they don't exist, where should be a reasonable place to add this 
> configurations?

<wireguard-configuration> and wireguard-configuration-file in (gnu services vpn)
it would seem.  Also, sysctl-service-type would need to be extended (in
the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
appropriately.

> I'm trying to do everything the guix way, when I finish this 
> machine configuration, I'd like it to be fully replicable.
> 
> Also, is this something that I could solve modifying the wireguard service 
> definition itself?

If replicability is all you need, you could add ‘postdown’ and ‘postup’
options to <wireguard-configuration>, which would need to be set to the
commands above.  However, these strings seem rather complicated for the
uninitiated, so I'd recommend something more high-level instead.  Some
interface like

  (wireguard-configuration
    [...]
    (addresses ...)
    (peers ...)
    (forward? #t))

perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN Services.
(Maybe add some example situations on how forward? can be used and how it functions.)

I want to note that I don't understand what exactly you're doing, I only understand
that there is some forwarding going on, and I'm not unfamiliar with networking issues
(e.g. I recently figured out why I couldn't connect to the Internet with the
ISP-provided ‘4G minimodem’ -- DNS was b0rken).  So explaining forward? to laypeople
might take some care.

Writing a corresponding ‘system test’ in gnu/tests/networking.scm is recommended.

Greetings,
Maxime.
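
What a high-level forward? option could expand to, as an added example that is not part of the thread and not Guix's own code: the hooks are generated from one rule list so PostDown deletes exactly what PostUp adds, and leftover_rules checks an existing wg-quick file for that property. It goes beyond the thread in emitting the ip6tables rules and the net.ipv6.conf.all.forwarding sysctl only when an IPv6 address is configured; the function names, addresses and port are assumptions.

```python
import ipaddress

# Rule shapes copied from the PostUp line quoted in the thread; {op} becomes
# -A (append) when the tunnel comes up and -D (delete) when it goes down.
RULE_TEMPLATES = (
    "{tool} {op} FORWARD -i {wg} -j ACCEPT",
    "{tool} -t nat {op} POSTROUTING -o {wan} -j MASQUERADE",
)

# (IP version, firewall tool, sysctl that enables routing for that family)
FAMILIES = (
    (4, "iptables", "net.ipv4.ip_forward"),
    (6, "ip6tables", "net.ipv6.conf.all.forwarding"),
)


def forwarding_hooks(addresses, wg="wg0", wan="eth0"):
    """Return (post_up, post_down, sysctls) for the address families in use."""
    versions = {ipaddress.ip_interface(a).version for a in addresses}
    post_up, post_down, sysctls = [], [], {}
    for version, tool, sysctl_key in FAMILIES:
        if version not in versions:
            continue  # no address of this family on the tunnel: add no rules
        sysctls[sysctl_key] = "1"
        for template in RULE_TEMPLATES:
            post_up.append(template.format(tool=tool, op="-A", wg=wg, wan=wan))
            post_down.append(template.format(tool=tool, op="-D", wg=wg, wan=wan))
    return post_up, post_down, sysctls


def render_interface(addresses, listen_port, forward=False, wg="wg0", wan="eth0"):
    """Render the hook-related part of [Interface] plus the sysctls it needs.

    Key material is left out on purpose; only the forwarding logic is shown.
    """
    lines = [
        "[Interface]",
        "Address = " + ", ".join(addresses),
        "ListenPort = %d" % listen_port,
    ]
    sysctls = {}
    if forward:
        post_up, post_down, sysctls = forwarding_hooks(addresses, wg, wan)
        # wg-quick reads one key per line, so each hook stays on a single line.
        lines.append("PostUp = " + "; ".join(post_up))
        lines.append("PostDown = " + "; ".join(post_down))
    return "\n".join(lines) + "\n", sysctls


def leftover_rules(conf_text):
    """Return PostUp rules (-A) that no PostDown command (-D) removes."""
    added, removed = [], set()
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("postup", "postdown"):
            continue
        for command in value.split(";"):
            words = command.split()
            if key == "postup" and "-A" in words:
                added.append(words)
            elif key == "postdown" and "-D" in words:
                # Normalise the delete back to its append form for comparison.
                removed.add(tuple("-A" if w == "-D" else w for w in words))
    return [" ".join(words) for words in added if tuple(words) not in removed]


if __name__ == "__main__":
    # Constructed sample values: a dual-stack tunnel address pair and a port.
    conf, sysctls = render_interface(["10.0.0.1/24", "fd00::1/64"], 51820, forward=True)
    print(conf)
    for name, value in sorted(sysctls.items()):
        print("sysctl %s=%s" % (name, value))
    print("rules left behind after PostDown:", leftover_rules(conf))
```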


* Re: Wireguard
  2021-09-01  7:07 ` Wireguard Maxime Devos
@ 2021-09-22 16:03   ` crodges
  2021-09-22 16:27     ` Wireguard crodges
  2021-09-22 17:23     ` Wireguard Maxime Devos
  0 siblings, 2 replies; 11+ messages in thread
From: crodges @ 2021-09-22 16:03 UTC (permalink / raw)
  To: guix-devel, Maxime Devos

On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > Hello everyone,
> > 
> > Let me start thanking you for developing such a interesting project in GNU
> > Guix. Also, I don't want to take up anyone's time, so you can just point
> > to
> > documentation or other resource succinctly and I'll do my best. I'm
> > writing
> > here because I tried the help list but not answer so far, after a few
> > days.
> > 
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
> 
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
> 
> > As I remember, I need to allow ip forwarding using
> > 
> > sysctl net.ipv4.ip_forward=1
> > 
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> > 
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> 
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
> 
> > Problem is, looking at the latest guix manual, PostUp and PostDown doesn't
> > seem to exist yet. Do they exist but are still undocumented?
> 
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix.  The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
> 
> > If they don't exist, where should be a reasonable place to add this
> > configurations?
> 
> <wireguard-configuration> and wireguard-configuration-file in (gnu services
> vpn) it would seem.  Also, sysctl-service-type would need to be extended
> (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
> 
> > I'm trying to do everything the guix way, when I finish this
> > machine configuration, I'd like it to be fully replicable.
> > 
> > Also, is this something that I could solve modifying the wireguard service
> > definition itself?
> 
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to <wireguard-configuration>, which would need to be set to the
> commands above.  However, these strings seem rather complicated for the
> uninitiated, so I'd recommend something more high-level instead.  Some
> interface like
> 
>   (wireguard-configuration
>     [...]
>     (addresses ...)
>     (peers ...)
>     (forward? #t))
> 
> perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
> 
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issue (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken). 
> So explaining forward? to laypeople might take some care.
> 
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
> 
> Greetings,
> Maxime.

Thanks for the pointers Maxime.

I'm not an expert in networking but I can briefly tell about my use case here.
Basically my setup accomplishes two things: any machine connected to the 
server running guix and wireguard should be able to browse the internet like a 
normal vpn (using the server's ip address) and any client theoretically could 
see each other. Right now I use this capability to play 0ad with friends, in 
the future there will be apps running in different clients, accessible to 
anyone inside vpn.

That said, I'm back here to ask one more thing. I cloned guix and followed the 
manual to create a --pure environment and authenticated the commits. This 
machine is a different one from my server; here I have guix running on top of 
manjaro (an arch gnu/linux flavor).

I started changing code inside vpn.scm and my approach was to "make && make 
check" after changes to see if it would still build. But this week, after a 
git pull to update the repo and using make, I'm now greeted with

error: failed to load 'gnu/packages/perl.scm':
ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>: 
record ABI mismatch; recompilation needed

I will still spend some time with this error, but I found it worth asking: is 
this approach of "make && make check" a reasonable one? Is there a way to test 
a guix system without installing it? Packages I know we can, but system 
capabilities like vpn I'm not sure. Finally, where can I get more information 
about submitting patches, including the proper way to do it, to guix?

thanks again,
crodges






* Re: Wireguard
  2021-09-22 16:03   ` Wireguard crodges
@ 2021-09-22 16:27     ` crodges
  2021-09-22 17:23     ` Wireguard Maxime Devos
  1 sibling, 0 replies; 11+ messages in thread
From: crodges @ 2021-09-22 16:27 UTC (permalink / raw)
  To: guix-devel, Maxime Devos

On Wednesday, September 22, 2021 9:03:58 A.M. PDT crodges wrote:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > > 
> > > Let me start thanking you for developing such a interesting project in
> > > GNU
> > > Guix. Also, I don't want to take up anyone's time, so you can just point
> > > to
> > > documentation or other resource succinctly and I'll do my best. I'm
> > > writing
> > > here because I tried the help list but not answer so far, after a few
> > > days.
> > > 
> > > I managed to configure wireguard on a vps running guix and created
> > > clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > and
> > > also browse the internet using this vpn.
> > 
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> > 
> > > As I remember, I need to allow ip forwarding using
> > > 
> > > sysctl net.ipv4.ip_forward=1
> > > 
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > > 
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> > 
> > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > doesn't
> > > seem to exist yet. Do they exist but are still undocumented?
> > 
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix.  The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> > 
> > > If they don't exist, where should be a reasonable place to add this
> > > configurations?
> > 
> > <wireguard-configuration> and wireguard-configuration-file in (gnu
> > services
> > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set
> > net.ipv4.ip_forward
> > appropriately.
> > 
> > > I'm trying to do everything the guix way, when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > > 
> > > Also, is this something that I could solve modifying the wireguard
> > > service
> > > definition itself?
> > 
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to <wireguard-configuration>, which would need to be set to the
> > commands above.  However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead.  Some
> > interface like
> > 
> >   (wireguard-configuration
> >   
> >     [...]
> >     (addresses ...)
> >     (peers ...)
> >     (forward? #t))
> > 
> > perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> > 
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issue (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > So explaining forward? to laypeople might take some care.
> > 
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> > 
> > Greetings,
> > Maxime.
> 
> Thanks for the pointers Maxime.
> 
> I'm not an expert in networking but I can briefly tell about my use case
> here. basically my setup accomplishes two things: any machine connected to
> the server running guix and wireguard should be able to browse the internet
> like a normal vpn (using the server's ip address) and any client
> theoretically could see each other. Right now I use this capability to play
> 0ad with friends, in the future there will be apps running in different
> clients, accessible to anyone inside vpn.
> 
> That said, I'm back here to ask one more thing. I cloned guix and followed
> the manual to create an --pure environment and authenticated the commits.
> This machine is a different one from my server, here I have guix running on
> top of manjaro (an arch gnu/linux flavor).
> 
> I started changing code inside vpn.scm and my approach was to "make && make
> check" after changes to see if it would still build. But this week, after a
> git pull to update the repo and using make, I'm now greeted with
> 
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
> record ABI mismatch; recompilation needed
> 
> I will still spend some time with this error, but I found worth to ask: is
> this approach of "make && make check" a reasonable one? Is there a way to
> test a guix system without installing it? Packages I know we can, but
> system capabilities like vpn I'm not sure. Finally, where can I get more
> information about submitting patches, including the proper way to do it, to
> guix?
> 
> thanks again,
> > crodges

Ignore the patches question, I found it very well explained in the manual :)






* Re: Wireguard
  2021-09-22 16:03   ` Wireguard crodges
  2021-09-22 16:27     ` Wireguard crodges
@ 2021-09-22 17:23     ` Maxime Devos
  2021-10-06 16:28       ` Wireguard crodges
  1 sibling, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2021-09-22 17:23 UTC (permalink / raw)
  To: crodges, guix-devel

crodges wrote on Wed 22-09-2021 at 09:03 [-0700]:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > > 
> > > Let me start thanking you for developing such a interesting project in GNU
> > > Guix. Also, I don't want to take up anyone's time, so you can just point
> > > to
> > > documentation or other resource succinctly and I'll do my best. I'm
> > > writing
> > > here because I tried the help list but not answer so far, after a few
> > > days.
> > > 
> > > I managed to configure wireguard on a vps running guix and created clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > > also browse the internet using this vpn.
> > 
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> > 
> > > As I remember, I need to allow ip forwarding using
> > > 
> > > sysctl net.ipv4.ip_forward=1
> > > 
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > > 
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> > 
> > > Problem is, looking at the latest guix manual, PostUp and PostDown doesn't
> > > seem to exist yet. Do they exist but are still undocumented?
> > 
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix.  The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> > 
> > > If they don't exist, where should be a reasonable place to add this
> > > configurations?
> > 
> > <wireguard-configuration> and wireguard-configuration-file in (gnu services
> > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> > appropriately.
> > 
> > > I'm trying to do everything the guix way, when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > > 
> > > Also, is this something that I could solve modifying the wireguard service
> > > definition itself?
> > 
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to <wireguard-configuration>, which would need to be set to the
> > commands above.  However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead.  Some
> > interface like
> > 
> >   (wireguard-configuration
> >     [...]
> >     (addresses ...)
> >     (peers ...)
> >     (forward? #t))
> > 
> > perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> > 
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issue (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken). 
> > So explaining forward? to laypeople might take some care.
> > 
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> > 
> > Greetings,
> > Maxime.
> Thanks for the pointers Maxime.
> 
> I'm not an expert in networking but I can briefly tell about my use case here.
> basically my setup accomplishes two things: any machine connected to the 
> server running guix and wireguard should be able to browse the internet like a 
> normal vpn (using the server's ip address) and any client theoretically could 
> see each other. Right now I use this capability to play 0ad with friends, in 
> the future there will be apps running in different clients, accessible to 
> anyone inside vpn.
> 
> That said, I'm back here to ask one more thing. I cloned guix and followed the 
> manual to create an --pure environment and authenticated the commits. This 
> machine is a different one from my server, here I have guix running on top of 
> manjaro (an arch gnu/linux flavor).
> 
> I started changing code inside vpn.scm and my approach was to "make && make 
> check" after changes to see if it would still build. But this week, after a 
> git pull to update the repo and using make, I'm now greeted with
> 
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>: 
> record ABI mismatch; recompilation needed
> 
> I will still spend some time with this error, but I found worth to ask: is 
> this approach of "make && make check" a reasonable one?

If you see ‘recompilation needed’, recompile with "make clean && make".

>  Is there a way to test 
> a guix system without installing it? Packages I know we can, but system 
> capabilities like vpn I'm not sure.

You could create a VM: "./pre-inst-env guix system vm the-configuration.scm --root=run-the-vm.sh
&& ./run-the-vm.sh".  Or possibly "./pre-inst-env guix system reconfigure the-config.scm",
if you only don't want to install guix, but reconfiguring the system is fine.

(You can do almost everything from ./pre-inst-env that can be done without.
The exception is if you modify the guix daemon (code under nix/), then you
may need to restart it from the local checkout.)

Greetings,
Maxime.


* Re: Wireguard
  2021-09-22 17:23     ` Wireguard Maxime Devos
@ 2021-10-06 16:28       ` crodges
  2021-10-06 18:35         ` Wireguard Maxime Devos
  0 siblings, 1 reply; 11+ messages in thread
From: crodges @ 2021-10-06 16:28 UTC (permalink / raw)
  To: guix-devel, Maxime Devos

On Wednesday, September 22, 2021 10:23:11 A.M. PDT Maxime Devos wrote:
> crodges wrote on Wed 22-09-2021 at 09:03 [-0700]:
> > On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > > Hello everyone,
> > > > 
> > > > Let me start thanking you for developing such a interesting project in
> > > > GNU
> > > > Guix. Also, I don't want to take up anyone's time, so you can just
> > > > point
> > > > to
> > > > documentation or other resource succinctly and I'll do my best. I'm
> > > > writing
> > > > here because I tried the help list but not answer so far, after a few
> > > > days.
> > > > 
> > > > I managed to configure wireguard on a vps running guix and created
> > > > clients
> > > > for my desktop and cellphone. What I want to do (and did already in a
> > > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > > and
> > > > also browse the internet using this vpn.
> > > 
> > > The Wireguard service as defined in Guix System doesn't currently
> > > support
> > > the forwarding you appear to describe ...
> > > 
> > > > As I remember, I need to allow ip forwarding using
> > > > 
> > > > sysctl net.ipv4.ip_forward=1
> > > > 
> > > > and I also need to put these rules into wireguard (the server) under
> > > > [interface],
> > > > 
> > > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > 
> > > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > However, I don't see why this couldn't be implemented in Guix System
> > > (after some changes to wireguard-service-type).
> > > 
> > > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > > doesn't
> > > > seem to exist yet. Do they exist but are still undocumented?
> > > 
> > > Guix uses "wg-quick", so it would seem they do exist, but are
> > > inaccessible
> > > from Guix.  The configuration file is created in
> > > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > > modify that.
> > > 
> > > > If they don't exist, where should be a reasonable place to add this
> > > > configurations?
> > > 
> > > <wireguard-configuration> and wireguard-configuration-file in (gnu
> > > services
> > > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > > (in the ‘service-extension’ meaning of the word) to set
> > > net.ipv4.ip_forward
> > > appropriately.
> > > 
> > > > I'm trying to do everything the guix way, when I finish this
> > > > machine configuration, I'd like it to be fully replicable.
> > > > 
> > > > Also, is this something that I could solve modifying the wireguard
> > > > service
> > > > definition itself?
> > > 
> > > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > > options to <wireguard-configuration>, which would need to be set to the
> > > commands above.  However, these strings seem rather complicated for the
> > > uninitiated, so I'd recommend something more high-level instead.  Some
> > > interface like
> > > 
> > >   (wireguard-configuration
> > >   
> > >     [...]
> > >     (addresses ...)
> > >     (peers ...)
> > >     (forward? #t))
> > > 
> > > perhaps?  Make sure to add some documentation to ‘Wireguard’ in
> > > (guix)VPN
> > > Services. (Maybe add some example situations on how forward? can be used
> > > and how it functions.)
> > > 
> > > I want to note that I don't understand what exactly you're doing, I only
> > > understand that there is some forwarding going on, and I'm not
> > > unfamiliar
> > > with networking issue (e.g. I recently figured out why I couldn't
> > > connect
> > > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > > So explaining forward? to laypeople might take some care.
> > > 
> > > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > > recommended.
> > > 
> > > Greetings,
> > > Maxime.
> > 
> > Thanks for the pointers Maxime.
> > 
> > I'm not an expert in networking but I can briefly tell about my use case
> > here. basically my setup accomplishes two things: any machine connected
> > to the server running guix and wireguard should be able to browse the
> > internet like a normal vpn (using the server's ip address) and any client
> > theoretically could see each other. Right now I use this capability to
> > play 0ad with friends, in the future there will be apps running in
> > different clients, accessible to anyone inside vpn.
> > 
> > That said, I'm back here to ask one more thing. I cloned guix and followed
> > the manual to create a --pure environment and authenticated the commits.
> > This machine is a different one from my server, here I have guix running
> > on top of manjaro (an arch gnu/linux flavor).
> > 
> > I started changing code inside vpn.scm and my approach was to "make &&
> > make check" after changes to see if it would still build. But this week,
> > after a git pull to update the repo and using make, I'm now greeted with
> > 
> > error: failed to load 'gnu/packages/perl.scm':
> > ice-9/eval.scm:293:34: In procedure abi-check: #<record-type <package>>:
> > record ABI mismatch; recompilation needed
> > 
> > I will still spend some time with this error, but I found it worth asking: is
> > this approach of "make && make check" a reasonable one?
> 
> If you see ‘recompilation needed’, recompile with "make clean && make".
> 
> > Is there a way to test a guix system without installing it? Packages I know
> > we can, but system capabilities like vpn I'm not sure.
> 
> You could create a VM: "./pre-inst-env guix system vm the-configuration.scm
> --root=run-the-vm.sh && ./run-the-vm.sh".  Or possibly "./pre-inst-env guix
> system reconfigure the-config.scm", if you only don't want to install guix,
> but reconfiguring the system is fine.
> 
> (You can do almost everything from ./pre-inst-env that can be done without.
> The exception is if you modify the guix daemon (code under nix/), then you
> may need to restart it from the local checkout.)
> 
> Greetings,
> Maxime.
Thanks again Maxime,

I was able to create and run the vm. How can I build a .iso image with my code 
changes to install in a vps? I tried to change the code, compile, run

guix system image -t iso9660 gnu/system/install.scm

then I grabbed the .iso from the /gnu/store

but after installing it, it didn't contain my changes. Am I grabbing the wrong
iso? If so, how should I do this? I may be confusing guix installed in my pc
with the one I'm making changes to.

Thanks,
crodges.






^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Wireguard
  2021-10-06 16:28       ` Wireguard crodges
@ 2021-10-06 18:35         ` Maxime Devos
  2021-10-15 16:26           ` Wireguard crodges
  0 siblings, 1 reply; 11+ messages in thread
From: Maxime Devos @ 2021-10-06 18:35 UTC (permalink / raw)
  To: crodges, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1294 bytes --]

crodges schreef op wo 06-10-2021 om 09:28 [-0700]:
> [...]
> I was able to create and run the vm. How can I build a .iso image with my code 
> changes to install in a vps? I tried to change the code, compile, run
> 
> guix system image -t iso9660 gnu/system/install.scm

Don't forget ./pre-inst-env:

make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm

Also, the installer won't use your locally modified guix.  IIUC,
it will use the 'guix' package, which is normally only used by a few services
like cuirass and guix-daemon, and for the initial installation.

It shouldn't be necessary to reinstall Guix System, I'd recommend sending a copy of
the locally-modified guix repo to your VM, build it, and reconfigure inside the VM
(./pre-inst-env guix system reconfigure ...) instead.

However, it should also be possible to modify the guix used by the installer, using the
procedure (current-guix) and the macro modify-services, see gnu/tests/install.scm
for an example.

> then I grabbed the .iso from the /gnu/store
> 
> but after installing it, it didn't contain my changes. Am I grabbing the wrong
> iso? If so, how should I do this? I may be confusing guix installed in my pc
> with the one I'm making changes to.

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
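
The last suggestion in the message above (overriding the guix used by the installer with (current-guix) through modify-services) could look like the following. This is an added example, not code from the thread or from Guix's own sources; the file name my-installer.scm is hypothetical, and it assumes installation-os from (gnu system install) is the installer definition that gnu/system/install.scm evaluates to.

```scheme
;; my-installer.scm -- hypothetical file name, kept next to the guix checkout.
;; Installer image whose guix-service-type uses the checkout's Guix instead
;; of the packaged 'guix'.
(use-modules (gnu)
             (gnu services base)                  ; guix-service-type, guix-configuration
             (gnu system install)                 ; installation-os
             (gnu packages package-management))   ; current-guix

(operating-system
  (inherit installation-os)
  (services
   ;; Keep every installer service as it is, except the guix service.
   (modify-services (operating-system-user-services installation-os)
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 ;; (current-guix) builds a package from the current checkout.
                 (guix (current-guix)))))))

;; Build the image from inside the checkout so the local modules are used:
;;   make && ./pre-inst-env guix system image -t iso9660 my-installer.scm
```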

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Wireguard
  2021-10-06 18:35         ` Wireguard Maxime Devos
@ 2021-10-15 16:26           ` crodges
  0 siblings, 0 replies; 11+ messages in thread
From: crodges @ 2021-10-15 16:26 UTC (permalink / raw)
  To: Maxime Devos; +Cc: guix-devel

On Wednesday, October 6, 2021 11:35:02 A.M. PDT you wrote:
> crodges schreef op wo 06-10-2021 om 09:28 [-0700]:
> > [...]
> > I was able to create and run the vm. How can I build a .iso image with my
> > code changes to install in a vps? I tried to change the code, compile,
> > run
> > 
> > guix system image -t iso9660 gnu/system/install.scm
> 
> Don't forget ./pre-inst-env:
> 
> make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm
> 
> Also, the installer won't use your locally modified guix.  IIUC,
> it will use the 'guix' package, which is normally only used by a few
> services like cuirass and guix-daemon, and for the initial installation.
> 
> It shouldn't be necessary to reinstall Guix System, I'd recommend sending a
> copy of the locally-modified guix repo to your VM, build it, and
> reconfigure inside the VM (./pre-inst-env guix system reconfigure ...)
> instead.
> 
> However, it should also be possible to modify the guix used by the
> installer, using the procedure (current-guix) and the macro
> modify-services, see gnu/tests/install.scm for an example.
> 
> > then I grabbed the .iso from the /gnu/store
> > 
> > but after installing it, it didn't contain my changes. Am I grabbing the
> > wrong iso? If so, how should I do this? I may be confusing guix installed
> > in my pc with the one I'm making changes to.
> 
> Greetings,
> Maxime.
Maxime,

I'm getting closer. I'm reading up on how the kernel treats networks, guile 
and guix. After I solve this issue I'll definitely do a write up to pass on
the acquired knowledge, it'll be good for someone that is starting with guix, 
like myself.

That said, I have additional questions. First, in my wireguard configuration I 
need to call iptables. It was suggested to me that I should modify wireguard
to accept iptables-service as an extension, and also modify iptables for it to
be extended. Do you know any other way, or does this look like the most appropriate?

Also, there are several wg0.conf generated at /gnu/store (because of many 
generations). How do I know which one is the most recent one, so I can check 
if my configuration is parsing correctly from guile? I tried a simple ls -lt 
but everything is showing Jan 1, 1970.

Thanks Maxime.





^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-10-15 16:28 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-29 21:53 Wireguard crodges
2021-09-01  7:07 ` Wireguard Maxime Devos
2021-09-22 16:03   ` Wireguard crodges
2021-09-22 16:27     ` Wireguard crodges
2021-09-22 17:23     ` Wireguard Maxime Devos
2021-10-06 16:28       ` Wireguard crodges
2021-10-06 18:35         ` Wireguard Maxime Devos
2021-10-15 16:26           ` Wireguard crodges
  -- strict thread matches above, loose matches on Subject: below --
2021-04-12 18:38 Wireguard amuza
2021-04-13 22:30 ` Wireguard Cameron
2021-04-14 17:36 ` Wireguard Leo Famulari
