From: Maxime Devos
To: crodges, guix-devel@gnu.org
Subject: Re: Wireguard
Date: Wed, 22 Sep 2021 19:23:11 +0200
In-Reply-To: <5121813.v3WT2HIqr8@sceadufaex>
References: <2301909.g8HzRWBaYy@sceadufaex> <5121813.v3WT2HIqr8@sceadufaex>
crodges wrote on Wed 22-09-2021 at 09:03 [-0700]:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges wrote on Sun 29-08-2021 at 14:53 [-0700]:
> > > Hello everyone,
> > >
> > > Let me start by thanking you for developing such an interesting project in GNU Guix. Also, I don't want to take up anyone's time, so you can just point to documentation or other resources succinctly and I'll do my best. I'm writing here because I tried the help list but got no answer so far, after a few days.
> > >
> > > I managed to configure wireguard on a vps running guix and created clients for my desktop and cellphone. What I want to do (and did already in a Debian vps) is to make wireguard's lan accessible to anyone connected and also browse the internet using this vpn.
> >
> > The Wireguard service as defined in Guix System doesn't currently support the forwarding you appear to describe ...
> >
> > > As I remember, I need to allow ip forwarding using
> > >
> > > sysctl net.ipv4.ip_forward=1
> > >
> > > and I also need to put these rules into wireguard (the server) under [interface],
> > >
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > >
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> >
> > However, I don't see why this couldn't be implemented in Guix System (after some changes to wireguard-service-type).
> >
> > > Problem is, looking at the latest guix manual, PostUp and PostDown don't seem to exist yet. Do they exist but are still undocumented?
> >
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible from Guix. The configuration file is created in wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can modify that.
> >
> > > If they don't exist, where would be a reasonable place to add these configurations?
> >
> > and wireguard-configuration-file in (gnu services vpn) it would seem. Also, sysctl-service-type would need to be extended (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward appropriately.
> >
> > > I'm trying to do everything the guix way; when I finish this machine configuration, I'd like it to be fully replicable.
> > >
> > > Also, is this something that I could solve by modifying the wireguard service definition itself?
> >
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’ options to , which would need to be set to the commands above. However, these strings seem rather complicated for the uninitiated, so I'd recommend something more high-level instead. Some interface like
> >
> > (wireguard-configuration
> >   [...]
> >   (addresses ...)
> >   (peers ...)
> >   (forward? #t))
> >
> > perhaps? Make sure to add some documentation to ‘Wireguard’ in (guix)VPN Services. (Maybe add some example situations on how forward? can be used and how it functions.)
> >
> > I want to note that I don't understand what exactly you're doing, I only understand that there is some forwarding going on, and I'm not unfamiliar with networking issues (e.g. I recently figured out why I couldn't connect to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken). So explaining forward? to laypeople might take some care.
> >
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is recommended.
> >
> > Greetings,
> > Maxime.
>
> Thanks for the pointers Maxime.
>
> I'm not an expert in networking but I can briefly tell about my use case here. Basically my setup accomplishes two things: any machine connected to the server running guix and wireguard should be able to browse the internet like a normal vpn (using the server's ip address), and any client theoretically could see each other. Right now I use this capability to play 0ad with friends; in the future there will be apps running in different clients, accessible to anyone inside the vpn.
>
> That said, I'm back here to ask one more thing. I cloned guix and followed the manual to create a --pure environment and authenticated the commits. This machine is a different one from my server; here I have guix running on top of manjaro (an arch gnu/linux flavor).
>
> I started changing code inside vpn.scm and my approach was to "make && make check" after changes to see if it would still build. But this week, after a git pull to update the repo and using make, I'm now greeted with
>
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #>:
> record ABI mismatch; recompilation needed
>
> I will still spend some time with this error, but I found it worth asking: is this approach of "make && make check" a reasonable one?

If you see ‘recompilation needed’, recompile with "make clean && make".

> Is there a way to test a guix system without installing it? Packages I know we can, but system capabilities like vpn I'm not sure.

You could create a VM: "./pre-inst-env guix system vm the-configuration.scm --root=run-the-vm.sh && ./run-the-vm.sh". Or possibly "./pre-inst-env guix system reconfigure the-config.scm", if you only don't want to install guix, but reconfiguring the system is fine.

(You can do almost everything from ./pre-inst-env that can be done without. The exception is if you modify the guix daemon (code under nix/), then you may need to restart it from the local checkout.)

Greetings,
Maxime.
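The ‘forward? #t’ option sketched in the thread would have to expand into exactly the PostUp/PostDown strings quoted earlier, plus the sysctl extension. The Python below is an added example, not Guix's own code (Guix's wireguard-configuration-file is Scheme in gnu/services/vpn.scm); the function names, parameters and the sample key value are assumptions made for this illustration. It renders a wg-quick [Interface] stanza from a high-level forward flag, generates the teardown hook from the same rule list as the setup hook, and provides a check that PostDown is the exact rule-for-rule inverse of PostUp, which is what keeps repeated wg-quick up/down cycles from leaving stale FORWARD or MASQUERADE rules behind.

```python
"""Expand a high-level 'forward' flag into wg-quick PostUp/PostDown hooks.

Added example for the guix-devel thread on Wireguard forwarding.  It is
not Guix code; all names here are assumptions for illustration.
"""
from typing import Dict, List, Tuple

# Each tuple is (command prefix, chain, match).  The -A / -D action is
# inserted between prefix and chain, so one list drives both hooks.
Rule = Tuple[str, str, str]


def forwarding_rules(wg_iface: str, wan_iface: str) -> List[Rule]:
    """The four rules from the thread, for IPv4 and IPv6, in the same order."""
    rules: List[Rule] = []
    for tool in ("iptables", "ip6tables"):
        # Accept anything arriving on the tunnel interface for forwarding.
        rules.append((tool, "FORWARD", f"-i {wg_iface} -j ACCEPT"))
        # Source-NAT forwarded traffic behind the WAN address (the server's IP).
        rules.append((f"{tool} -t nat", "POSTROUTING", f"-o {wan_iface} -j MASQUERADE"))
    return rules


def render_hook(action: str, wg_iface: str, wan_iface: str) -> str:
    """Join the rules into one wg-quick hook line; action is 'A' (PostUp) or 'D' (PostDown)."""
    if action not in ("A", "D"):
        raise ValueError("action must be 'A' (append) or 'D' (delete)")
    return "; ".join(f"{prefix} -{action} {chain} {match}"
                     for prefix, chain, match in forwarding_rules(wg_iface, wan_iface))


def hooks_are_inverse(post_up: str, post_down: str) -> bool:
    """True if PostDown deletes exactly the rules PostUp adds, rule for rule, in order."""
    ups = [r.strip() for r in post_up.split(";") if r.strip()]
    downs = [r.strip() for r in post_down.split(";") if r.strip()]
    return len(ups) == len(downs) and all(
        " -A " in u and u.replace(" -A ", " -D ", 1) == d for u, d in zip(ups, downs))


def sysctl_settings(forward: bool) -> Dict[str, int]:
    """What sysctl-service-type would have to be extended with.

    The thread names only net.ipv4.ip_forward; the IPv6 counterpart is added
    here because the hooks above also install ip6tables rules.
    """
    if not forward:
        return {}
    return {"net.ipv4.ip_forward": 1, "net.ipv6.conf.all.forwarding": 1}


def render_interface(private_key: str, addresses: List[str], listen_port: int,
                     forward: bool = False, wg_iface: str = "wg0",
                     wan_iface: str = "eth0") -> str:
    """Render the wg-quick [Interface] stanza; peers are left out for brevity."""
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"ListenPort = {listen_port}"]
    lines += [f"Address = {addr}" for addr in addresses]
    if forward:
        post_up = render_hook("A", wg_iface, wan_iface)
        post_down = render_hook("D", wg_iface, wan_iface)
        assert hooks_are_inverse(post_up, post_down)  # generator self-check
        lines.append(f"PostUp = {post_up}")
        lines.append(f"PostDown = {post_down}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the key is a placeholder, not real key material.
    print(render_interface("PRIVATE-KEY-PLACEHOLDER", ["10.0.0.1/24"], 51820, forward=True))
    print(sysctl_settings(True))
```

With forward=True the generated PostUp line is byte-for-byte the one quoted in the thread for wg0/eth0, and the FORWARD rule it installs accepts every packet entering via the tunnel, so the server's own firewall policy for wg0 is what limits which clients reach each other and the LAN. hooks_are_inverse is also useful on hand-written hook strings: a PostDown that drifts from PostUp is the usual reason rules accumulate across restarts.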