WireGuard: Difference between revisions

(4 intermediate revisions by 4 users not shown)

Line 134:

Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.

===== Configuration example =====

# Enable WireGuard

networking.wireguard.enable = true;

networking.wireguard.interfaces = {

#"wg0" is the network interface name. You can name the interface arbitrarily.

wgl0 = {

# Determines the IP address and subnet of the client's end of the tunnel interface.

ips = [ "192.168.27.88/32" ];

listenPort = 1235; # to match firewall allowedUDPPorts (without this wg uses random port numbers)

mtu = 1360;

# Path to the private key file.

# Note: The private key can also be included inline via the privateKey option,

# but this makes the private key world-readable; thus, using privateKeyFile is

# recommended.

privateKeyFile = "/etc/nixos/workmachine/orbitingstar/wireguard_privatekey.key";

peers = [

# For a client configuration, one peer entry for the server will suffice.

{

# Public key of the server (not a file path).

publicKey = "Iaaaaa5sUWc756dceJa8SL21X0TXpVFPPGdpNHaaaa=";

# Forward all the traffic via VPN.

allowedIPs = [ "192.168.27.64/27" "192.168.2.0/24" ];

# Or forward only particular subnets

#allowedIPs = [ "10.100.0.1" "11.111.11.0/22" ];

# Set this to the server IP and port.

name = "peer1";

endpoint = "11.61.111.211:12343"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577

# Send keepalives every 25 seconds. Important to keep NAT tables alive.

persistentKeepalive = 25;

}

];

}; # it’s not imperative but it does not know how to do it : sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 the ip adresse 11: external and 192: local.

};

</syntaxhighlight>

==Setting up WireGuard server/client with wg-quick and dnsmasq==

Line 247:

Line 284:

===Client setup (non-declaratively)===

The above steps will set up a <tt>wg-quick-wg0.service</tt> systemd unit.

You can start it by typing the following in your terminal:

sudo systemctl start wg-quick-wg0.service

</syntaxHighlight>

To stop the service:

sudo systemctl stop wg-quick-wg0.service

</syntaxHighlight>

If you have WireGuard configuration files that you want to use as-is (similarly how you would [https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure WireGuard e.g. in Debian], without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:

Line 448:

Line 499:

</syntaxHighlight>

== Server is reachable, but only some services are working==

It might be, that the [https://en.wikipedia.org/wiki/Maximum_transmission_unit MTU] of the network connecting the endpoints is smaller than the default (1500). By default the "option is set to" 1420, with an additional 80 due to wireguard overhead. Try adjusting it to something smaller:

networking.wireguard.interfaces.wg0.mtu = 1000;

#this is extremely small, bigger values can yield better performance.

#networking.wg-quick.interfaces.wg0.mtu = 1000; #if you use wq-quick

</syntaxHighlight>

== wg-quick issues with NetworkManager ==

Try <code>systemd-resolved</code>

This fixed the issue of wg connecting to the peer but not being able to access the internet or LAN.

networking.networkmanager.dns = "systemd-resolved";

services.resolved.enable = true;

</syntaxhighlight>

=See also=

Line 458:

Line 528:

[[Category:Networking]]

[[Category:VPN]]

@@ Line 134: / Line 134: @@
 Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.
+===== Configuration example =====
+<syntaxhighlight lang="nixos">
+# Enable WireGuard
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+     #"wg0" is the network interface name. You can name the interface arbitrarily.
+     wgl0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "192.168.27.88/32" ];
+      listenPort = 1235; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      mtu = 1360;
+      # Path to the private key file.
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/etc/nixos/workmachine/orbitingstar/wireguard_privatekey.key";
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+      {
+          # Public key of the server (not a file path).
+          publicKey = "Iaaaaa5sUWc756dceJa8SL21X0TXpVFPPGdpNHaaaa=";
+          # Forward all the traffic via VPN.
+          allowedIPs = [ "192.168.27.64/27" "192.168.2.0/24" ];
+          # Or forward only particular subnets
+          #allowedIPs = [ "10.100.0.1" "11.111.11.0/22" ];
+          # Set this to the server IP and port.
+          name = "peer1";
+          endpoint = "11.61.111.211:12343";  #  ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    }; # it’s not imperative but it does not know how to do it : sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 the ip adresse 11: external and 192: local.
+  };
+</syntaxhighlight>
 ==Setting up WireGuard server/client with wg-quick and dnsmasq==
@@ Line 247: / Line 284: @@
 ===Client setup (non-declaratively)===
+The above steps will set up a <tt>wg-quick-wg0.service</tt> systemd unit.
+You can start it by typing the following in your terminal:
+<syntaxHighlight lang="sh">
+sudo systemctl start wg-quick-wg0.service
+</syntaxHighlight>
+To stop the service:
+<syntaxHighlight lang="sh">
+sudo systemctl stop wg-quick-wg0.service
+</syntaxHighlight>
 If you have WireGuard configuration files that you want to use as-is (similarly how you would [https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure WireGuard e.g. in Debian], without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:
@@ Line 448: / Line 499: @@
 </syntaxHighlight>
+== Server is reachable, but only some services are working==
+It might be, that the [https://en.wikipedia.org/wiki/Maximum_transmission_unit MTU] of the network connecting the endpoints is smaller than the default (1500). By default the "option is set to" 1420, with an additional 80 due to wireguard overhead. Try adjusting it to something smaller:
+<syntaxHighlight lang="nix">
+networking.wireguard.interfaces.wg0.mtu = 1000;
+#this is extremely small, bigger values can yield better performance.
+#networking.wg-quick.interfaces.wg0.mtu = 1000; #if you use wq-quick
+</syntaxHighlight>
+== wg-quick issues with NetworkManager ==
+Try <code>systemd-resolved</code>
+This fixed the issue of wg connecting to the peer but not being able to access the internet or LAN.
+<syntaxhighlight lang="nix">
+networking.networkmanager.dns = "systemd-resolved";
+services.resolved.enable = true;
+</syntaxhighlight>
 =See also=
@@ Line 458: / Line 528: @@
 [[Category:Networking]]
+[[Category:VPN]]