WireGuard: Difference between revisions

(23 intermediate revisions by 17 users not shown)

Line 1:

[https://www.wireguard.com/ WireGuard] is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

=Setting up WireGuard=

==Generate keypair==

Line 15:

Line 17:

Alternatively, you can use <tt>networking.wireguard.interfaces.[name].generatePrivateKeyFile</tt> option.

If you decide to use files for storing your private keys and also use networkd, you'll need to modify the private key file permissions.

==== Troubleshooting Private Key File Resources ====

* https://discourse.nixos.org/t/wg0-failed-to-read-private-key/31461/8

===Server setup===

Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:

<~~syntaxHighlight~~ lang="nix">

{

...

Line 30:

Line 38:

};

networking.wireguard.enable = true;

networking.wireguard.interfaces = {

# "wg0" is the network interface name. You can name the interface arbitrarily.

Line 74:

Line 83:

...

}

</~~syntaxHighlight~~>

</syntaxhighlight>

===Client setup===

<~~syntaxHighlight~~ lang="nix">

{

...

Line 84:

Line 93:

};

# Enable WireGuard

networking.wireguard.enable = true;

networking.wireguard.interfaces = {

# "wg0" is the network interface name. You can name the interface arbitrarily.

Line 121:

Line 131:

...

}

</~~syntaxHighlight~~>

</syntaxhighlight>

Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.

===== Configuration example =====

# Enable WireGuard

networking.wireguard.enable = true;

networking.wireguard.interfaces = {

#"wg0" is the network interface name. You can name the interface arbitrarily.

wgl0 = {

# Determines the IP address and subnet of the client's end of the tunnel interface.

ips = [ "192.168.27.88/32" ];

listenPort = 1235; # to match firewall allowedUDPPorts (without this wg uses random port numbers)

mtu = 1360;

# Path to the private key file.

# Note: The private key can also be included inline via the privateKey option,

# but this makes the private key world-readable; thus, using privateKeyFile is

# recommended.

privateKeyFile = "/etc/nixos/workmachine/orbitingstar/wireguard_privatekey.key";

peers = [

# For a client configuration, one peer entry for the server will suffice.

{

# Public key of the server (not a file path).

publicKey = "Iaaaaa5sUWc756dceJa8SL21X0TXpVFPPGdpNHaaaa=";

# Forward all the traffic via VPN.

allowedIPs = [ "192.168.27.64/27" "192.168.2.0/24" ];

# Or forward only particular subnets

#allowedIPs = [ "10.100.0.1" "11.111.11.0/22" ];

# Set this to the server IP and port.

name = "peer1";

endpoint = "11.61.111.211:12343"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577

# Send keepalives every 25 seconds. Important to keep NAT tables alive.

persistentKeepalive = 25;

}

];

}; # it’s not imperative but it does not know how to do it : sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 the ip adresse 11: external and 192: local.

};

</syntaxhighlight>

==Setting up WireGuard server/client with wg-quick and dnsmasq==

Line 234:

Line 281:

}

</syntaxHighlight>

===Client setup (non-declaratively)===

The above steps will set up a <tt>wg-quick-wg0.service</tt> systemd unit.

You can start it by typing the following in your terminal:

sudo systemctl start wg-quick-wg0.service

</syntaxHighlight>

To stop the service:

sudo systemctl stop wg-quick-wg0.service

</syntaxHighlight>

If you have WireGuard configuration files that you want to use as-is (similarly how you would [https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure WireGuard e.g. in Debian], without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:

networking.wg-quick.interfaces.wg0.configFile = "/etc/nixos/files/wireguard/wg0.conf";

</syntaxHighlight>

This will set up a <code>wg-quick-wg0.service</code> systemd unit.

==Setting up WireGuard with systemd-networkd==

Line 247:

Line 318:

}: {

networking.firewall.allowedUDPPorts = [51820];

networking.useNetworkd = true;

systemd.network = {

enable = true;

Line 259:

Line 331:

PrivateKeyFile = "/run/keys/wireguard-privkey";

ListenPort = 51820;

RouteTable = "main"; # wg-quick creates routing entries automatically but we must use use this option in systemd.

};

wireguardPeers = [

{

~~wireguardPeerConfig = {~~

PublicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc=";

AllowedIPs = ["10.100.0.2"];

};

}

];

Line 284:

Line 355:

===Client setup===

<~~syntaxHighlight~~ lang="nix">

{ config, pkgs, lib, ... }: {

{

boot.~~extraModulePackages~~ = [ ~~config.boot.kernelPackages.~~wireguard ];

config,

pkgs,

lib,

...

}: {

boot.kernelModules = [ "wireguard" ];

systemd.network = {

enable = true;

Line 298:

Line 374:

# See also man systemd.netdev (also contains info on the permissions of the key files)

wireguardConfig = {

# Don't use a file from the Nix store as these are world readable.

# Don't use a file from the Nix store as these are world readable. Must be readable by the systemd-network user

PrivateKeyFile = "/run/keys/wireguard-privkey";

ListenPort = 9918;

};

wireguardPeers = [{

wireguardPeers = [

~~wireguardPeerConfig =~~ {

# configuration since nixos-unstable/nixos-24.11

{

PublicKey = "OhApdFoOYnKesRVpnYRqwk3pdM247j8PPVH5K7aIKX0=";

AllowedIPs = [ "fc00::1/64" "10.100.0.1" ];

AllowedIPs = ["fc00::1/64" "10.100.0.1"];

Endpoint = "{set this to the server ip}:51820";

}

}];

];

};

Line 321:

Line 398:

];

DHCP = "no";

dns = [ "fc00::53" ];

dns = ["fc00::53"];

ntp = [ "fc00::123" ];

ntp = ["fc00::123"];

gateway = [

"fc00::1"

Line 332:

Line 409:

};

}

</~~syntaxHighlight~~>

</syntaxhighlight>

==Setting up WireGuard with NetworkManager==

Line 367:

Line 445:

};

}

</syntaxHighlight>

</syntaxHighlight>{{Note|For the ip46tables command you need to add the reaction package.}}{{note|On NixOS 22.05 and earlier, the nixos-fw-rpfilter chain was in the raw table, not in the mangle table}}

{{note|On NixOS 22.05 and earlier, the nixos-fw-rpfilter chain was in the raw table, not in the mangle table}}

Adding a wireguard connection to NetworkManager is not straightforward to do fully in gui, it is simpler to reuse a configuration file for wg-guick. For example:

Line 423:

Line 499:

</syntaxHighlight>

== Server is reachable, but only some services are working==

It might be, that the [https://en.wikipedia.org/wiki/Maximum_transmission_unit MTU] of the network connecting the endpoints is smaller than the default (1500). By default the "option is set to" 1420, with an additional 80 due to wireguard overhead. Try adjusting it to something smaller:

networking.wireguard.interfaces.wg0.mtu = 1000;

#this is extremely small, bigger values can yield better performance.

#networking.wg-quick.interfaces.wg0.mtu = 1000; #if you use wq-quick

</syntaxHighlight>

== wg-quick issues with NetworkManager ==

Try <code>systemd-resolved</code>

This fixed the issue of wg connecting to the peer but not being able to access the internet or LAN.

networking.networkmanager.dns = "systemd-resolved";

services.resolved.enable = true;

</syntaxhighlight>

=See also=

* [https://www.wireguard.com/ WireGuard homepage]

* [https://wiki.archlinux.org/index.php/WireGuard Arch Wiki] has an exhaustive guide, including troubleshooting tips

* [https://search.nixos.org/options/?query=wireguard List of WireGuard options supported by NixOS]

* [https://search.nixos.org/options?query=wireguard List of WireGuard options supported by NixOS]

* [https://uint.one/posts/configuring-wireguard-using-systemd-networkd-on-nixos/ Blogpost by uint.one on replicating wg-quick with networkd]

* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]

* [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs

[[Category:~~Configuration~~]]

[[Category:Networking]]

[[Category:VPN]]

@@ Line 1: / Line 1: @@
+[https://www.wireguard.com/ WireGuard] is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
 =Setting up WireGuard=
 ==Generate keypair==
@@ Line 15: / Line 17: @@
 Alternatively, you can use <tt>networking.wireguard.interfaces.[name].generatePrivateKeyFile</tt> option.
+If you decide to use files for storing your private keys and also use networkd, you'll need to modify the private key file permissions.
+==== Troubleshooting Private Key File Resources ====
+* https://discourse.nixos.org/t/wg0-failed-to-read-private-key/31461/8
 ===Server setup===
 Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
 {
    ...
@@ Line 30: / Line 38: @@
    };
+  networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      # "wg0" is the network interface name. You can name the interface arbitrarily.
@@ Line 74: / Line 83: @@
    ...
 }
-</syntaxHighlight>
+</syntaxhighlight>
 ===Client setup===
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
 {
    ...
@@ Line 84: / Line 93: @@
    };
    # Enable WireGuard
+  networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      # "wg0" is the network interface name. You can name the interface arbitrarily.
@@ Line 121: / Line 131: @@
    ...
 }
-</syntaxHighlight>
+</syntaxhighlight>
 Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.
+===== Configuration example =====
+<syntaxhighlight lang="nixos">
+# Enable WireGuard
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+     #"wg0" is the network interface name. You can name the interface arbitrarily.
+     wgl0 = {
+      # Determines the IP address and subnet of the client's end of the tunnel interface.
+      ips = [ "192.168.27.88/32" ];
+      listenPort = 1235; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      mtu = 1360;
+      # Path to the private key file.
+      # Note: The private key can also be included inline via the privateKey option,
+      # but this makes the private key world-readable; thus, using privateKeyFile is
+      # recommended.
+      privateKeyFile = "/etc/nixos/workmachine/orbitingstar/wireguard_privatekey.key";
+      peers = [
+        # For a client configuration, one peer entry for the server will suffice.
+      {
+          # Public key of the server (not a file path).
+          publicKey = "Iaaaaa5sUWc756dceJa8SL21X0TXpVFPPGdpNHaaaa=";
+          # Forward all the traffic via VPN.
+          allowedIPs = [ "192.168.27.64/27" "192.168.2.0/24" ];
+          # Or forward only particular subnets
+          #allowedIPs = [ "10.100.0.1" "11.111.11.0/22" ];
+          # Set this to the server IP and port.
+          name = "peer1";
+          endpoint = "11.61.111.211:12343";  #  ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+          persistentKeepalive = 25;
+        }
+      ];
+    }; # it’s not imperative but it does not know how to do it : sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 the ip adresse 11: external and 192: local.
+  };
+</syntaxhighlight>
 ==Setting up WireGuard server/client with wg-quick and dnsmasq==
@@ Line 234: / Line 281: @@
 }
 </syntaxHighlight>
+===Client setup (non-declaratively)===
+The above steps will set up a <tt>wg-quick-wg0.service</tt> systemd unit.
+You can start it by typing the following in your terminal:
+<syntaxHighlight lang="sh">
+sudo systemctl start wg-quick-wg0.service
+</syntaxHighlight>
+To stop the service:
+<syntaxHighlight lang="sh">
+sudo systemctl stop wg-quick-wg0.service
+</syntaxHighlight>
+If you have WireGuard configuration files that you want to use as-is (similarly how you would [https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure WireGuard e.g. in Debian], without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:
+<syntaxHighlight lang="nix">
+networking.wg-quick.interfaces.wg0.configFile = "/etc/nixos/files/wireguard/wg0.conf";
+</syntaxHighlight>
+This will set up a <code>wg-quick-wg0.service</code> systemd unit.
 ==Setting up WireGuard with systemd-networkd==
@@ Line 247: / Line 318: @@
 }: {
    networking.firewall.allowedUDPPorts = [51820];
+  networking.useNetworkd = true;
    systemd.network = {
      enable = true;
@@ Line 259: / Line 331: @@
            PrivateKeyFile = "/run/keys/wireguard-privkey";
            ListenPort = 51820;
+          RouteTable = "main"; # wg-quick creates routing entries automatically but we must use use this option in systemd.
          };
          wireguardPeers = [
            {
-             wireguardPeerConfig = {
+             PublicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc=";
-              PublicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc=";
+            AllowedIPs = ["10.100.0.2"];
-              AllowedIPs = ["10.100.0.2"];
-            };
            }
          ];
@@ Line 284: / Line 355: @@
 ===Client setup===
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
-{ config, pkgs, lib, ... }: {
+{
-   boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+   boot.kernelModules = [ "wireguard" ];
    systemd.network = {
      enable = true;
@@ Line 298: / Line 374: @@
          # See also man systemd.netdev (also contains info on the permissions of the key files)
          wireguardConfig = {
-           # Don't use a file from the Nix store as these are world readable.
+           # Don't use a file from the Nix store as these are world readable. Must be readable by the systemd-network user
            PrivateKeyFile = "/run/keys/wireguard-privkey";
            ListenPort = 9918;
          };
-         wireguardPeers = [{
+         wireguardPeers = [
-           wireguardPeerConfig = {
+          # configuration since nixos-unstable/nixos-24.11
+           {
              PublicKey = "OhApdFoOYnKesRVpnYRqwk3pdM247j8PPVH5K7aIKX0=";
-             AllowedIPs = [ "fc00::1/64" "10.100.0.1" ];
+             AllowedIPs = ["fc00::1/64" "10.100.0.1"];
              Endpoint = "{set this to the server ip}:51820";
            }
-         }];
+         ];
        };
      };
@@ Line 321: / Line 398: @@
        ];
        DHCP = "no";
-       dns = [ "fc00::53" ];
+       dns = ["fc00::53"];
-       ntp = [ "fc00::123" ];
+       ntp = ["fc00::123"];
        gateway = [
          "fc00::1"
@@ Line 332: / Line 409: @@
      };
    };
-};
+}
-</syntaxHighlight>
+</syntaxhighlight>
 ==Setting up WireGuard with NetworkManager==
@@ Line 367: / Line 445: @@
    };
 }
-</syntaxHighlight>
+</syntaxHighlight>{{Note|For the ip46tables command you need to add the reaction package.}}{{note|On NixOS 22.05 and earlier, the nixos-fw-rpfilter chain was in the raw table, not in the mangle table}}
-{{note|On NixOS 22.05 and earlier, the nixos-fw-rpfilter chain was in the raw table, not in the mangle table}}
 Adding a wireguard connection to NetworkManager is not straightforward to do fully in gui, it is simpler to reuse a configuration file for wg-guick. For example:
@@ Line 423: / Line 499: @@
 </syntaxHighlight>
+== Server is reachable, but only some services are working==
+It might be, that the [https://en.wikipedia.org/wiki/Maximum_transmission_unit MTU] of the network connecting the endpoints is smaller than the default (1500). By default the "option is set to" 1420, with an additional 80 due to wireguard overhead. Try adjusting it to something smaller:
+<syntaxHighlight lang="nix">
+networking.wireguard.interfaces.wg0.mtu = 1000;
+#this is extremely small, bigger values can yield better performance.
+#networking.wg-quick.interfaces.wg0.mtu = 1000; #if you use wq-quick
+</syntaxHighlight>
+== wg-quick issues with NetworkManager ==
+Try <code>systemd-resolved</code>
+This fixed the issue of wg connecting to the peer but not being able to access the internet or LAN.
+<syntaxhighlight lang="nix">
+networking.networkmanager.dns = "systemd-resolved";
+services.resolved.enable = true;
+</syntaxhighlight>
 =See also=
 * [https://www.wireguard.com/ WireGuard homepage]
 * [https://wiki.archlinux.org/index.php/WireGuard Arch Wiki] has an exhaustive guide, including troubleshooting tips
-* [https://search.nixos.org/options/?query=wireguard List of WireGuard options supported by NixOS]
+* [https://search.nixos.org/options?query=wireguard List of WireGuard options supported by NixOS]
+* [https://uint.one/posts/configuring-wireguard-using-systemd-networkd-on-nixos/ Blogpost by uint.one on replicating wg-quick with networkd]
 * [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
 * [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
-[[Category:Configuration]]
+[[Category:Networking]]
+[[Category:VPN]]