NixOS Wiki

WireGuard: Difference between revisions

← Older edit
VisualWikitext
Tie-ling (talk | contribs)
69 edits
do not use IPMasquerade
Tie-ling (talk | contribs)
69 edits
Route for specific user: add port forwading
 
(24 intermediate revisions by the same user not shown)
Line 2: Line 2:
= Configuration Modules =
= Configuration Modules =


In NixOS, there are several configuration modules for WireGuard.
WireGuard-related NixOS options exist for the following networking modules:
Depending on how your network is currently managed, refer to the
relevant section for details.
 
They have different options and capabilities.  For example,
<code>systemd.network</code> allows you to redirect network traffic
based on the user, such as redirecting torrenting traffic, with
RoutingPolicyRule option.  See ArchWiki for further details.


* NetworkManager
* NetworkManager
Line 16: Line 9:
* systemd.network
* systemd.network


= Use cases =
Depending on how your computer is configured, you need to refer to the
relevant section for setting up WireGuard.


This page describes how to set up WireGuard for two use cases.
Different modules have different capabilities.  systemd.network support routing
traffic on a per user basis.  For example, you can route all torrenting traffic
through a wireguard tunnel, see below.


The first use case is Virtual Private Network, which makes several peers
systemd.network is recommended due to its powerful configuration interface.
available on a private subnetThis is the basis for further
wg-quick is suitable for common usage patterns.  networking.wireguard seems to
configuration.
have issues with routingNetworkManager does not supoort Proxy server setup, and
is cubersome to use.


The second use case is Internet proxy,  which allows you to access the
Skip to Generate Keys section if you are in a hurry.
Internet via another peer.  This use case depends on the first use
case working correctly.


== Network address translation ==
= Use cases =


NAT maps the internal private IP address of the VPN to the public IP
The first use case is Virtual Private Network, which makes several peers
address of another peerFor all proxying setups, enable the
available on the same private subnetThis is the basis for the proxy
following configuration
configuration below.


<syntaxhighlight lang="nix">
The second use case is Internet proxy,  which allows you to access the
{
Internet via another peer.
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    externalInterface = "ens6";
    internalInterfaces = [ "wg0" ];
  };
}
</syntaxhighlight>


== External DNS with dnscrypt ==
== Secure DNS for the proxy client ==


You can use an external, encrypted DNS such as
You can use a secure DNS client such as knot dns resolver,
which comes with a set of authenticated dns servers ips
built in.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
   services.dnscrypt-proxy2 = {
  # knot dns resolver
    enable = true;
   services.kresd.enable = true;
    upstreamDefaults = true;
    settings = {
      ipv6_servers = true;
    };
  };
  networking.nameservers = [ "127.0.0.1" ];
}
</syntaxhighlight>


== Proxy DNS with dnsmasq ==
  # disable built-in dns
  services.resolved.enable = false;


On the proxy server, use the following config
  environment.etc."resolv.conf" = {
 
     mode = "0644";
<syntaxhighlight lang="nix">
     text = "nameserver ::1";
{
  networking.firewall = {
     allowedTCPPorts = [ 53 ];
     allowedUDPPorts = [ 53 ];
  };
  services = {
    dnsmasq = {
      enable = true;
      settings.interface = "wg0";
    };
   };
   };
}
}
</syntaxhighlight>
</syntaxhighlight>


On the proxy client, configure DNS optionsFor wg-quick, use the
Secure DNS hinders usage of captive portalsSee [[systemd-resolved]] for solutions.
following
 
<syntaxhighlight lang="nix">
{
  networking.wg-quick.interfaces.wg0.dns =
  [ {internal v4 & v6 ip addr of server} ];
}
</syntaxhighlight>


= AllowedIPs =


= AllowedIPs =
Each peer can handle traffic destined for a certain IP range.
This range is called AllowedIP.


"Allowed IPs" are IP addresses or ranges.  It is specified on a
Common forms of allowed IPs include
per-peer basis. All traffic to these addresses and ranges will be
redirected to the peer.  Common forms of allowed IPs are the
following.


* 192.168.26.9/32, a single internal IPv4 address
* 192.168.26.9/32, a single internal IPv4 address
Line 106: Line 69:
* ::/0, entire IPv6 address space, for proxying
* ::/0, entire IPv6 address space, for proxying


Notice that, in specifiying its subnet mask, some configuration
Notice that, in specifying its subnet mask, some configuration
modules can automatically configure network routes.
modules can automatically configure network routes.


Allowed IPs are unique to each peer.  If there are peers with the same
Allowed IPs should be unique to each peer.  If there are peers whose
allowed IPs, network traffic will only be redirected to one of them.
allowed IPs overlap, traffic will only reach one of them.


= WireGuard UDP Port =
= UDP Port =


The default port is 51820.  Some literature recommends changing this
The default port is 51820.  Some literature recommends changing this
port to circumvent intentional blocking of WireGuard traffic.
port to circumvent blocking of WireGuard traffic.
 
WireGuard will choose a random port, if this option is not set.


= Generate keys =
= Generate keys =


WireGuard works with public-private key pairs. Computers, called peers
WireGuard works with public-private key pairs.  
in WireGuard, are identified by their unique public keys.  Data is
encrypted with the corresponding private key before transmission.


Peers can only connect to a computer, if its public key is known to
Computer (peer) is identified by its public key
this computer.
Only connections from peers with known public keys are accepted.
For this reason, you can not reuse keys on multiple peers.


To generate a private key, and then derive the public key from it, you
To generate a private key, and derive the public key from it, you
need the <code>wg</code> utility, available in
need the <code>wg</code> utility, available in
<code>wireguard-tools</code> package.
<code>wireguard-tools</code> package.
Line 138: Line 102:
</syntaxHighlight>
</syntaxHighlight>


You need to generate a new key for each peer.  If you are setting up
You need to generate a new key for each peer.
multiple WireGuard interfaces on the same computer, you can reuse the
same key.


Pay attention to the permission of the file.  File permission may
Make sure the private key has the correct file permission as required
cause the WireGuard service to fail.  Check system log to rule out
by the WireGuard service. Wrong file permission may
cause the service to fail.  Check system log to rule out
this scenario.
this scenario.


Line 149: Line 112:
WireGuard key.
WireGuard key.


= networking.wireguard =
For systemd.network:
<syntaxHighlight>
  age.secrets.wg-key-vps = {
    file = "${inputs.self.outPath}/secrets/wg-key-vps.age";
    # for permission, see man systemd.netdev
    mode = "640";
    owner = "systemd-network";
    group = "systemd-network";
  };
</syntaxHighlight>
 
= systemd.network =


Note: does not automatically configure routes. Use
Credit: this section is adapted from ArchWiki.
<code>wg-quick</code> instead.
This section should fully support IPv4 and v6 dual stack.


== Peer setup ==
== Peer setup ==


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ config, ... }:
{
{
   age.secrets.wg-key-peer0 = {
   age.secrets.wg-key-vps = {
     file = "./secrets/wg-key-peer0.age";
     file = "${inputs.self.outPath}/secrets/wg-key-vps.age";
    # for permission, see man systemd.netdev
    mode = "640";
    owner = "systemd-network";
    group = "systemd-network";
   };
   };


   networking.firewall.allowedUDPPorts = [ 51820 ];
   networking.firewall.allowedUDPPorts = [ 51820 ];


   networking.wireguard = {
   networking.useNetworkd = true;
 
  systemd.network = {
     enable = true;
     enable = true;
    interfaces = {
      # network interface name.
      # You can name the interface arbitrarily.
      wg0 = {
        # the IP address and subnet of this peer
        ips = [ "fd31:bf08:57cb::9/128" "192.168.26.9/32" ];


         # WireGuard Port
    networks."50-wg0" = {
         # Must be accessible by peers
      matchConfig.Name = "wg0";
         listenPort = 51820;
 
      address = [
         # /32 and /128 specifies a single address
         # for use on this wg peer machine
        "fd31:bf08:57cb::7/128"
        "192.168.26.7/32"
      ];
    };
 
    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
 
      wireguardConfig = {
         ListenPort = 51820;
 
        PrivateKeyFile = config.age.secrets.wg-key-vps.path;


         # Path to the private key file.
         # To automatically create routes for everything in AllowedIPs,
        #
         # add RouteTable=main
        # Note: can also be included inline via the privateKey option,
         RouteTable = "main";
         # but this makes the private key world-readable;
        # using privateKeyFile is recommended.
         privateKeyFile = config.age.secrets.wg-key-laptop.path;


         peers = [
         # FirewallMark marks all packets send and received by wg0
          {
        # with the number 42, which can be used to define policy rules on these packets.  
            name = "home nas";
        FirewallMark = 42;
            publicKey = "ejmbag/fcc9OLp8K62zfV0NCbp056DnA0qpNixLXwCo=";
            allowedIPs = [
              "fd31:bf08:57cb::8/128"
              "192.168.26.8/32"
            ];
            endpoint = "192.168.1.56:51820";
            # ToDo: route to endpoint not automatically configured
            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
            # persistentKeepalive = 25;
          }
        ];
       };
       };
      wireguardPeers = [
        {
          # laptop wg conf
          PublicKey = "ronr+8v670J0CPb0xT5QLGMWDfE7+1g7HmC6YMdCIDk=";
          AllowedIPs = [
            "fd31:bf08:57cb::9/128"
            "192.168.26.9/32"
          ];
          Endpoint = "192.168.1.26:51820";
          # RouteTable can also be set in wireguardPeers
          # RouteTable in wireguardConfig will then be ignored.
          # RouteTable = 1000;
        }
      ];
     };
     };
  };
}
}
# it’s not imperative but it does not know how to do it :
# sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1
# the ip adresse 11: external and 192: local.
</syntaxhighlight>
</syntaxhighlight>


Line 212: Line 201:


Same as peer setup, skip the endpoint option, with the following
Same as peer setup, skip the endpoint option, with the following
addition, Remember to update the internal IP addresses in the script:
addition:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
  # enable NAT
   networking.nat = {
   networking.nat = {
     enable = true;
     enable = true;
Line 224: Line 212:
   };
   };


   networking.wireguard.interfaces.wg0 = {
   systemd.network = {
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    enable = true;
      postSetup = ''
    networks."50-wg0" = {
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
      networkConfig = {
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
         # do not use IPMasquerade,
         ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
         # unnecessary, causes problems with host ipv6
         ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
        IPv4Forwarding = true;
      '';
         IPv6Forwarding = true;
 
      };
      # Undo the above
    };
      postShutdown = ''
         ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
      '';
   };
   };
}
}
Line 246: Line 228:
== Proxy client setup ==
== Proxy client setup ==


Same as peer setup, specify proxy server ip or domain in the endpoint
Same as peer setup, with the following addition:
option. Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
 
=== Disable rpfilter ===
 
<syntaxhighlight lang="nix">
# NixOS firewall will block wg traffic because of rpfilter
networking.firewall.checkReversePath = "loose";
</syntaxhighlight>
 
=== Route DNS over wg0 ===
 
This applies to systemd-resolved:
<syntaxhighlight lang="nix">
  systemd.network = {
    networks."50-wg0" = {
      # only works with systemd-resolved
      domains = [ "~." ];
      dns = [ "{proxy server internal ip}" ];
      networkConfig = {
        DNSDefaultRoute = true;
      };
    };
  };
</syntaxhighlight>
Note: Routing all DNS over WireGuard (i.e. Domains=~.) will prevent the DNS resolution of endpoints. Unless the peer domain is configured to be resolved on a specific network link.
 
To use a peer as a DNS server, specify its WireGuard tunnel's IP address(es) in the .network file using the DNS= option. For search domains use the Domains= option.
 
To use a peer as the only DNS server set DNSDefaultRoute=true and Domains=~. in the [Network] section of .network file's.
 
=== Route all traffic over wg0, except endpoint ===
<syntaxhighlight lang="nix">
  systemd.network = {
    netdevs."50-wg0" = {
      # FirewallMark simply marks all packets send and received by this wireguard
      # interface with the number 42, which can be used to define policy rules on these packets.
      wireguardConfig.FirewallMark = 42;
 
      wireguardPeers = [
        {
          AllowedIPs = [
            # proxy all traffic
            "::/0"
            "0.0.0.0/0"
          ];
          # can't use domain
          # Routing all DNS over WireGuard (i.e. Domains=~.) will prevent the DNS resolution of endpoints.
          Endpoint = "[2a01::1]:51820";
 
          # RouteTable line specifies that a new routing table with id 1000 is created
          # for the wireguard interface, and no rules are set on the main routing table.
          RouteTable = 1000;
        }
      ];
    };
    networks."50-wg0" = {
      routingPolicyRules = [
        # rule 1: redirect traffic
        {
          # apply rule to both v4 and v6
          Family = "both";
 
          # For all packets *not* marked with 42 (i.e. all non-wireguard/normal traffic),
          InvertRule = true;
          FirewallMark = 42;
 
          # (... continued) we specify that the routing table 1000 must be used
          # (which is the wireguard routing table). This rule routes all traffic through wireguard.
          # inside routingPolicyRules section is called Table, not RouteTable
          Table = 1000;
 
          # this routing policy rule has a lower priority (10) than
          # endpoint exclusion rule (5).
          Priority = 10;
        }
 
 
        # rule 2: exclude endpoint ip
        {
          # Use a routing policy rule to exclude the endpoint IP address,
          # so that wireguard can still connect to it.
          # it has a higher priority (5) than (10).
 
          # We exempt our endpoint with a higher priority by routing it
          # through the main table (Table=main is default).
          To = "2a01::1/128";
          Priority = 5;
        }
      ];
    };
  };
</syntaxhighlight>
 
=== Exempting specific addresses ===
 
In order to exempt specific addresses (such as private LAN addresses) from routing over the WireGuard tunnel, add them to another RoutingPolicyRule with higher priority.
 
<syntaxhighlight lang="nix">
  systemd.network.networks."50-wg0".routingPolicyRules =
  [
    {
      To = "192.168.0.0/24";
      Priority = 9;
    }
  ]
</syntaxhighlight>
 
=== Manually start and stop wg0 ===
 
The above steps will set up a <tt>wg0</tt> interface, managed by networkctl command.
 
You can start it by typing the following in your terminal:
 
<syntaxHighlight lang="sh">
sudo networkctl up wg0
</syntaxHighlight>
 
To stop the service:
 
<syntaxHighlight lang="sh">
sudo networkctl down wg0
</syntaxHighlight>
 
=== Route for specific user ===
 
It may be desirable to route WAN traffic over the tunnel only for a specific user, for example, the transmission user in order to use the tunnel for torrent traffic.
 
Replace catch-all rules above, with user-specific rules below.
 
<syntaxhighlight lang="nix">
  systemd.network.networks."50-wg0".routingPolicyRules =
  [
    {
      # The lower priority rule (30001), matches all traffic generated
      # by the transmission user and routes it through table 1000 which is the wireguard table.
      Table = 1000;
      User = "transmission";
      Priority = 30001;
      Family = "both";
    }
 
    {
      # The higher priority rule (30000), matches all traffic
      # generated by the transmission user
      # and routes it through the main table (no wireguard)
      # BUT only using rules with a prefix length larger than 0.
      #
      # This means the default 0.0.0.0/0 and ::/0 rules still apply
      #
      # Therefore, only traffic matching specific rules with non-zero prefix
      # (such as those defining the subnet of your local home network) of the main table
      # are routed through the main table.
 
      Table = "main";
      User = "transmission";
      SuppressPrefixLength = 0;
      Priority = 30000;
      Family = "both";
    }
  ];
  # Configure port forwarding for Transmission under NAT
  networking.nat.forwardPorts =
      [
        {
          destination = "10.0.0.1:80";
          proto = "tcp";
          sourcePort = 8080;
        }
        {
          destination = "[fc00::2]:80";
          proto = "tcp";
          sourcePort = 8080;
        }
      ];
</syntaxhighlight>
 
== Test and Troubleshooting ==
 
Test the proxy with
 
# ipv4
$ curl -4 zx2c4.com/ip
# ipv6
$ curl -6 zx2c4.com/ip
 
Check systemd-networkd log for any error and warning messages.
 
$ journalctl -u systemd-networkd.service
 
Invoke <code>wg</code> command from <code>wireguard-tools</code>.
 
Use <code>ip route</code> to inspect the route table
 
$ ip route show table 1000
default dev wg0 proto static scope link
 
$ ip route show table all
... many entries ...
 
$ ip rule list
10: not from all fwmark 0x2a lookup 1000 proto static
 
$ ip route get  136.144.57.121
136.144.57.121 dev wg0 table 1000 src 192.168.26.9 uid 1000
 
$ ip route get 2600:1406::1
2600:1406::1 from :: dev wg0 table 1000 proto static src fd31:bf08:57cb::9 metric 1024 pref medium


= wg-quick =
= wg-quick =
Line 323: Line 511:


Optionally, configure proxy server as DNS server as described above.
Optionally, configure proxy server as DNS server as described above.
=== Proxy DNS with dnsmasq ===
You can also use the proxy server as DNS server with
dnsmasq.
<syntaxhighlight lang="nix">
{
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
  services = {
    dnsmasq = {
      enable = true;
      settings.interface = "wg0";
    };
  };
}
</syntaxhighlight>
For wg-quick peer, use the
following option
<syntaxhighlight lang="nix">
{
  networking.wg-quick.interfaces.wg0.dns =
  [ {internal v4 & v6 ip addr of server} ];
}
</syntaxhighlight>


== Manually start and stop wg-quick ==
== Manually start and stop wg-quick ==
Line 357: Line 575:
This will set up a <code>wg-quick-wg0.service</code> systemd unit.
This will set up a <code>wg-quick-wg0.service</code> systemd unit.


= systemd.network =
= networking.wireguard =
 
Note: does not automatically configure routes, see comments.


== Peer setup ==
== Peer setup ==


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{ config, ... }:
{
{
  age.secrets.wg-key-peer0 = {
    file = "./secrets/wg-key-peer0.age";
  };
   networking.firewall.allowedUDPPorts = [ 51820 ];
   networking.firewall.allowedUDPPorts = [ 51820 ];
   networking.useNetworkd = true;
 
  systemd.network = {
   networking.wireguard = {
     enable = true;
     enable = true;
     networks."50-wg0" = {
     interfaces = {
      matchConfig.Name = "wg0";
      # network interface name.
      address = [
      # You can name the interface arbitrarily.
         # /32 and /128 specifies a single address
      wg0 = {
         # for use on this wg peer machine
        # the IP address and subnet of this peer
         "fd31:bf08:57cb::7/128"
        ips = [ "fd31:bf08:57cb::9/128" "192.168.26.9/32" ];
        "192.168.26.7/32"
 
      ];
        # WireGuard Port
    };
        # Must be accessible by peers
    netdevs."50-wg0" = {
        listenPort = 51820;
      netdevConfig = {
 
        Kind = "wireguard";
        # Path to the private key file.
         Name = "wg0";
        #
         # Note: can also be included inline via the privateKey option,
         # but this makes the private key world-readable;
        # using privateKeyFile is recommended.
        privateKeyFile = config.age.secrets.wg-key-laptop.path;
 
         peers = [
          {
            name = "home nas";
            publicKey = "ejmbag/fcc9OLp8K62zfV0NCbp056DnA0qpNixLXwCo=";
            allowedIPs = [
              "fd31:bf08:57cb::8/128"
              "192.168.26.8/32"
            ];
            endpoint = "192.168.1.56:51820";
            #  ToDo: route to endpoint not automatically configured
            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
            # persistentKeepalive = 25;
          }
         ];
       };
       };
      wireguardConfig = {
        ListenPort = 51820;
        # routing table identifier for addresses in AllowedIP
        # if empty, no route is configured.
        # see systemd netdev man page
        RouteTable = "main";
        PrivateKeyFile = config.age.secrets.wg-key-vps.path;
      };
      wireguardPeers = [
        {
          # laptop wg conf
          PublicKey = "ronr+8v670J0CPb0xT5QLGMWDfE7+1g7HmC6YMdCIDk=";
          AllowedIPs = [
            "fd31:bf08:57cb::9/128"
            "192.168.26.9/32"
          ];
          Endpoint = "192.168.1.26:51820";
        }
      ];
     };
     };
  };
}
}
# it’s not imperative but it does not know how to do it :
# sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1
# the ip adresse 11: external and 192: local.
</syntaxhighlight>
</syntaxhighlight>


Line 409: Line 637:


Same as peer setup, skip the endpoint option, with the following
Same as peer setup, skip the endpoint option, with the following
addition:
addition, Remember to update the internal IP addresses in the script:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
  # enable NAT
   networking.nat = {
   networking.nat = {
     enable = true;
     enable = true;
Line 420: Line 649:
   };
   };


   systemd.network = {
   networking.wireguard.interfaces.wg0 = {
    enable = true;
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
    networks."50-wg0" = {
      postSetup = ''
      networkConfig = {
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
         # do not use IPMasquerade,
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
         # unnecessary, causes problems with host ipv6
        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
         IPv4Forwarding = true;
         ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
         IPv6Forwarding = true;
      '';
      };
 
    };
      # Undo the above
      postShutdown = ''
         ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
         ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
         ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
      '';
   };
   };
}
}
Line 439: Line 674:
option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.


Optionally, configure proxy server as DNS server as described above.
Note, systemd.network client seems to have issues.  Use wg-quick
client instead.


= NetworkManager Proxy client setup =
= NetworkManager Proxy client setup =
Line 560: Line 791:
* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
* [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
* [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
= Additional routing setups =
For documentation on more routing and topology setups, such as
* Point to Point Configuration,
* Hub and Spoke Configuration,
* Point to Site Configuration,
* Site to Site Configuration,
see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive].


[[Category:Networking]]
[[Category:Networking]]
[[Category:VPN]]
[[Category:VPN]]
Retrieved from "https://wiki.nixos.org/wiki/WireGuard"