WireGuard: Difference between revisions

(8 intermediate revisions by 3 users not shown)

Line 18:

systemd.network is recommended due to its powerful configuration interface.

wg-quick is suitable for common usage patterns. networking.wireguard seems to

have issues with routing. NetworkManager does not ~~supoort~~ Proxy server setup, and

have issues with routing. NetworkManager does not support Proxy server setup, and

is cubersome to use.

Line 32:

Internet via another peer.

== DNS for the proxy client ==

== Secure DNS for the proxy client ==

You can use ~~an external, encrypted~~ DNS such as knot dns resolver,

You can use a secure DNS client such as knot dns resolver,

which comes with a set of authenticated dns servers

which comes with a set of authenticated dns servers ips

built in.

Line 52:

}

</syntaxhighlight>

Secure DNS hinders usage of captive portals. See [[systemd-resolved]] for solutions.

= AllowedIPs =

Line 165:

Line 167:

ListenPort = 51820;

# ensure file is readable by `systemd-network` user

PrivateKeyFile = config.age.secrets.wg-key-vps.path;

Line 292:

Line 295:

FirewallMark = 42;

# we specify that the routing table 1000 must be used

# (... continued) we specify that the routing table 1000 must be used

# (which is the wireguard routing table). This rule routes all traffic through wireguard.

# inside routingPolicyRules section is called Table, not RouteTable

Line 385:

Line 388:

Family = "both";

}

]

];

# Configure port forwarding for Transmission under NAT

networking.nat.forwardPorts =

[

{

destination = "10.0.0.1:80";

proto = "tcp";

sourcePort = 8080;

}

{

destination = "[fc00::2]:80";

proto = "tcp";

sourcePort = 8080;

}

];

</syntaxhighlight>

Line 544:

Line 561:

== Reuse existing wg-quick config file ==

If you have WireGuard configuration files that you want to use as-is

If you have WireGuard configuration files that you want to use as-is (similarly how you would configure WireGuard e.g. in [https://wiki.debian.org/WireGuard#Step_2_-_Configuration Debian]), without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:

(similarly how you would

[https://wiki.debian.org/WireGuard#Step_2_-_Configuration ~~configure~~

~~WireGuard e.g. in~~ Debian], without converting them to a declarative

NixOS configuration, you can also configure <code>wg-quick</code> to

use them. For example, if you have a configuration file

<code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to

your <code>configuration.nix</code>:

Line 775:

Line 785:

* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]

* [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs

= Additional routing setups =

For documentation on more routing and topology setups, such as

* Point to Point Configuration,

* Hub and Spoke Configuration,

* Point to Site Configuration,

* Site to Site Configuration,

see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive].

[[Category:Networking]]

[[Category:VPN]]

@@ Line 18: / Line 18: @@
 systemd.network is recommended due to its powerful configuration interface.
 wg-quick is suitable for common usage patterns.  networking.wireguard seems to
-have issues with routing.  NetworkManager does not supoort Proxy server setup, and
+have issues with routing.  NetworkManager does not support Proxy server setup, and
 is cubersome to use.
@@ Line 32: / Line 32: @@
 Internet via another peer.
-== DNS for the proxy client ==
+== Secure DNS for the proxy client ==
-You can use an external, encrypted DNS such as knot dns resolver,
+You can use a secure DNS client such as knot dns resolver,
-which comes with a set of authenticated dns servers
+which comes with a set of authenticated dns servers ips
 built in.
@@ Line 52: / Line 52: @@
 }
 </syntaxhighlight>
+Secure DNS hinders usage of captive portals.  See [[systemd-resolved]] for solutions.
 = AllowedIPs =
@@ Line 165: / Line 167: @@
          ListenPort = 51820;
+        # ensure file is readable by `systemd-network` user
          PrivateKeyFile = config.age.secrets.wg-key-vps.path;
@@ Line 292: / Line 295: @@
            FirewallMark = 42;
-           # we specify that the routing table 1000 must be used
+           # (... continued) we specify that the routing table 1000 must be used
            # (which is the wireguard routing table). This rule routes all traffic through wireguard.
            # inside routingPolicyRules section is called Table, not RouteTable
@@ Line 385: / Line 388: @@
        Family = "both";
      }
-   ]
+   ];
+  # Configure port forwarding for Transmission under NAT
+  networking.nat.forwardPorts =
+       [
+         {
+           destination = "10.0.0.1:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+         {
+           destination = "[fc00::2]:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+       ];
 </syntaxhighlight>
@@ Line 544: / Line 561: @@
 == Reuse existing wg-quick config file ==
-If you have WireGuard configuration files that you want to use as-is
+If you have WireGuard configuration files that you want to use as-is (similarly how you would configure WireGuard e.g. in [https://wiki.debian.org/WireGuard#Step_2_-_Configuration Debian]), without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:
-(similarly how you would
-[https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure
-WireGuard e.g. in Debian], without converting them to a declarative
-NixOS configuration, you can also configure <code>wg-quick</code> to
-use them. For example, if you have a configuration file
-<code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to
-your <code>configuration.nix</code>:
 <syntaxHighlight lang="nix">
@@ Line 775: / Line 785: @@
 * [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
 * [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
+= Additional routing setups =
+For documentation on more routing and topology setups, such as
+* Point to Point Configuration,
+* Hub and Spoke Configuration,
+* Point to Site Configuration,
+* Site to Site Configuration,
+see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive].
 [[Category:Networking]]
 [[Category:VPN]]