@@ Line 1: / Line 1: @@
-[https://www.wireguard.com/ WireGuard] is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
-=Setting up WireGuard=
+= Configuration Modules =
-==Generate keypair==
-Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has WireGuard installed using the <code>wg</code> utility. If WireGuard isn't installed yet, it can be made available by adding <code>wireguard-tools</code> to <code>environment.systemPackages</code> or by running <code>nix-env -iA nixos.wireguard-tools</code> for NixOS based systems and <code>nix-env -iA nixpkgs.wireguard-tools</code> for non-NixOS systems.
+In NixOS, there are several configuration modules for WireGuard.
+Depending on how your network is currently managed, refer to the
+relevant section for details.
-Creating a keypair is simple:
+They have different options and capabilities.  For example,
-<syntaxHighlight lang="nix">
+<code>systemd.network</code> allows you to redirect network traffic
-umask 077
+based on the user, such as redirecting torrenting traffic, with
-mkdir ~/wireguard-keys
+RoutingPolicyRule option.  See ArchWiki for further details.
-wg genkey > ~/wireguard-keys/private
-wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public
+* NetworkManager
-</syntaxHighlight>
+* wg-quick
+* networking.wireguard
+* systemd.network
+= Use cases =
-You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
+This page describes how to set up WireGuard for two use cases.
-Alternatively, you can use <tt>networking.wireguard.interfaces.[name].generatePrivateKeyFile</tt> option.
+The first use case is Virtual Private Network, which makes several peers
+available on a private subnet.  This is the basis for further
+configuration.
-If you decide to use files for storing your private keys and also use networkd, you'll need to modify the private key file permissions.
+The second use case is Internet proxy,  which allows you to access the
+Internet via another peer.  This use case depends on the first use
+case working correctly.
-==== Troubleshooting Private Key File Resources ====
+== Network address translation ==
-* https://discourse.nixos.org/t/wg0-failed-to-read-private-key/31461/8
+NAT maps the internal private IP address of the VPN to the public IP
+address of another peer.  For all proxying setups, enable the
+following configuration
-===Server setup===
-Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:
 <syntaxhighlight lang="nix">
 {
-   ...
+   networking.nat = {
+    enable = true;
-  # enable NAT
+    enableIPv6 = true;
-  networking.nat.enable = true;
+    externalInterface = "ens6";
-  networking.nat.externalInterface = "eth0";
+    internalInterfaces = [ "wg0" ];
-  networking.nat.internalInterfaces = [ "wg0" ];
-  networking.firewall = {
-    allowedUDPPorts = [ 51820 ];
    };
+}
+</syntaxhighlight>
-  networking.wireguard.enable = true;
+== External DNS with dnscrypt ==
-  networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
-    wg0 = {
-      # Determines the IP address and subnet of the server's end of the tunnel interface.
-      ips = [ "10.100.0.1/24" ];
-      # The port that WireGuard listens to. Must be accessible by the client.
+You can use an external, encrypted DNS such as
-      listenPort = 51820;
-      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+<syntaxhighlight lang="nix">
-      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+{
-       postSetup = ''
+  services.dnscrypt-proxy2 = {
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+    enable = true;
-      '';
+    upstreamDefaults = true;
+    settings = {
+       ipv6_servers = true;
+    };
+  };
+  networking.nameservers = [ "127.0.0.1" ];
+}
+</syntaxhighlight>
-      # This undoes the above command
+== Proxy DNS with dnsmasq ==
-      postShutdown = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-      '';
-      # Path to the private key file.
+On the proxy server, use the following config
-      #
-      # Note: The private key can also be included inline via the privateKey option,
-      # but this makes the private key world-readable; thus, using privateKeyFile is
-      # recommended.
-      privateKeyFile = "path to private key file";
-      peers = [
+<syntaxhighlight lang="nix">
-        # List of allowed peers.
+{
-        {
+  networking.firewall = {
-          # Feel free to give a meaningful name
+    allowedTCPPorts = [ 53 ];
-          name = "Jane Doe";
+    allowedUDPPorts = [ 53 ];
-          # Public key of the peer (not a file path).
+  };
-          publicKey = "{client public key}";
+  services = {
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+    dnsmasq = {
-          allowedIPs = [ "10.100.0.2/32" ];
+      enable = true;
-        }
+      settings.interface = "wg0";
-        {
-          name = "John Doe";
-          publicKey = "{john doe's public key}";
-          allowedIPs = [ "10.100.0.3/32" ];
-        }
-      ];
      };
    };
-  ...
 }
 </syntaxhighlight>
-===Client setup===
+On the proxy client, configure DNS options.  For wg-quick, use the
+following
+<syntaxhighlight lang="nix">
+{
+  networking.wg-quick.interfaces.wg0.dns =
+  [ {internal v4 & v6 ip addr of server} ];
+}
+</syntaxhighlight>
+= AllowedIPs =
+"Allowed IPs" are IP addresses or ranges.  It is specified on a
+per-peer basis. All traffic to these addresses and ranges will be
+redirected to the peer.  Common forms of allowed IPs are the
+following.
+* 192.168.26.9/32, a single internal IPv4 address
+* 192.168.26.0/24, a subnet
+* fd31:bf08:57cb::9/128, a single internal IPv6 address
+* fd31:bf08:57cb::/60, a subnet
+* 0.0.0.0/0, entire IPv4 address space, for proxying
+* ::/0, entire IPv6 address space, for proxying
+Notice that, in specifiying its subnet mask, some configuration
+modules can automatically configure network routes.
+Allowed IPs are unique to each peer.  If there are peers with the same
+allowed IPs, network traffic will only be redirected to one of them.
+= WireGuard UDP Port =
+The default port is 51820.  Some literature recommends changing this
+port to circumvent intentional blocking of WireGuard traffic.
+= Generate keys =
+WireGuard works with public-private key pairs. Computers, called peers
+in WireGuard, are identified by their unique public keys.  Data is
+encrypted with the corresponding private key before transmission.
+Peers can only connect to a computer, if its public key is known to
+this computer.
+To generate a private key, and then derive the public key from it, you
+need the <code>wg</code> utility, available in
+<code>wireguard-tools</code> package.
+After installation, use the following commands to generate keys:
+<syntaxHighlight>
+$ umask 077
+$ wg genkey > privatekey
+$ wg pubkey < privatekey > publickey
+</syntaxHighlight>
+You need to generate a new key for each peer.  If you are setting up
+multiple WireGuard interfaces on the same computer, you can reuse the
+same key.
+Pay attention to the permission of the file.  File permission may
+cause the WireGuard service to fail.  Check system log to rule out
+this scenario.
+You can use ryamtm/agenix to declaratively store and manage the
+WireGuard key.
+= networking.wireguard =
+Note: does not automatically configure routes.  Use
+<code>wg-quick</code> instead.
+== Peer setup ==
 <syntaxhighlight lang="nix">
+{ config, ... }:
 {
-   ...
+   age.secrets.wg-key-peer0 = {
-  networking.firewall = {
+     file = "./secrets/wg-key-peer0.age";
-     allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
    };
-  # Enable WireGuard
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
-    wg0 = {
-      # Determines the IP address and subnet of the client's end of the tunnel interface.
-      ips = [ "10.100.0.2/24" ];
-      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-      # Path to the private key file.
+  networking.firewall.allowedUDPPorts = [ 51820 ];
-      #
-      # Note: The private key can also be included inline via the privateKey option,
-      # but this makes the private key world-readable; thus, using privateKeyFile is
-      # recommended.
-      privateKeyFile = "path to private key file";
-       peers = [
+  networking.wireguard = {
-         # For a client configuration, one peer entry for the server will suffice.
+    enable = true;
+    interfaces = {
+       # network interface name.
+      # You can name the interface arbitrarily.
+      wg0 = {
+         # the IP address and subnet of this peer
+        ips = [ "fd31:bf08:57cb::9/128" "192.168.26.9/32" ];
-         {
+         # WireGuard Port
-          # Public key of the server (not a file path).
+        # Must be accessible by peers
-          publicKey = "{server public key}";
+        listenPort = 51820;
-          # Forward all the traffic via VPN.
+        # Path to the private key file.
-          allowedIPs = [ "0.0.0.0/0" ];
+        #
-          # Or forward only particular subnets
+        # Note: can also be included inline via the privateKey option,
-          #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
+        # but this makes the private key world-readable;
+        # using privateKeyFile is recommended.
+        privateKeyFile = config.age.secrets.wg-key-laptop.path;
-           # Set this to the server IP and port.
+        peers = [
-          endpoint = "{server ip}:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+           {
+            name = "home nas";
-          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+            publicKey = "ejmbag/fcc9OLp8K62zfV0NCbp056DnA0qpNixLXwCo=";
-          persistentKeepalive = 25;
+            allowedIPs = [
-         }
+              "fd31:bf08:57cb::8/128"
-       ];
+              "192.168.26.8/32"
+            ];
+            endpoint = "192.168.1.56:51820";
+            #  ToDo: route to endpoint not automatically configured
+            # https://wiki.archlinux.org/index.php/WireGuard#Loop_routing
+            # https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+            # persistentKeepalive = 25;
+          }
+         ];
+       };
      };
-  };
-  ...
 }
+# it’s not imperative but it does not know how to do it :
+# sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1
+# the ip adresse 11: external and 192: local.
 </syntaxhighlight>
-Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.
+== Proxy server setup ==
-===== Configuration example =====
+Same as peer setup, skip the endpoint option, with the following
-<syntaxhighlight lang="nixos">
+addition, Remember to update the internal IP addresses in the script:
-# Enable WireGuard
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces = {
-     #"wg0" is the network interface name. You can name the interface arbitrarily.
-     wgl0 = {
-      # Determines the IP address and subnet of the client's end of the tunnel interface.
-      ips = [ "192.168.27.88/32" ];
-      listenPort = 1235; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-      mtu = 1360;
-      # Path to the private key file.
-      # Note: The private key can also be included inline via the privateKey option,
-      # but this makes the private key world-readable; thus, using privateKeyFile is
-      # recommended.
-      privateKeyFile = "/etc/nixos/workmachine/orbitingstar/wireguard_privatekey.key";
-      peers = [
-        # For a client configuration, one peer entry for the server will suffice.
-      {
-          # Public key of the server (not a file path).
-          publicKey = "Iaaaaa5sUWc756dceJa8SL21X0TXpVFPPGdpNHaaaa=";
-          # Forward all the traffic via VPN.
-          allowedIPs = [ "192.168.27.64/27" "192.168.2.0/24" ];
-          # Or forward only particular subnets
-          #allowedIPs = [ "10.100.0.1" "11.111.11.0/22" ];
-          # Set this to the server IP and port.
-          name = "peer1";
-          endpoint = "11.61.111.211:12343";  #  ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
-          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
-          persistentKeepalive = 25;
-        }
-      ];
-    }; # it’s not imperative but it does not know how to do it : sudo ip route add 11.111.11.111 via 192.168.1.11 dev wlo1 the ip adresse 11: external and 192: local.
-  };
-</syntaxhighlight>
+<syntaxhighlight lang="nix">
-==Setting up WireGuard server/client with wg-quick and dnsmasq==
-===Server setup===
-DNS requires opening TCP/UDP port 53.
-<syntaxHighlight lang="nix">
 {
-  ...
+   # enable NAT
-   # Enable NAT
    networking.nat = {
      enable = true;
      enableIPv6 = true;
-     externalInterface = "eth0";
+     externalInterface = "ens6";
      internalInterfaces = [ "wg0" ];
    };
-  # Open ports in the firewall
-  networking.firewall = {
-    allowedTCPPorts = [ 53 ];
-    allowedUDPPorts = [ 53 51820 ];
-  };
-  ...
-}
-</syntaxHighlight>
-The wg-quick setup is similar to the previous setup.
-<syntaxHighlight lang="nix">
-{
-  ...
-  networking.wg-quick.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
-    wg0 = {
-      # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
-      address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
-      # The port that WireGuard listens to - recommended that this be changed from default
-      listenPort = 51820;
-      # Path to the server's private key
-      privateKeyFile = "/root/wireguard-keys/privatekey";
+  networking.wireguard.interfaces.wg0 = {
        # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
-       postUp = ''
+       postSetup = ''
          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
@@ Line 220: / Line 234: @@
        # Undo the above
-       preDown = ''
+       postShutdown = ''
          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
@@ Line 226: / Line 240: @@
          ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
        '';
-      peers = [
-        { # peer0
-          publicKey = "{client public key}";
-          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
-          allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
-        }
-        # More peers can be added here.
-      ];
-    };
    };
-  ...
 }
-</syntaxHighlight>
+</syntaxhighlight>
+== Proxy client setup ==
+Same as peer setup, specify proxy server ip or domain in the endpoint
+option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
+= wg-quick =
+== Peer setup ==
-To enable dnsmasq and only serve DNS requests to the WireGuard interface add the following:
 <syntaxhighlight lang="nix">
 {
-   ...
+   networking.wg-quick.interfaces = {
-  services = {
+    wg0 = {
-    ...
+      address = [
-    dnsmasq = {
+        "fd31:bf08:57cb::9/128"
-       enable = true;
+        "192.168.26.9/32"
-       settings.interface = "wg0";
+      ];
+      # use dnscrypt, or proxy dns as described above
+      dns = [ "127.0.0.1" ];
+       privateKeyFile = config.age.secrets.wg-key-laptop.path;
+       peers = [
+        {
+          # bt wg conf
+          publicKey = "ejmbag/fcc9OLp8K62zfV0NCbp056DnA0qpNixLXwCo=";
+          allowedIPs = [
+            "fd31:bf08:57cb::8/128"
+            "192.168.26.8/32"
+          ];
+          endpoint = "192.168.1.56:51820";
+        }
+      ];
      };
-    ...
    };
-  ...
 }
 </syntaxhighlight>
-===Client setup===
+== Proxy server setup ==
-The client will now point DNS to the server.
-<syntaxHighlight lang="nix">
+Same as peer setup, skip the endpoint option, with the following
+addition:
+<syntaxhighlight lang="nix">
 {
-  ...
    networking.wg-quick.interfaces = {
      wg0 = {
-       address = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64" ];
+       # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
-      dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ];
+      postUp = ''
-       privateKeyFile = "/root/wireguard-keys/privatekey";
+        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
-       peers = [
+        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
-         {
+        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
-          publicKey = "{server public key}";
+       '';
-          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
-          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+       # Undo the above
-          endpoint = "{server ip}:51820";
+       preDown = ''
-          persistentKeepalive = 25;
+         ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-         }
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
-       ];
+        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+         ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
+       '';
      };
    };
-  ...
 }
-</syntaxHighlight>
+</syntaxhighlight>
+== Proxy client setup ==
+Same as peer setup, specify proxy server ip or domain in the endpoint
+option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
+Optionally, configure proxy server as DNS server as described above.
+== Manually start and stop wg-quick ==
-===Client setup (non-declaratively)===
 The above steps will set up a <tt>wg-quick-wg0.service</tt> systemd unit.
@@ Line 299: / Line 332: @@
 </syntaxHighlight>
-If you have WireGuard configuration files that you want to use as-is (similarly how you would [https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure WireGuard e.g. in Debian], without converting them to a declarative NixOS configuration, you can also configure <code>wg-quick</code> to use them. For example, if you have a configuration file <code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to your <code>configuration.nix</code>:
+== Reuse existing wg-quick config file ==
+If you have WireGuard configuration files that you want to use as-is
+(similarly how you would
+[https://wiki.debian.org/WireGuard#Step_2_-_Configuration configure
+WireGuard e.g. in Debian], without converting them to a declarative
+NixOS configuration, you can also configure <code>wg-quick</code> to
+use them. For example, if you have a configuration file
+<code>/etc/nixos/wireguard/wg0.conf</code>, add the following line to
+your <code>configuration.nix</code>:
 <syntaxHighlight lang="nix">
@@ Line 307: / Line 349: @@
 This will set up a <code>wg-quick-wg0.service</code> systemd unit.
-==Setting up WireGuard with systemd-networkd==
+= systemd.network =
-===Server setup===
+== Peer setup ==
 <syntaxhighlight lang="nix">
 {
-  config,
+   networking.firewall.allowedUDPPorts = [ 51820 ];
-  pkgs,
+   networking.useNetworkd = true;
-  lib,
-  ...
-}: {
-   networking.firewall.allowedUDPPorts = [51820];
-   networking.useNetworkd = true;
    systemd.network = {
      enable = true;
-     netdevs = {
+     networks."50-wg0" = {
-      "50-wg0" = {
+      matchConfig.Name = "wg0";
-        netdevConfig = {
+      address = [
-          Kind = "wireguard";
+         # /32 and /128 specifies a single address
-          Name = "wg0";
+         # for use on this wg peer machine
-          MTUBytes = "1300";
+        "fd31:bf08:57cb::7/128"
-         };
+        "192.168.26.7/32"
-         wireguardConfig = {
+      ];
-          PrivateKeyFile = "/run/keys/wireguard-privkey";
+    };
-          ListenPort = 51820;
+    netdevs."50-wg0" = {
-          RouteTable = "main"; # wg-quick creates routing entries automatically but we must use use this option in systemd.
+      netdevConfig = {
-        };
+        Kind = "wireguard";
-        wireguardPeers = [
+        Name = "wg0";
-          {
-            PublicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc=";
-            AllowedIPs = ["10.100.0.2"];
-          }
-        ];
        };
-    };
+      wireguardConfig = {
-    networks.wg0 = {
+        ListenPort = 51820;
-      matchConfig.Name = "wg0";
+        # routing table identifier for addresses in AllowedIP
-      address = ["10.100.0.1/24"];
+        # if empty, no route is configured.
-      networkConfig = {
+        # see systemd netdev man page
-         IPMasquerade = "ipv4";
+         RouteTable = "main";
-         IPv4Forwarding = true; # if using IPv4
+         PrivateKeyFile = config.age.secrets.wg-key-vps.path;
-        IPv6Forwarding = false; # if using IPv6, but above we don't use IPv6
        };
+      wireguardPeers = [
+        {
+          # laptop wg conf
+          PublicKey = "ronr+8v670J0CPb0xT5QLGMWDfE7+1g7HmC6YMdCIDk=";
+          AllowedIPs = [
+            "fd31:bf08:57cb::9/128"
+            "192.168.26.9/32"
+          ];
+          Endpoint = "192.168.1.26:51820";
+        }
+      ];
      };
    };
 }
 </syntaxhighlight>
-===Client setup===
+== Proxy server setup ==
+Same as peer setup, skip the endpoint option, with the following
+addition:
 <syntaxhighlight lang="nix">
 {
-   config,
+   networking.nat = {
-  pkgs,
+    enable = true;
-  lib,
+    enableIPv6 = true;
-  ...
+    externalInterface = "ens6";
-}: {
+    internalInterfaces = [ "wg0" ];
-  boot.kernelModules = [ "wireguard" ];
+  };
    systemd.network = {
      enable = true;
-     netdevs = {
+     networks."50-wg0" = {
-      "10-wg0" = {
-        netdevConfig = {
-          Kind = "wireguard";
-          Name = "wg0";
-          MTUBytes = "1300";
-        };
-        # See also man systemd.netdev (also contains info on the permissions of the key files)
-        wireguardConfig = {
-          # Don't use a file from the Nix store as these are world readable. Must be readable by the systemd-network user
-          PrivateKeyFile = "/run/keys/wireguard-privkey";
-          ListenPort = 9918;
-        };
-        wireguardPeers = [
-          # configuration since nixos-unstable/nixos-24.11
-          {
-            PublicKey = "OhApdFoOYnKesRVpnYRqwk3pdM247j8PPVH5K7aIKX0=";
-            AllowedIPs = ["fc00::1/64" "10.100.0.1"];
-            Endpoint = "{set this to the server ip}:51820";
-          }
-        ];
-      };
-    };
-    networks.wg0 = {
-      # See also man systemd.network
-      matchConfig.Name = "wg0";
-      # IP addresses the client interface will have
-      address = [
-        "fe80::3/64"
-        "fc00::3/120"
-        "10.100.0.2/24"
-      ];
-      DHCP = "no";
-      dns = ["fc00::53"];
-      ntp = ["fc00::123"];
-      gateway = [
-        "fc00::1"
-        "10.100.0.1"
-      ];
        networkConfig = {
-         IPv6AcceptRA = false;
+         IPv4Forwarding = true;
+        IPv6Forwarding = true;
        };
      };
    };
 }
+</syntaxhighlight>
-</syntaxhighlight>
+== Proxy client setup ==
+Same as peer setup, specify proxy server ip or domain in the endpoint
+option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
+Optionally, configure proxy server as DNS server as described above.
+Note, systemd.network client seems to have issues.  Use wg-quick
+client instead.
+= NetworkManager Proxy client setup =
-==Setting up WireGuard with NetworkManager==
 This is probably only useful on clients. Functionality is present in NetworkManager since version 1.20 but network-manager-applet can show and control wireguard connections since version 1.22 only (available since NixOS 21.05).
@@ Line 468: / Line 488: @@
 {{Commands|nmcli connection import type wireguard file thefile.conf}}
-The new VPN connection should be available, you still have to click on it to activate it.
+The new VPN connection should be available, you still have to click on
+it to activate it.
 =Troubleshooting=

WireGuard: Difference between revisions