WireGuard: Difference between revisions

Tie-ling (talk | contribs)
add heading for dns
Tie-ling (talk | contribs)
finally fixed systemd network ipv6 client config
Line 11: Line 11:
Depending on how your computer is configured, you need to refer to the
Depending on how your computer is configured, you need to refer to the
relevant section for setting up WireGuard.
relevant section for setting up WireGuard.
Different modules have different capabilities.  systemd.network support routing
traffic on a per user basis.  For example, you can route all torrenting traffic
through a wireguard tunnel, see below.


= Use cases =
= Use cases =
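Review bot: the added sentence claims systemd.network supports routing "on a per user basis", but nothing in this revision configures routing by user; the systemd.network example further down selects traffic by firewall mark (FirewallMark = 42 with InvertRule) and applies to every process, so "see below" points at nothing that backs the claim. Either add a routing policy rule that actually matches on user id, or reword to what the example shows (routing all traffic except the endpoint through the tunnel). Also "systemd.network support routing" should read "supports routing", and "wireguard" should be "WireGuard" as elsewhere on the page.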
Line 29: Line 33:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
{
{
   services.dnscrypt-proxy2 = {
  # knot dns resolver
    enable = true;
   services.kresd.enable = true;
    upstreamDefaults = true;
 
    settings = {
  # disable built-in dns
      ipv6_servers = true;
  services.resolved.enable = false;
     };
 
  environment.etc."resolv.conf" = {
    mode = "0644";
     text = "nameserver ::1";
   };
   };
  networking.nameservers = [ "127.0.0.1" ];
}
}
</syntaxhighlight>
</syntaxhighlight>
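Review bot: the two resolver settings in the new block disagree: environment.etc."resolv.conf" writes `nameserver ::1` while `networking.nameservers = [ "127.0.0.1" ];` names the IPv4 loopback. On NixOS, defining environment.etc."resolv.conf" yourself disables the resolvconf management that would otherwise write networking.nameservers into that file, so the 127.0.0.1 entry is most likely inert; keep one mechanism and one address, and make sure kresd listens on whichever address is kept. Also worth documenting in the text: the dnscrypt-proxy2 block being removed encrypted upstream queries (and forced `ipv6_servers = true`), whereas the kresd block as shown enables a plain recursive resolver with no upstream or TLS forwarding configured, so the change silently drops DNS encryption unless the reader adds it.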
Line 95: Line 101:
The default port is 51820.  Some literature recommends changing this
The default port is 51820.  Some literature recommends changing this
port to circumvent blocking of WireGuard traffic.
port to circumvent blocking of WireGuard traffic.
WireGuard will choose a random port, if this option is not set.


= Generate keys =
= Generate keys =
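Review bot: the added sentence about a random port needs a qualifier: a random port only suits a peer that initiates connections (a client behind NAT). A peer that must accept incoming connections needs a fixed ListenPort, because the firewall rule on this page opens exactly one port (`networking.firewall.allowedUDPPorts = [ 51820 ];`) and the other peers' `Endpoint =` entries hard-code that port; a randomly chosen port would be both blocked and unreachable. Also move the comma: "WireGuard will choose a random port if this option is not set."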
Line 139: Line 147:
= networking.wireguard =
= networking.wireguard =


Note: does not automatically configure routes.  Use
Note: does not automatically configure routes, see comments.
<code>wg-quick</code> instead.


== Peer setup ==
== Peer setup ==
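Review bot: "see comments" replaces a concrete instruction with a vague pointer; say which comments are meant (the RouteTable comments in the systemd.network section below, presumably) or keep the wg-quick sentence next to it. The removed wording also told the reader why the missing automatic routes matter and what to use instead; the new wording leaves no recommendation.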
Line 346: Line 353:


= systemd.network =
= systemd.network =
Credit: this section is adapted from ArchWiki.


== Peer setup ==
== Peer setup ==
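Review bot: the attribution should name the source page, not only the site; link the ArchWiki article and section this was adapted from so readers can check the original and its licence terms.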
Line 352: Line 361:
{
{
   networking.firewall.allowedUDPPorts = [ 51820 ];
   networking.firewall.allowedUDPPorts = [ 51820 ];
   networking.useNetworkd = true;
   networking.useNetworkd = true;
   systemd.network = {
   systemd.network = {
     enable = true;
     enable = true;
     networks."50-wg0" = {
     networks."50-wg0" = {
       matchConfig.Name = "wg0";
       matchConfig.Name = "wg0";
       address = [
       address = [
         # /32 and /128 specifies a single address
         # /32 and /128 specifies a single address
Line 364: Line 377:
       ];
       ];
     };
     };
     netdevs."50-wg0" = {
     netdevs."50-wg0" = {
       netdevConfig = {
       netdevConfig = {
Line 369: Line 383:
         Name = "wg0";
         Name = "wg0";
       };
       };
       wireguardConfig = {
       wireguardConfig = {
         ListenPort = 51820;
         ListenPort = 51820;
         # routing table identifier for addresses in AllowedIP
 
        # if empty, no route is configured.
         # To automatically create routes for everything in AllowedIPs,
         # see systemd netdev man page
         # add RouteTable=main
         RouteTable = "main";
         RouteTable = "main";
         PrivateKeyFile = config.age.secrets.wg-key-vps.path;
         PrivateKeyFile = config.age.secrets.wg-key-vps.path;
       };
       };
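Review bot: the rewritten comment reads as an instruction ("add RouteTable=main") on a line that already sets `RouteTable = "main";`; describe what the line does instead, for example: RouteTable = "main" makes systemd-networkd add a route for every AllowedIPs prefix to the main table, and without it no routes are created. The old comment's warning that no route is configured when this is unset was the useful part and is now lost. It is also worth stating here that a RouteTable set on an entry in wireguardPeers overrides this value for that peer (the next hunk says so in a peer comment), so a reader who later copies the peer-level `RouteTable = 1000` should know this line stops applying.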
Line 386: Line 402:
           ];
           ];
           Endpoint = "192.168.1.26:51820";
           Endpoint = "192.168.1.26:51820";
          # RouteTable can also be set in wireguardPeers
          # RouteTable in wireguardConfig will then be ignored.
          # RouteTable = 1000;
          # FirewallMark marks all packets send and received by wg0
          # with the number 42, which can be used to define policy rules on these packets.
          FirewallMark = 42;
         }
         }
       ];
       ];
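Review bot: `FirewallMark = 42;` is placed inside a wireguardPeers entry, but FirewallMark= is an option of the netdev [WireGuard] section, not of [WireGuardPeer]; the NixOS module checks the keys allowed in a peer entry, so this will fail evaluation, and the mark is per interface anyway, as the comment itself says ("all packets send and received by wg0"). Move it next to ListenPort and RouteTable in wireguardConfig. Also "packets send" should be "packets sent", and the commented-out `# RouteTable = 1000;` together with the `RouteTable = "main";` in wireguardConfig leaves unclear which one this example intends; say so in the comment.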
Line 424: Line 448:
== Proxy client setup ==
== Proxy client setup ==


Same as peer setup, specify proxy server ip or domain in the endpoint
Same as peer setup, with the following addition:
option.  Use <code>[ "0.0.0.0/0" "::/0" ]</code> as allowed IPs.
 
=== Disable rpfilter ===
 
<syntaxhighlight lang="nix">
# NixOS firewall will block wg traffic because of rpfilter
networking.firewall.checkReversePath = "loose";
</syntaxhighlight>
 
=== Route DNS over wg0 ===
 
This applies to systemd-resolved:
<syntaxhighlight lang="nix">
  systemd.network = {
    networks."50-wg0" = {
      # only works with systemd-resolved
      domains = [ "~." ];
      dns = [ "192.168.26.9" ];
      DNSDefaultRoute = true;
    };
  };
</syntaxhighlight>
Note: Routing all DNS over WireGuard (i.e. Domains=~.) will prevent the DNS resolution of endpoints. Unless the peer domain is configured to be resolved on a specific network link.
 
To use a peer as a DNS server, specify its WireGuard tunnel's IP address(es) in the .network file using the DNS= option. For search domains use the Domains= option.
 
To use a peer as the only DNS server set DNSDefaultRoute=true and Domains=~. in the [Network] section of .network file's.
 
=== Route all traffic over wg0, except endpoint ===
<syntaxhighlight lang="nix">
  systemd.network = {
    netdevs."50-wg0" = {
      wireguardPeers = [
        {
          AllowedIPs = [
            # proxy all traffic
            "::/0"
            "0.0.0.0/0"
          ];
          # can't use domain
          # Routing all DNS over WireGuard (i.e. Domains=~.) will prevent the DNS resolution of endpoints.
          Endpoint = "[2a01::1]:51820";
 
          # RouteTable line specifies that a new routing table with id 1000 is created
          # for the wireguard interface, and no rules are set on the main routing table.
          RouteTable = 1000;
 
          # FirewallMark simply marks all packets send and received by this wireguard
          # interface with the number 42, which can be used to define policy rules on these packets.
          FirewallMark = 42;
        }
      ];
    };
    networks."50-wg0" = {
      routingPolicyRules = [
        # rule 1: redirect traffic
        {
          # apply rule to both v4 and v6
          Family = "both";
 
          # For all packets *not* marked with 42 (i.e. all non-wireguard/normal traffic),
          InvertRule = true;
          FirewallMark = 42;
 
          # we specify that the routing table 1000 must be used
          # (which is the wireguard routing table). This rule routes all traffic through wireguard.
          Table = 1000;
 
          # this routing policy rule has a lower priority (10) than
          # endpoint exclusion rule (5).
          Priority = 10;
        }
 


Optionally, configure proxy server as DNS server as described above.
        # rule 2: exclude endpoint ip
        {
          # Use a routing policy rule to exclude the endpoint IP address,
          # so that wireguard can still connect to it.
          # it has a higher priority (5) than (10).


Note, systemd.network client seems to have issues wit routing. Use wg-quick
          # We exempt our endpoint with a higher priority by routing it
client instead.
          # through the main table (Table=main is default).  
          Family = "both";
          To = "2a01::1/128";
          Priority = 5;
        }
      ];
    };
  };
</syntaxhighlight>


= NetworkManager Proxy client setup =
= NetworkManager Proxy client setup =
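Review bot: same problem as in the peer setup: `FirewallMark = 42;` sits in the wireguardPeers entry, but the mark is an interface-level [WireGuard] option and is not accepted in a peer entry by the NixOS module, so the whole configuration fails to evaluate; move it to wireguardConfig, since rule 1 (InvertRule = true with FirewallMark = 42) depends on the tunnel's own encapsulated packets carrying that mark. Second, the two rules send every unmarked packet to table 1000, including traffic for the local LAN and other directly connected networks, because nothing consults the main table for them; the usual companion rule (what wg-quick installs) is a lookup of the main table with SuppressPrefixLength = 0, evaluated before rule 1 (a priority number below 10), so that only the main table's default route is suppressed. Third, the exclusion rule only covers the IPv6 literal `To = "2a01::1/128";`; state explicitly that it must be updated whenever Endpoint changes and that an IPv4 endpoint needs the matching /32. The `networking.firewall.checkReversePath = "loose";` setting is the right relaxation here (strict rp_filter would drop replies because the reverse route for unmarked traffic is via wg0); keep it rather than disabling the check. Finally, the removed sentence "Optionally, configure proxy server as DNS server as described above" was a useful pointer to the DNS section and could stay.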