WireGuard: Difference between revisions

Line 1:

=Setting up ~~Wireguard~~=

=Setting up WireGuard=

==Generate keypair==

Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has ~~Wireguard~~ installed using the <code>wg</code> utility. If ~~Wireguard~~ isn't installed yet, it can be made available by adding <code>wireguard</code> to <code>environment.systemPackages</code> or by running <code>nix-env -iA wireguard</code>.

Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has WireGuard installed using the <code>wg</code> utility. If WireGuard isn't installed yet, it can be made available by adding <code>wireguard</code> to <code>environment.systemPackages</code> or by running <code>nix-env -iA wireguard</code>.

Creating a keypair is simple:

Line 15:

===Server setup===

Enable ~~Wireguard~~ on the server via <tt>/etc/nixos/configuration.nix</tt>:

Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:

{

Line 34:

ips = [ "10.100.0.1/24" ];

# The port that ~~Wireguard~~ listens to. Must be accessible by the client.

# The port that WireGuard listens to. Must be accessible by the client.

listenPort = 51820;

Line 81:

allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport

};

# Enable ~~Wireguard~~

# Enable WireGuard

networking.wireguard.interfaces = {

# "wg0" is the network interface name. You can name the interface arbitrarily.

Line 123:

Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.

==Setting up ~~Wireguard~~ server/client with wg-quick and dnsmasq==

==Setting up WireGuard server/client with wg-quick and dnsmasq==

===Server setup===

DNS requires opening TCP/UDP port 53.

Line 153:

# Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface

address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];

# The port that ~~Wireguard~~ listens to - recommended that this be changed from default

# The port that WireGuard listens to - recommended that this be changed from default

listenPort = 51820;

# Path to the server's private key

Line 188:

</syntaxHighlight>

To enable dnsmasq and only serve DNS requests to the ~~Wireguard~~ interface add the following:

To enable dnsmasq and only serve DNS requests to the WireGuard interface add the following:

{

Line 232:

</syntaxHighlight>

==Setting up ~~Wireguard~~ with systemd-networkd==

==Setting up WireGuard with systemd-networkd==

Please note, that networkd support in NixOS is still [https://search.nixos.org/options/?query=usenetworkd experimental].

Line 293:

=See also=

* [https://www.wireguard.com/ ~~Wireguard~~ homepage]

* [https://www.wireguard.com/ WireGuard homepage]

* [https://wiki.archlinux.org/index.php/WireGuard Arch Wiki] has an exhaustive guide, including troubleshooting tips

* [https://search.nixos.org/options/?query=wireguard List of ~~Wireguard~~ options supported by NixOS]

* [https://search.nixos.org/options/?query=wireguard List of WireGuard options supported by NixOS]

* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his ~~Wireguard~~ setup]

* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]

* [https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ ~~Wireguard~~ Troubleshooting] shows how to enable debug logs

* [https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting] shows how to enable debug logs

[[Category:Configuration]]

@@ Line 1: / Line 1: @@
-=Setting up Wireguard=
+=Setting up WireGuard=
 ==Generate keypair==
-Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has Wireguard installed using the <code>wg</code> utility. If Wireguard isn't installed yet, it can be made available by adding <code>wireguard</code> to <code>environment.systemPackages</code> or by running <code>nix-env -iA wireguard</code>.
+Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has WireGuard installed using the <code>wg</code> utility. If WireGuard isn't installed yet, it can be made available by adding <code>wireguard</code> to <code>environment.systemPackages</code> or by running <code>nix-env -iA wireguard</code>.
 Creating a keypair is simple:
@@ Line 15: / Line 15: @@
 ===Server setup===
-Enable Wireguard on the server via <tt>/etc/nixos/configuration.nix</tt>:
+Enable WireGuard on the server via <tt>/etc/nixos/configuration.nix</tt>:
 <syntaxHighlight lang="nix">
 {
@@ Line 34: / Line 34: @@
        ips = [ "10.100.0.1/24" ];
-       # The port that Wireguard listens to. Must be accessible by the client.
+       # The port that WireGuard listens to. Must be accessible by the client.
        listenPort = 51820;
@@ Line 81: / Line 81: @@
      allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
    };
-   # Enable Wireguard
+   # Enable WireGuard
    networking.wireguard.interfaces = {
      # "wg0" is the network interface name. You can name the interface arbitrarily.
@@ Line 123: / Line 123: @@
 Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}.
-==Setting up Wireguard server/client with wg-quick and dnsmasq==
+==Setting up WireGuard server/client with wg-quick and dnsmasq==
 ===Server setup===
 DNS requires opening TCP/UDP port 53.
@@ Line 153: / Line 153: @@
        # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
        address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
-       # The port that Wireguard listens to - recommended that this be changed from default
+       # The port that WireGuard listens to - recommended that this be changed from default
        listenPort = 51820;
        # Path to the server's private key
@@ Line 188: / Line 188: @@
 </syntaxHighlight>
-To enable dnsmasq and only serve DNS requests to the Wireguard interface add the following:
+To enable dnsmasq and only serve DNS requests to the WireGuard interface add the following:
 <syntaxHighlight lang="nix">
 {
@@ Line 232: / Line 232: @@
 </syntaxHighlight>
-==Setting up Wireguard with systemd-networkd==
+==Setting up WireGuard with systemd-networkd==
 Please note, that networkd support in NixOS is still [https://search.nixos.org/options/?query=usenetworkd experimental].
@@ Line 293: / Line 293: @@
 =See also=
-* [https://www.wireguard.com/ Wireguard homepage]
+* [https://www.wireguard.com/ WireGuard homepage]
 * [https://wiki.archlinux.org/index.php/WireGuard Arch Wiki] has an exhaustive guide, including troubleshooting tips
-* [https://search.nixos.org/options/?query=wireguard List of Wireguard options supported by NixOS]
+* [https://search.nixos.org/options/?query=wireguard List of WireGuard options supported by NixOS]
-* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his Wireguard setup]
+* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
-* [https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ Wireguard Troubleshooting] shows how to enable debug logs
+* [https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting] shows how to enable debug logs
 [[Category:Configuration]]