WireGuard: Difference between revisions
Revision by imported>Pancho (m): Fix capitalization of WireGuard.
Revision by imported>Symphorien: instructions for network manager (and disabling rpfilter)

Line 290:
};
</syntaxHighlight>
==Setting up WireGuard with NetworkManager==

This is mainly useful on clients. NetworkManager has supported WireGuard since version 1.20, but network-manager-applet can only show and control WireGuard connections since version 1.22 (available since NixOS 21.05).

If you intend to route all your traffic through the WireGuard tunnel (<code>AllowedIPs = 0.0.0.0/0, ::/0</code>), the default configuration of the NixOS firewall will drop the tunnel's own encrypted UDP packets because of the reverse-path filter (rpfilter): once the tunnel holds the default route, the kernel's reverse-path lookup for the peer's public address points at the WireGuard interface, while the packets actually arrive on the physical uplink, so the strict check fails. You can either disable rpfilter altogether:
<syntaxHighlight lang="nix">
{ config, pkgs, lib, ... }:{
  # "loose" (source only has to be reachable via *some* interface) should also work,
  # but was untested when this was written; false disables the check completely.
  networking.firewall.checkReversePath = false;
}
</syntaxHighlight>
or you can keep rpfilter enabled and exempt only WireGuard traffic from it (replace 51820 by the port of your WireGuard endpoint; the <code>--dport</code> rule is only needed if your own <code>ListenPort</code> is also 51820). This applies to the default iptables-based firewall, which places the <code>nixos-fw-rpfilter</code> chain in the <code>raw</code> table; <code>ip46tables</code> is the NixOS helper that runs the same command for both IPv4 and IPv6. Matching on the port alone is a coarser exemption than necessary: adding <code>-s &lt;endpoint address&gt;</code> to the rules ties it to the actual peer.
<syntaxHighlight lang="nix">
{ config, pkgs, lib, ... }:{
  networking.firewall = {
    # log what rpfilter drops, so a misconfiguration is visible in the journal
    logReversePathDrops = true;
    # WireGuard trips rpfilter up: let its UDP packets bypass the check
    extraCommands = ''
      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
      ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
    '';
    # remove the rules again when the firewall stops; "|| true" tolerates their absence
    extraStopCommands = ''
      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
      ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
    '';
  };
}
</syntaxHighlight>
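The port-only rules above exempt every UDP packet to or from port 51820 from the reverse-path check, whoever sent it. The following script is an added example (not from the NixOS wiki or the WireGuard project) that derives narrower rules from a wg-quick configuration: it reads each <code>Endpoint</code> and emits a <code>RETURN</code> rule matching both the peer's address and port, plus a <code>--dport</code> rule only if a <code>ListenPort</code> is configured, and the matching <code>-D</code> rules for <code>extraStopCommands</code>. The <code>ip46tables</code> helper and the <code>nixos-fw-rpfilter</code> chain are the ones named on this page; the sample configuration is constructed inline with placeholder keys.

```shell
#!/bin/sh
# Added example, not from the NixOS wiki or the WireGuard project.
# Generates rpfilter exemption rules tied to the configured endpoint
# address, not only to the UDP port.

# Print "host port" for every Endpoint= line in a wg-quick config
# (handles "host:port" and "[v6-literal]:port", ignores trailing comments).
wg_endpoints() {
  sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*#.*$//' |
    while IFS= read -r ep; do
      host=${ep%:*}; port=${ep##*:}
      host=${host#\[}; host=${host%\]}
      printf '%s %s\n' "$host" "$port"
    done
}

# Print the ListenPort= value, if any; only then is a --dport rule useful.
wg_listen_port() {
  sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*#.*$//'
}

# Rules for networking.firewall.extraCommands: RETURN from nixos-fw-rpfilter
# only for UDP coming from the peer's address and port. IPv6 endpoints need
# ip6tables, IPv4 endpoints iptables (ip46tables would fail on a v4-only -s).
rpfilter_rules() {
  wg_endpoints "$1" | while read -r host port; do
    case $host in
      *:*) tbl=ip6tables ;;
      *)   tbl=iptables ;;
    esac
    printf '%s -t raw -I nixos-fw-rpfilter -s %s -p udp -m udp --sport %s -j RETURN\n' \
      "$tbl" "$host" "$port"
  done
  lp=$(wg_listen_port "$1")
  [ -n "$lp" ] && printf 'ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport %s -j RETURN\n' "$lp"
  return 0
}

# Matching rules for extraStopCommands: -I becomes -D, tolerant of absence.
rpfilter_stop_rules() {
  rpfilter_rules "$1" | sed 's/ -I / -D /; s/$/ || true/'
}

# Constructed sample config with placeholder keys (same shape as the wg-quick
# file shown on this page; no ListenPort, as is typical for a client).
WG_SAMPLE_CONF=$(mktemp)
cat >"$WG_SAMPLE_CONF" <<'EOF'
[Interface]
Address = 10.0.0.3/24, fd4:8e3:226:2e0::3/64
PrivateKey = 0000000000000000000000000000000000000000000=
[Peer]
PublicKey = 1111111111111111111111111111111111111111111=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:51820   # ip and port of the peer
EOF

echo "# extraCommands"
rpfilter_rules "$WG_SAMPLE_CONF"
echo "# extraStopCommands"
rpfilter_stop_rules "$WG_SAMPLE_CONF"
```

Paste the printed lines into <code>extraCommands</code> and <code>extraStopCommands</code> respectively. With <code>logReversePathDrops = true</code> you can confirm the exemption is sufficient by checking that no "rpfilter drop" messages for the endpoint appear in the journal once the tunnel is up.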
Adding a WireGuard connection to NetworkManager is not straightforward to do entirely in the GUI; it is simpler to reuse a configuration file in wg-quick format and import it. For example (the keys below are placeholders; generate real ones with <code>wg genkey</code> and <code>wg pubkey</code>):
<pre>
[Interface]
# your own IP on the wireguard network
Address = 10.0.0.3/24, fd4:8e3:226:2e0::3/64
Table = auto
# placeholder: replace with the output of `wg genkey`
PrivateKey = 0000000000000000000000000000000000000000000=
[Peer]
# placeholder: the peer's public key (`wg pubkey` on the peer)
PublicKey = 1111111111111111111111111111111111111111111=
# restrict this to the wireguard subnet (e.g. 10.0.0.0/24, fd4:8e3:226:2e0::/64)
# if you don't want to route everything through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
# ip and port of the peer
Endpoint = 1.2.3.4:51820
</pre>
Since the file contains the private key, keep it readable only by root (mode 600). Then run
{{Commands|nmcli connection import type wireguard file thefile.conf}}
The new VPN connection, named after the file (here <code>thefile</code>), should now be available; it is not activated automatically, so click on it in the applet or run <code>nmcli connection up thefile</code>.