WireGuard: Difference between revisions

Tie-ling (talk | contribs)
systemd.network permissions
Tie-ling (talk | contribs)
fix grammar
Line 2: Line 2:
= Configuration Modules =
= Configuration Modules =


In NixOS, there are several configuration modules for WireGuard.
WireGuard-related NixOS options exist for the following networking modules:
Depending on how your network is currently managed, refer to the
relevant section for details.
 
They have different options and capabilities.  For example,
<code>systemd.network</code> allows you to redirect network traffic
based on the user, such as redirecting torrenting traffic, with
RoutingPolicyRule option.  See ArchWiki for further details.


* NetworkManager
* NetworkManager
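Review bot: the new paragraph sends the reader to "ArchWiki" for RoutingPolicyRule without a link or page title, and names the option only by its systemd.network(5) section name; give the NixOS option path as well (the `routingPolicyRules` list under `systemd.network.networks.<name>`) and link the ArchWiki page so the sentence is actionable. "Redirect network traffic based on the user" would also be clearer as "route traffic by the owning user's UID", since that is what the rule matches on, not the application.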
Line 15: Line 8:
* networking.wireguard
* networking.wireguard
* systemd.network
* systemd.network
Depending on how your computer is configured, you need to refer to the
relevant section for setting up WireGuard.


= Use cases =
= Use cases =
This page describes how to set up WireGuard for two use cases.


The first use case is Virtual Private Network, which makes several peers
The first use case is Virtual Private Network, which makes several peers
available on a private subnet.  This is the basis for further
available on the same private subnet.  This is the basis for the proxy
configuration.
configuration below.


The second use case is Internet proxy,  which allows you to access the
The second use case is Internet proxy,  which allows you to access the
Internet via another peer. This use case depends on the first use
Internet via another peer.
case working correctly.
 
== Network address translation ==
 
NAT maps the internal private IP address of the VPN to the public IP
address of another peer.  For all proxying setups, enable the
following configuration
 
<syntaxhighlight lang="nix">
{
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    externalInterface = "ens6";
    internalInterfaces = [ "wg0" ];
  };
}
</syntaxhighlight>


== External DNS with dnscrypt ==
== External DNS with dnscrypt ==
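Review bot: the added NAT snippet hard-codes `externalInterface = "ens6"` and the lead-in says "For all proxying setups, enable the following configuration" without saying on which peer. State that this block belongs on the proxy server (the peer whose public address the others share) and that `ens6` is an example name to be replaced by the host's real uplink interface; a mismatched name is not caught at build time and simply leaves the proxy non-functional. It is also worth one sentence that with `internalInterfaces = [ "wg0" ]` every peer reachable on wg0 is forwarded out of that interface, so the server becomes a gateway for all of them, which is the security consequence of enabling NAT here.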
Line 64: Line 40:
== Proxy DNS with dnsmasq ==
== Proxy DNS with dnsmasq ==


On the proxy server, use the following config
You can also use the proxy server as DNS server with
dnsmasq.


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
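Review bot: "You can also use the proxy server as DNS server with dnsmasq." drops the old "use the following config", so the snippet that follows now has no introduction and the reader is not told it is the server-side configuration; keep a pointer such as "On the proxy server, use the following dnsmasq configuration".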
Line 81: Line 58:
</syntaxhighlight>
</syntaxhighlight>


On the proxy client, configure DNS options.  For wg-quick, use the
For wg-quick peer, use the
following
following option


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
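Review bot: the rewritten lead-in "For wg-quick peer, use the following option" loses the old text's "On the proxy client", so the hunk no longer says which side the DNS option belongs on; keep the location, e.g. "On the proxy client, for a wg-quick peer, use the following option" (this also fixes the missing article in "For wg-quick peer").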
Line 94: Line 71:
= AllowedIPs =
= AllowedIPs =


"Allowed IPs" are IP addresses or ranges. It is specified on a
Each peer can handle traffic destined for a certain IP range.
per-peer basis. All traffic to these addresses and ranges will be
This range is called AllowedIP.
redirected to the peer.  Common forms of allowed IPs are the
 
following.
Common forms of allowed IPs include


* 192.168.26.9/32, a single internal IPv4 address
* 192.168.26.9/32, a single internal IPv4 address
Line 106: Line 83:
* ::/0, entire IPv6 address space, for proxying
* ::/0, entire IPv6 address space, for proxying


Notice that, in specifiying its subnet mask, some configuration
Notice that, in specifying its subnet mask, some configuration
modules can automatically configure network routes.
modules can automatically configure network routes.


Allowed IPs are unique to each peer.  If there are peers with the same
Allowed IPs should be unique to each peer.  If there are peers whose
allowed IPs, network traffic will only be redirected to one of them.
allowed IPs overlap, traffic will only reach one of them.


= WireGuard UDP Port =
= UDP Port =


The default port is 51820.  Some literature recommends changing this
The default port is 51820.  Some literature recommends changing this
port to circumvent intentional blocking of WireGuard traffic.
port to circumvent blocking of WireGuard traffic.


= Generate keys =
= Generate keys =


WireGuard works with public-private key pairs. Computers, called peers
WireGuard works with public-private key pairs.  
in WireGuard, are identified by their unique public keys.  Data is
encrypted with the corresponding private key before transmission.


Peers can only connect to a computer, if its public key is known to
Computer (peer) is identified by its public key
this computer.
Only connections from peers with known public keys are accepted.
For this reason, you can not reuse keys on multiple peers.


To generate a private key, and then derive the public key from it, you
To generate a private key, and derive the public key from it, you
need the <code>wg</code> utility, available in
need the <code>wg</code> utility, available in
<code>wireguard-tools</code> package.
<code>wireguard-tools</code> package.
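Review bot: the rewritten AllowedIPs paragraph ("Each peer can handle traffic destined for a certain IP range. This range is called AllowedIP.") describes only the outbound role; add a sentence that WireGuard also applies AllowedIPs to incoming packets, dropping anything from a peer whose source address lies outside its AllowedIPs, since that is what makes the overlap warning ("traffic will only reach one of them") a security property and not just a routing quirk. The word should be "AllowedIPs" throughout, matching the heading. In the key paragraph, "Computer (peer) is identified by its public key" needs an article and a full stop ("A computer (peer) is identified by its public key."), and the sentence "For this reason, you can not reuse keys on multiple peers" would be stronger if it said why: two peers presenting the same public key are indistinguishable to the server, so only one of them can be addressed.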
Line 138: Line 114:
</syntaxHighlight>
</syntaxHighlight>


You need to generate a new key for each peer.  If you are setting up
You need to generate a new key for each peer.
multiple WireGuard interfaces on the same computer, you can reuse the
same key.


Pay attention to the permission of the file.  File permission may
Make sure the private key has the correct file permission as required
cause the WireGuard service to fail.  Check system log to rule out
by the WireGuard service. Wrong file permission may
cause the service to fail.  Check system log to rule out
this scenario.
this scenario.


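Review bot: "Make sure the private key has the correct file permission as required by the WireGuard service" never says what the correct permission is, which is the point of this edit (summary: "systemd.network permissions"). Spell it out: the key file must not be world-readable; for systemd-networkd it must be readable by the `systemd-network` user, i.e. owned by `root:systemd-network` with mode 0640 as systemd.netdev(5) recommends for `PrivateKeyFile=`, whereas wg-quick runs as root and only needs the file readable by root. "Check system log" should also name the unit to inspect (`journalctl -u systemd-networkd`), otherwise the reader does not know where the failure is reported.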
Line 452: Line 427:
Optionally, configure proxy server as DNS server as described above.
Optionally, configure proxy server as DNS server as described above.


Note, systemd.network client seems to have issues.  Use wg-quick
Note, systemd.network client seems to have issues wit routing.  Use wg-quick
client instead.
client instead.
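Review bot: "issues wit routing" has a typo ("with"), and "seems to have issues" is still too vague to act on; say what fails (for example which route for a ::/0 or default AllowedIPs entry is not installed) or link the tracking issue, otherwise readers cannot tell whether the problem applies to their setup. Recommending wg-quick "instead" without that detail reads as folklore rather than a documented limitation.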