hexa- changed the topic of #nixos-on-your-router to: NixOS on your Router
pie_ has quit [Ping timeout: 250 seconds]
pie_ has joined #nixos-on-your-router
pie_ has quit [Ping timeout: 252 seconds]
<gchristensen> I made progress on wireguard tunnels
{`-`} has joined #nixos-on-your-router
THFKA4 has joined #nixos-on-your-router
THFKA4 has quit [Changing host]
<flokli> \o/
pie_ has joined #nixos-on-your-router
<gchristensen> okay so the insight is networking.firewall.checkReversePath = false; and wg-quick lets it "just work"
<gchristensen> I'm inclined to say we should switch from netfilter's rpfilter to the sysctl one
<gchristensen> I'm noticing:
<gchristensen> net.ipv4.conf.all.arp_filter = 0
<gchristensen> net.ipv4.conf.all.rp_filter = 0
<andi-> don't switch to the sysctls
<andi-> those do not exist in ipv6 ;-)
<andi-> turn them off (0) and use the netfilter modules
<gchristensen> maybe maybe you could chime in on the discussion in #wireguard?
* andi- looks
<gchristensen> I wonder why ipv6 doesn't have a sysctl for rp_filter
<gchristensen> anyway, disabling rpfilter fixes wireguard. I found https://github.com/NixOS/nixpkgs/commit/69407cb0136fb6a04b21a00aa6768c45fed00060 which specifically mentions wg0 so it is related, but I don't know about ipset
<andi-> I think david miller is right with not wanting that in the forwarding code
<andi-> Having it in firewalling code is the more flexible solution
<andi-> but yeah I still have to read on why it is needed for wg
<gchristensen> I have a computer next to me setup with a VPN
<gchristensen> broken by this code, so I can help answer questiosn :)
<andi-> lets do this some other day.. I should go to bed... Appointment early in the morning :/
<gchristensen> aye
<gchristensen> hmm
<gchristensen> maybe just setting it to loose will be sufficient?
<gchristensen> fwiw wg-quick runs `ip -4 rule add not fwmark 51820 table 51820; ip -4 rule add table main suppress_prefixlength 0`
<gchristensen> woohoo I got it to work
<gchristensen> I'd appreciate feedback :) https://github.com/NixOS/nixpkgs/pull/66300
<andi-> gnah, couldn't sleep left some feedback
<gchristensen> hrm I'm not actually sure how much of the networking.nat... options are required. will have to look ...
<gchristensen> I assume at a minimum internalInterfaces
<andi-> I would set internal and external interfaces just to be super clear about what to actually nat. I hate having firewall rules too broad.
<gchristensen> yeah
<andi-> I am assuming wg-quick adds the routes configured on the interface to the routing table with the same id as the mark? Then this whole setup does make sense. I would probably still build something around network namespaces / VRFs especially since I want to spawn webbrowser to click those stupid wifi portal things.
<gchristensen> right
<gchristensen> that is what it does
<andi-> Then your change looks okay-ish.. I do not like this whole scripted networking and we should get rid of it but that is what we got…
<gchristensen> right
<gchristensen> networkd seems pretty sweet
<andi-> until it doesn't deliver what you expected :/
<gchristensen> YUP
<andi-> hexa- and me will run a local event network on NixOS with networkd next month. We already got https://github.com/systemd/systemd/pull/13235 out of preparing that…
<andi-> Will see how much more things will break