#nixos-on-your-router on 2019-08-07

2019-05-13 22:50 hexa- changed the topic of #nixos-on-your-router to: NixOS on your Router

08:14 pie_ has quit [Ping timeout: 250 seconds]

11:19 pie_ has joined #nixos-on-your-router

12:59 pie_ has quit [Ping timeout: 252 seconds]

13:52 <gchristensen> I made progress on wireguard 0.0.0.0/0 tunnels

14:01 {`-`} has joined #nixos-on-your-router

16:10 THFKA4 has joined #nixos-on-your-router

16:10 THFKA4 has quit [Changing host]

17:01 <flokli> \o/

17:47 pie_ has joined #nixos-on-your-router

19:57 <gchristensen> okay so the insight is networking.firewall.checkReversePath = false; and wg-quick lets it "just work"

20:45 <gchristensen> I'm inclined to say we should switch from netfilter's rpfilter to the sysctl one

20:45 <gchristensen> I'm noticing:

20:45 <gchristensen> net.ipv4.conf.all.arp_filter = 0

20:45 <gchristensen> net.ipv4.conf.all.rp_filter = 0

20:46 <andi-> don't switch to the sysctls

20:46 <andi-> those do not exist in ipv6 ;-)

20:46 <andi-> turn them off (0) and use the netfilter modules

20:46 <gchristensen> maybe maybe you could chime in on the discussion in #wireguard?

20:46 * andi- looks

20:48 <gchristensen> I wonder why ipv6 doesn't have a sysctl for rp_filter

20:48 <gchristensen> oh http://lkml.iu.edu/hypermail/linux/kernel/0601.1/2454.html

20:49 <gchristensen> https://patchwork.ozlabs.org/patch/98970/

20:51 <gchristensen> anyway, disabling rpfilter fixes wireguard. I found https://github.com/NixOS/nixpkgs/commit/69407cb0136fb6a04b21a00aa6768c45fed00060 which specifically mentions wg0 so it is related, but I don't know about ipset

20:52 <andi-> I think david miller is right with not wanting that in the forwarding code

20:52 <andi-> Having it in firewalling code is the more flexible solution

20:52 <andi-> but yeah I still have to read on why it is needed for wg

20:53 <gchristensen> I have a computer next to me setup with a 0.0.0.0/0 VPN

20:53 <gchristensen> broken by this code, so I can help answer questiosn :)

20:53 <andi-> lets do this some other day.. I should go to bed... Appointment early in the morning :/

20:53 <gchristensen> aye

20:54 <gchristensen> hmm

20:54 <gchristensen> maybe just setting it to loose will be sufficient?

20:55 <gchristensen> fwiw wg-quick runs `ip -4 rule add not fwmark 51820 table 51820; ip -4 rule add table main suppress_prefixlength 0`

21:30 <gchristensen> woohoo I got it to work

22:21 <gchristensen> I'd appreciate feedback :) https://github.com/NixOS/nixpkgs/pull/66300

22:26 <andi-> gnah, couldn't sleep left some feedback

22:28 <gchristensen> hrm I'm not actually sure how much of the networking.nat... options are required. will have to look ...

22:28 <gchristensen> I assume at a minimum internalInterfaces

22:30 <andi-> I would set internal and external interfaces just to be super clear about what to actually nat. I hate having firewall rules too broad.

22:30 <gchristensen> yeah

22:34 <andi-> I am assuming wg-quick adds the routes configured on the interface to the routing table with the same id as the mark? Then this whole setup does make sense. I would probably still build something around network namespaces / VRFs especially since I want to spawn webbrowser to click those stupid wifi portal things.

22:35 <gchristensen> right

22:35 <gchristensen> that is what it does

22:36 <andi-> Then your change looks okay-ish.. I do not like this whole scripted networking and we should get rid of it but that is what we got…

22:36 <gchristensen> right

22:36 <gchristensen> networkd seems pretty sweet

22:36 <andi-> until it doesn't deliver what you expected :/

22:36 <gchristensen> YUP

22:38 <andi-> hexa- and me will run a local event network on NixOS with networkd next month. We already got https://github.com/systemd/systemd/pull/13235 out of preparing that…

22:39 <andi-> Will see how much more things will break