<danderson>
bqv[m]: I use wireguard as part of Tailscale (shilling alert!), so I don't have configs to share, but if you have a topology or questions in mind I'm happy to help
<bqv[m]>
does anyone here use wireguard
2020-04-04
<hyper_ch>
hmmm, having issues with latest master and boot.extraModulePackages: error: The option value `boot.extraModulePackages.[definition 1-entry 1]' in `/etc/nixos/hardware-configuration.nix' is not of type `package'. --> I need to have wireguard in it
<gchristensen>
gustavderdrache: (kill me) I could have it request its unlock keys over the wireguard tunnel to my laptop's vault , which requires a yubi-tap to allow :)
<Cadey>
is there any prior art for adding nixos containers to a wireguard subnet?
2020-03-21
<Avaq>
clever: Currently just using it to explore nixops. Once I have a setup going where I can reliably update my pi using nixops, I intend to run wireguard, and possibly if I can manage run a pihole server as well.
2020-03-18
<danderson>
but it really just means "relay encrypted wireguard packets based on the destination public key"
2020-03-16
<sigwinch28>
Avaq: oh! you have wireguard allowed as a _TCP_ port: `firewall.allowedTCPPorts = [ 51820 ];`. Wireguard is UDP.
<Avaq>
And I'm using my phone (with WireGuard android) to try and connect to my laptop from the outside.
<Avaq>
But if we forget the forwarding for a second - is there any way I can check that my wireguard server is running and doing what it should by approaching it from localhost somehow?
<sigwinch28>
Wireguard is a bit misleading to troubleshoot because wireguard servers/clients will not respond at all unless the correct keys are configured
<sigwinch28>
the real method of checking whether wireguard is _working_ is to use `wg show`, probably as root
<Avaq>
I also tried in various ways to connect from my localhost to the wireguard server, but I'm not sure what I'm supposed to be looking for.
<Avaq>
I have the port forwarding on my router working, which I confirmed by disabling wireguard and having something else listen to 51820, and I could in fact reach it from outside the network.
<sigwinch28>
Avaq: I have some experience running Wireguard (both vanilla setups and through nixos)
<Avaq>
Hi folks! I'm trying to set up wireguard. First using `networking.wireguard`, and when that didn't work, I switched to `networking.wg-quick`. I've gone over things a hundred times, but whatever I do, I end up in a situation where the wireguard server appears to be running, yet cannot be reached (Connection refused) by anyone.
<Avaq>
My problem is that I have no frame of reference for how a correctly running WireGuard setup should behave. So maybe one of you can help me out? Also I'm not very well versed when it comes to networking, so I might be mixing some things up. For example, I used telnet to try and connect to the wireguard server, but I fear that might be useless as wireguard expects UDP traffic.
<aminechikhaoui>
gchristensen I remember you once looked at the wireguard systemd services issue where they don't start on boot correctly ? do you remember that and did you ever figure what was the problem
2020-03-12
<Raito_Bezarius>
Also, WireGuard seems to have a problem, I'm having a unit file with some \n in it
2020-03-10
<Henson>
Hi everyone, I'm trying to get wireguard working with NixOS. I'm defining the peers of an interface exactly as it's described in the NixOS wiki, and that wireguard.nix file itself, and a site a found online. But when I try to build it, I get the error: error: The option value `networking.wireguard.interfaces.wg0.peers' in `/var/lib/containers/foo1/etc/nixos/configuration.nix' is not of type `lis
2020-03-09
<martijn>
Hello, is this the right place to ask for some nixos hints? I'm running ZFS with an encrypted pool and would like to be able to unlock remotely over SSH. I've found instructions on https://nixos.wiki/wiki/NixOS_on_ZFS, but the problem is, my machine doesn't have a public address and can only be accessed over a wireguard VPN. Is this possible to do on boot?
<{^_^}>
[nixpkgs] @bhipple opened pull request #81977 → prometheus-wireguard-exporter: upgrade cargo fetcher and cargoSha256 → https://git.io/JvrWc
2020-03-05
<aranea>
Is there a way to make nix install external kernel modules such as wireguard for the currently running kernel in addition to the kernel that'll be booted by default on the next boot?
2020-03-03
<aranea>
gchristensen: Well, a user in #wireguard just mentioned that their ISP (Charter) has a routing loop for some gh ips right now.
2020-02-28
<maxkernel>
(I am not using wireguard, but seems NixOS 19.09 depends on evaluating it at least)
2020-02-23
<v0|d>
i'm having trouble while switching to nftables, wireguard seems to load iptables modules back which breaks nft. any ideas?
2020-02-22
<{^_^}>
[nixpkgs] @rnhmjoj merged pull request #80758 → nixos/wireguard: fix wireguard service as well after it got upstreamed → https://git.io/JvRAQ
2020-02-21
<{^_^}>
[nixpkgs] @ikervagyok opened pull request #80758 → nixos/wireguard: fix wireguard service as well after it got upstreamed → https://git.io/JvRAQ
2020-02-14
<slabity>
Does anyone have a config for creating a wireguard-based network with NixOps?
2020-02-07
<floscr>
I've got this service for wireguard
<clever>
Twey: this spins up 2 peers, and then forms a wireguard tunnel between them, and confirms you can ping over the tunnel
* colemickens
wishes for the shoe making fairies to set their efforts to making systemd-networkd, iwd, network namespaces and wireguard all work together beautifully in nixos.
2020-01-31
<lovesegfault>
worldofpeace: I want my wireguard on 5.6 though :(
2020-01-30
<wedens[m]>
how do I configure wireguard to not route some subnets via tunnel?
<hpfr[m]>
danderson: yeah, preferably FOSS haha. Nebula actually seemed cool, but I think a VPS with WireGuard might be easier and from what you just explained more reliable
<danderson>
okay the simplest in terms of setup is: get a VPS, run a wireguard tunnel from your home to the VPS, and connect your laptop/etc to the VPS as well over wg
2020-01-16
<Guanin>
gchristensen, that's the path I'm taking right now. Just wanted to know if it would be possible to provide a nix-based alternative, as it seems really hard to break for a non-tech person while being remote-maintainable over wireguard+ssh, which is a big plus for me :)
<ivan>
dminuoso_: I don't know but you can search journalctl -b for 'taint' which has things like `wireguard: loading out-of-tree module taints kernel.`
2020-01-07
<kqb>
nix-env --query --installed --description | grep wireguard has zero lines. When I run "sudo nix-env --query --installed --description | grep wireguard" I see "Kernel module" in the descriptions of wireguard-0.0.20200105 . How do I debug this further?
<kqb>
I am running NixOS 19.09, I have added the package wireguard to my system, but networking.wireguard.enable is said not to exist. How do I solve this?
2020-01-06
<{^_^}>
[nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-19.09 « wireguard: 0.0.20191226 -> 0.0.20200105 »: https://git.io/Jejw0
<gchristensen>
diamondman: you might give it a try starting with a VM? :) but from a checkout of nixpkgs, try this: nix-build nixos/tests/wireguard/default.nix <- this will build a few NixOS systems, boot them in VMs, and verify the network and wireguard works correctly between them
2019-12-19
<mrlizard>
Ah.. it's wireguard issue.
<{^_^}>
[nixpkgs] @jonringer pushed commit from @ivan to master « wireguard-tools: 0.0.20191212 -> 0.0.20191219 »: https://git.io/Je5zh
<sshow>
I am running a custom kernel (latest_hardened), but it does not seem to make a difference whether I include the wireguard kernel module explicitly or not
<sshow>
Trying to setup a wireguard server. Unit-script fails with "fopen: No such file or directory". Any experience with this error?
2019-12-14
<duairc>
Great, they're just Ed25519 keys, I can reuse my terraform module that generates wireguard keys for this
<{^_^}>
[nixpkgs] @fpletz closed pull request #60983 → wireguard: add 'namespace' option to set interface netns → https://git.io/JerE0
<{^_^}>
[nixpkgs] @fpletz merged pull request #71510 → Add namespace support to Wireguard module → https://git.io/JeRId
2019-11-13
<tilpner>
infinisil: There are some efforts to add meshing to wireguard, but it doesn't do that on its own
<infinisil>
tilpner: tinc vs wireguard?
2019-11-09
<gyroninja>
and then right after it there are logs about wireguard being loaded
<sphalerite>
since wireguard is stateless
<gyroninja>
Is there a way to make a service depend on wireguard being up?
2019-11-08
<srid>
Basically, I'd like to run VPN. But limited in scope only to a single process of the web browser (Google Chrome). I already use Wireguard, and have a remote peer, so I'd like to use that as my VPN server.
<srid>
Could someone point me to their config of running containers declaratively, with wireguard tunnelling all traffic to some server (acting as vpn), and then launching google-chrome from the container, using the local X display?
2019-11-04
<manveru>
wedens[m]: i use krops+niv+wireguard to deploy all my machines
2019-11-02
<dhess>
I have a few that participate in a WireGuard network, and those need to have secrets deployed.
2019-10-29
<laudecay>
god i have to learn to reverse binaries and get my OSCP and contribute to wireguard and do work work stuff and read marx and practice cello and implement libc and aaaAAAAAAA
<laudecay>
me too it's ok i'm writing wireguard's haskell impl
2019-10-26
<gchristensen>
grr I think adding NAT to my server for my wireguard VPN broke a bunch of other things on my host
2019-10-23
<{^_^}>
[nixpkgs] @nixos-channel-bot pushed commit from @Ma27 to nixos-19.09-small « wireguard-tools: 0.0.20190913 -> 0.0.20191012 »: https://git.io/Je0Zi
<yorick>
I have a wireguard tunnel with an ipv6 address and allowedips=0.0.0.0/0,::/0. ipv6 works but isn't the default anywhere. how do I make it prefer ipv6 over ipv4?
2019-10-21
<{^_^}>
[nixpkgs] @asymmetric opened pull request #71510 → Add namespace support to Wireguard module → https://git.io/JeRId
<ajs124>
the fork has some support for modules. my project doesn't do that much. it just builds lineageos with wireguard and included google apps. also does over the air updates. but that's about it.
<witchof0x20>
I'm looking to encapsulate a service (transmission) so that it uses a vpn (wireguard) for communication. LXC seems like a good way to accomplish this. Is there a nice way to integrate the NixOS config of a LXC guest with the NixOS config of the host?
2019-09-29
<emily>
ah, you mean because of wireguard automation?
<ddellacosta>
okay. I guess this is my fault because I'm not using the built-in wireguard...because it also doesn't allow me to configure things the way I want. Grr
2019-09-28
<ivan>
I'm trying to decide how to manage all my wireguard configuration
<colemickens>
gchristensen: btw, I was hoping to be able to test the wireguard stuff soon, and ack back with something other than "I'll try soon" but I'm using it as motivation to wrap up my azure/nixos work, and of course I'm running into roadblocks again. Hopefully soon TM.
<ajs124>
gchristensen: the service *does* fail. As luck would have it, we redesigned and redeployed our wireguard infrastructure in exactly that week, that it was on stable.
<ajs124>
gchristensen: ahaha, you actually reverted this on 2019-06-01, so it should be fine on stable, as well. Seems like I was mainly doing wireguard stuff back then and I haven't paid attention to what's happening to the module.
<ajs124>
hyper_ch2, gchristensen: so. turns out, wireguard works differently on master, than it does on stable and it's actually oneshot again, already
<hyper_ch2>
wireguard? dns problems? /me is all ears
<ajs124>
so. gchristensen: The commit that introduced the wireguard restart semantics is 1bff53cb8408f583f4f9a02e487dbe2fa4110271, the motivation seems to be DNS problems. A few commits later (1de35c7f5ecbfe3c5bae252f660068669eb62b7a) we're setting WG_ENDPOINT_RESOLUTION_RETRIES to infinity, which the wg(8) manpage documents as something that should solve the same DNS problems.
2019-08-01
<{^_^}>
[nixpkgs] @grahamc closed pull request #31250 → wireguard: add support for default routing → https://git.io/vFC0Z
2019-07-25
<inquisitiv3>
How do I set DNS for WireGuard? I can't find any options when I search on the website.
<aleph->
Hmm wasn't there a wireguard service?
2019-07-24
<ajs124>
inquisitiv3: you could also just use wireguard manually, at that point. just wg-quick up/down.
<inquisitiv3>
Is there any way to connect to a Wireguard server using *.conf files instead of configuring it using the options `networking.wireguard.interfaces.*`? I'm trying to connect to my VPN provider.
<Smith[m]>
Hello ! I'm trying to setup wireguard and I was wondering how can I make private keys available before hand ? Is there some kind of hooks where I can execute a script to fetch my private keys ?
2019-07-21
<clever>
gchristensen: wireguard would need to dynamically figure out the remote ip, and add a route entry at runtime, to ensure it still goes via the gateway
<clever>
gchristensen: i need to go over your wireguard changes, and update tgt_service, it has similar bugs to what your wireguard recently had (which got fixed)
<Mic92>
hyper_ch: sorry, no longer using wireguard on any machine.
2019-06-20
<clever>
ashkitten: but you can also just allow the wireguard interface to do whatever it wants
<ashkitten>
i got wireguard working
<qyliss>
the nixos.wiki page on wireguard is pretty good
<clever>
ashkitten: have you considered a vpn? either toxvpn or wireguard
<qyliss>
wireguard?
2019-06-14
<hyper_ch2>
wireguard has really nice throughput and latency
<clever>
Yaniel: ive been considering using wireguard to mess with that
<hyper_ch2>
hmmm, still banned in #wireguard
2019-06-12
<dhess>
clever: yeah I'm trying to avoid that. Right now I host my Hydra behind WireGuard but it's a PITA
2019-06-10
<hyper_ch>
grahamc[m]: with yesterday's fix to wireguard service it seems now to work just fine
<mthst>
can i route services.transmission traffic through a wireguard interface?
2019-06-09
<clever>
dhess: ive also thought about how nixops should manage wireguard for you
<dhess>
I do have an elaborate WireGuard mesh for my own stuff but I'm trying to avoid that in new deployments. It's a bit of a PITA to maintain.
<dhess>
clever: I don't provision in NixOps anymore so that bit is not a problem for me. Anyway I'm trying to avoid WireGuard in this case if possible.
<clever>
dhess: wireguard on both the target machine, and also others in its LAN, and then i just mess with the deployip based on whatever is working at the time
<gchristensen>
hyper_ch2: okay, and what does `systemctl status 'wireguard-wg_hb-peer-quHqlmRZb2J\x2bg2V5GgOXqERaVLYjx5vAUMgYLIgqo2U\x3d.service'` say?
<gchristensen>
hyper_ch2: wireguard doesn't have a "client" or "server" mode, so what do you mean by that?
<hyper_ch2>
grahamc[m]: the problem occurs if you use wireguard as client and not as server
<hyper_ch2>
I was just looking at systemctl status wireguard-....
<gchristensen>
hyper_ch2: how did you find the wireguard peer unit which didn't start?
<hyper_ch2>
Shados: I forgot about that remark was still at "wireguard" - that's why it made no sense to me
<gchristensen>
clever: requires = [ "wireguard-${interfaceName}.service" ]; after = [ "wireguard-${interfaceName}.service" ]; wantedBy = [ "multi-user.target" ]; is this insufficient?
<gchristensen>
hyper_ch2: wireguard's module has no "client" or "Server" mode
<{^_^}>
[nixpkgs] @flokli merged pull request #62325 → wireguard: 0.0.20190406 -> 0.0.20190531 and Change peers without tearing down the interface, handle DNS failures better → https://git.io/fjEUa
<{^_^}>
[nixpkgs] @grahamc opened pull request #62325 → wireguard: 0.0.20190406 -> 0.0.20190531 and Change peers without tearing down the interface, handle DNS failures better → https://git.io/fjEUa
2019-05-30
<Mic92>
gchristensen: I am a bit biased to just use networkd in NixOS instead of maintaining script hackery for wireguard :)
2019-05-28
<jonge[m]>
i have a problem on nixos 19.03 here... i configured a wireguard server according to https://nixos.wiki/wiki/Wireguard - and after a reboot the log says `modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.3`. shouldn't the modules be in place just by activating wireguard via the module expression?
<jonge[m]>
yorick: So your suggestion is: make the hydra server also a wireguard server. make all build slaves automatically connect to the wireguard server after boot. the hydra server can then see the slaves like local machines, and if they are up it will use them as build slaves. correct?
<li_matrix>
wireguard is nice but I like cjdns for its pubkey derived IPs
<yorick>
jonge[m]: vpn (wireguard?
2019-05-25
<{^_^}>
[nixpkgs] @Ma27 pushed commit from @sjau to release-19.03 « wireguard: restart on failure »: https://git.io/fjBpo
<{^_^}>
[nixpkgs] @Ma27 merged pull request #61971 → wireguard: restart on failure\nAs a oneshot service, if the startup f… → https://git.io/fjB4c
<{^_^}>
[nixpkgs] @sjau opened pull request #61971 → wireguard: restart on failure\nAs a oneshot service, if the startup f… → https://git.io/fjB4c
<gchristensen>
I'd write up something a bit longer, like ... "wireguard: restart on failure\nAs a oneshot service, if the startup failed it would never be attempted again. This is problematic when peer's addresses require DNS. DNS may not be reliably available at the time wireguard starts. Converting this to a simple service with Restart and RestartAfter directives allows the service to be reattempted, but at the cost of losing the oneshot semantics."
<hyper_ch>
gchristensen: what would I name the commit? wireguard: fix client start ?
2019-05-22
<gchristensen>
(this will only impact the "wg0" wireguard interface)
<gchristensen>
the reason I mentioned ^ is for things like wireguard tunnel key exchange, and also keys used for things like znapzend
<andi->
haven't seen that on my wireguard machines. Not entirely sure how the kernel update timing is. I usually reboot those as soon as a new kernel is deployed.
<gchristensen>
wireguardians, do y'all see modprobe: FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/... when deploying a system with a kernel update?
<Qubasa>
devalot: So now it starts automatically after every rebuild with: the following new units were started: sys-devices-virtual-net-wireguard\x2dhome.device, sys-subsystem-net-devices-wireguard\x2dhome.device
<Qubasa>
Does someone have an idea how to overwrite the wireguard systemd service so that it doesn't start automatically?
<pie___>
yuken, its precisely my tinc connection that was the problem lol ;~; (also isnt wireguard all the rage these days)
2019-05-03
<Xyliton>
has anyone managed to get wireguard+mullvad working on NixOS?
2019-05-02
<{^_^}>
[nixpkgs] @ryantrinkle opened pull request #60818 → wireguard: allow routes to overlap with other routes → https://git.io/fjZj6
2019-04-30
<aminechikhaoui>
gchristensen yeah I always have the wireguard unit in a failed state after reboot
<gchristensen>
I'm not referring to the wireguard kernel module, but the wireguard nixos module
<gchristensen>
if wireguard fails to resolve the name the setup fails and I think never retries
<gchristensen>
hmm our wireguard module is broken if you use hostnames instead of IPs
2019-04-29
<{^_^}>
#51258 (by Tmplt, 21 weeks ago, open): wireguard: unable to route all traffic through interface
<ivan>
pbb: whoever put wireguard into nixos didn't implement that part
<pbb>
Hi, can anyone explain to me how the wireguard routing works on NixOS when I have a default route over wireguard? There is no table 51820 or any additional rule as there is with the wg-quick script.
2019-04-27
<{^_^}>
[nixpkgs] @thoferon opened pull request #60339 → wireguard: Add peers.*.publicKeyFile as an alternative to publicKey → https://git.io/fjGtv
2019-04-26
<gchristensen>
anyone have opinions about wireguard + public keys + endpoints being public?
2019-04-25
<{^_^}>
[nixos-org-configurations] @grahamc pushed to master « Setup wireguard on bastion »: https://git.io/fjsV7
<dhess>
gchristensen: I regularly use WireGuard to deploy to remote hosts.
<gchristensen>
anyone depending on wireguard to deploy to remote hosts?
<arianvp>
(I recently got a patch into networkd so we can provide keyfiles to wireguard through networkd config)
<gchristensen>
I just added a path unit to the wireguard module to support private keys being deployed out of band
<hyper_ch>
but x-systemd.automount probably tries to mount at boot - which would fail because of wireguard not being up
<hyper_ch>
problem is wireguard doesn't get properly started at bootup because of dns so I run a cron that regularly checks if the wg interface is running nicely and if not, call it
2019-04-14
<emilsp>
the wireguard kernel module creates wireguard specific network interfaces and this `AllowedIPs` thing is a feature of it.
<emilsp>
This is more of a question for #wireguard/##networking. But could you please elaborate your concern?
<emilsp>
asymmetric|: if it's more of a wireguard issue than nixos issue, I might be of some help :)
<asymmetric|>
can someone help me troubleshoot my wireguard setup?
2019-04-13
<sphalerite>
and the wireguard module will automatically create routes for them by default
<sphalerite>
since they need to be there anyway for wireguard to route them
<pingiun>
[14:47:21] <pingiun>I have this error where nixos keeps waiting on a wireguard device: https://0x0.st/zZQv.png
<pingiun>
I have tried that, but when I boot the machine, it keeps waiting for a wireguard device
<pingiun>
I have a wireguard configuration, but I also need to add routes to the interface, which can only be done once the interface is up
2019-04-07
<pingiun>
oh wait that's the wireguard config
<ajs124>
pingiun, maybe wireguard is trying to resolve domains of endpoints?
<pingiun>
wireguard also falls under this
<pingiun>
so should the wireguard key be one that is stored on the machine?
<pingiun>
after waiting the 1.5 minute, the wireguard device is up and working btw
<pingiun>
I have this error where nixos keeps waiting on a wireguard device: https://0x0.st/zZQv.png
<inquisitiv3>
I don't think that I run any tunnel on the host that blocks network traffic. Uninstalled Wireguard after trying to get it running.
2019-01-14
<jasongrossman>
Thanks, lassulus and Mic92 and tilpner. I'm going to put wireguard to one side until at least tomorrow.
<Mic92>
i.e. ip route add 8.8.8.8 via $wireguard_ip
<lassulus>
hmm, I think you can also put 0.0.0.0/0 to the allowedIPs of the wireguard peer?
<Mic92>
because you still need a route to your wireguard vpn
<lassulus>
you need to set your default gateway to the wireguard server (mind, that you probably need a special route, to connect to your wireguard server still through the normal internet). You need to enable nat on the wireguard server
<jasongrossman>
Hi hi. I have what I think is a very basic networking question. I've set up wireguard using the instructions on the NixOS wiki, and I can ping my local wireguard address successfully. But my internet traffic is not going over the wireguard tunnel - it's still using my wireless interface directly (wlp2s0) instead of my new wireguard interface (wg0). Should I be doing something to tell the OS to use the wireguard interface?
2019-01-11
<clever>
tobiasBora: make a second file, that configures only wireguard, and add it to the imports section
<tobiasBora>
clever: not sure I follow you here. the goal is exactly to do everything from one file right? Do you mean you could change this file into a usable unique file that keeps the structure (separate openvpn conf and wireguard)? http://paste.debian.net/1059696
<bake[m]>
i've tried to use wireguard as described in https://nixos.org/nixos/options.html#networking.wireguard.interfaces (and the wiki), and it does not log errors, but i can't connect to any side (other than google.com after ~30s). are there some mandatory configurations i am missing?