<pinecamp> anyone here using wireguard in a network namespace? I've spent 8hrs or so trying to get things working in the past couple days, but I think I'm in over my head


<vuko> Keij0: wireguard works on some BSD's
<Keij0> but idk if pfSense supports wireguard since it's BSD-based
<mkaito> yeah, we switched to wireguard and the skies opened and the angels sang
<raghavsood> Wireguard is the future


<ivan> xenophile: it looks like windscribe has wireguard support which you can use on nixos via wg-quick


<axx> my nfs.server and a wireguard tunnel failed to load, rest looks ok at first glance


<pushqrdx> sphalerite i removed wireguard from there and only left ddci-driver but getting same error for some reason, it seems like extraModulePackage doesn't exist anymore or something
<sphalerite> and you'll have your wireguard support already shipped in the kernel.
<pushqrdx> sphalerite yes i always did because i want to add ddci and wireguard packages


<Cadey> when is the 20.09 channel going to update with the wireguard fix


<{^_^}> [nixpkgs] @dasJ closed pull request #103451 → wireguard: Fix building on Linux 4.5.76+ → https://git.io/JkIx9
<{^_^}> #103451 (by dasJ, 15 seconds ago, open): wireguard: Fix building on Linux 4.5.76+
<{^_^}> [nixpkgs] @dasJ opened pull request #103451 → wireguard: Fix building on Linux 4.5.76+ → https://git.io/JkIx9
<Cadey> upgraded my 20.09 channel today and i can't build wireguard: https://gist.github.com/Xe/dc479baee47186f069094817c0f35d6f


<arianvp> (I run networkd in initrd; with wireguard support)
<colemickens> does anyone run wireguard in initrd?


<matthewcroughan_> so on this machine, globally, you have wireguard, qemu, certmon, matrix, mastodon, etc?


<Akira[m]> technically not a fix for your issue but I think mullvad just uses wireguard, you can use the wireguard package


<exarkun> Anyone using wireguard as a vpn client on NixOS? I tried but it won't route traffic. Same configuration/provider works fine on, eg, an Ubuntu VM running on the same NixOS machine.


<cole-h> Specifically in my libvirt and wireguard configs


<Akira[m]> any reasons why wireguard wouldn't work with the standard setup here? https://nixos.wiki/wiki/Wireguard


<Raito_Bezarius> if you try wireguard on mobile or something like this
<Raito_Bezarius> did this commercial VPN already work before with WireGuard?
<Raito_Bezarius> exarkun: and on the wireguard layer?
<exarkun> the return traffic appears to be wireguard keepalives
<Raito_Bezarius> imperative wg-quick could be used for debug, but I have some large WireGuard setup in NixOS (20.03 and beyond) and they're working quite well
<exarkun> beats me, I've never tried setting up wireguard on any other OS
<exarkun> What should I dump with it? traffic on the wireguard interface? traffic on the uplink interface?
<exarkun> Raito_Bezarius: I have no idea if it has anything to do with NixOS either but #wireguard hasn't been able to help so far either
<exarkun> having lots of trouble getting wireguard working on nixos


<julm> exarkun: I don't know about the container part, but for the interface part the wireguard module has support for the net namespace isolation described at the end of https://www.wireguard.com/netns/
<exarkun> Anyone have any guides for running a nixos container with only a wireguard-supplied interface for its network?


<V> I have a directory /secrets that's only visible to root, with subdirectories for each module (wireguard, openssh, etc), and write their private data in there


<Ke> just type in wireguard
<pinpox> Trying to list the options, e.g. for wireguard
<pinpox> Hi, general question from a NixOS newbie: How do you deal with secrets in general when using nixOS? e.g. I've added my wireguard setup in the configuration.nix, the secret key is read from /etc/wireguard/privatekey. Where would you store that key safely so it will be placed there when putting my configuration.nix on a different machine? Same thing for SSH private keys or credentials for
<clever> tobiasBora: but some systemd services like wireguard will force a `modprobe wg` before starting the service


<Miyu-saki> If I allow for wireguard, then that means that everything is routed through there
<Miyu-saki> cole-h: Hi, my bad, sorry, turns out it was wireguard being smart.
<Miyu-saki> I think it's not wireguard itself, but I have a daemon adding a default route for every interface
<Miyu-saki> How do I make wireguard *not* setup a default route?
<hyper_ch> lucus16: currently there's 11 people in the list... also those 11 get vpn connections with wireguard etc..... so I have a separate secrets.nix that is imported on top of the configuration nix and in that secrets.nix I have all the individual data setup.... so I can make the list there and then just use it
<hyper_ch> no, those are not users.users.... they just access via samba authenticated by ip through wireguard... not actual system users


<energizer> iqubic: turns out "which computers can see each other over my network" is rapidly evolving right now due to things like wireguard replacing old tech


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-tools: 1.0.20200820 -> 1.0.20200827 »: https://git.io/JUtfE


<infinisil> Oh yeah I get less failures at least when turning off wireguard
<q3k[m]> if so, we can fix your wireguard tunnel next :P
<q3k[m]> try it without the wireguard if possible, see if that fixes the issue
<infinisil> I think I tried turning it wireguard already though
<q3k[m]> yep it's the wireguard
<infinisil> Home network, but I do route everything through wireguard to another server


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-tools: 1.0.20200513 -> 1.0.20200820 »: https://git.io/JUvV6


<das_j> are there any example out-of-tree modules built for nixos? I found wireguard but their makefiles do a lot more than I expected


<nilsirl[m]> hyper_ch: nah 😂, I was saying that it worked on my phone but didn't work on my desktop system running nixos (suggesting that the problem is not linked to my wireguard configuration file or server)
<{^_^}> #52411 (by anderspapitto, 1 year ago, open): Support network-namespace based wireguard vpn setup [feature request]
<{^_^}> https://github.com/NixOS/nixpkgs/issues/51258 (by tmplt, 1 year ago, open): wireguard: unable to route all traffic through interface
<nilsirl[m]> after rereading your message, I guess the correct message would be, what are the open issues regarding wireguard? #51258 seems interesting
<nicolas[m]1> There's many open issues regarding Wireguard on NixOS. If you tunnel your entire traffic through Wireguard then it doesn't work AFAIK
<nilsirl[m]> I'm not using nixos' builtin wireguard support, just `wg-quick` directly from the command line and have nothing in my network settings
<nilsirl[m]> Hi, I've been trying to connect to a wireguard server, but when I run `sudo wg-quick up ./config.conf`, I lose internet connectivity and nothing works. I have to disable wireguard for my internet to work again. I believe this failure is linked to nixos because out of my 2 attempts to get wireguard to work on this nixos system, none of them have worked and I've been able to connect with the exact same wireguard


<nature> Hi, I just set up wireguard on nixos with wg-quick, I was wondering how can I do the equivalent of `wg-quick down wg0` ?


<muranic> My wireguard config wasn't getting any connection so I eventually settled for OpenVPN. https://pastebin.com/WBu3MV65
<muranic> I couldn't really figure out a Wireguard configuration, especially with split tunneling.
<ivan> wireguard is connectionless and will retry after 5 seconds or so
<ivan> mullvad has wireguard endpoints, you could just use those instead


<nature> same with wireguard as well, if you configure it, is it still advised to explicitly install it?


<disasm> yay for wireguard and ssh :)


<aml> Hi! I've just started using NixOS and there are some cases where I don't want to start services automatically but rather run systemctl start service. How is that usually handled? My specific use cases are for docker and wireguard.


<gchristensen> postgres isn't ordered after the wireguard interface...


<Rian[m]> which service definition? that of the wireguard interface?
<Rian[m]> I noticed that when I do nixos-rebuild switch manually, afterwards my wireguard link doesn't work any more. restarting the wg0 interface fixes that


<Henson> jneplokh: here's my guess. You should be specifying "ens3" instead of "eth0" in the networking.nat.externalInterface line in that wiki article. The same goes for those "iptables" lines in the postSetup and postShutdown sections. Change all instances of "eth0" in your wireguard config for "ens3".
<Henson> jneplokh: well, your server has several network interfaces. "wg0" is your wireguard interface, "lo" is your loopback interface. If your server is connected to the Internet via an ethernet interface, you should have one of those too, although the name is hard for me to predict.


<Henson> jneplokh: fire up "tcpdump -ni wg0" on your server and see if it sees the ping packets come in on the Wireguard interface
<jneplokh> infinisil: The client I am currently using is not running NixOS, so I am just configuring Wireguard through the app
<Henson> jneplokh: so you've got a central server, connected to the Internet, running NixOS. You want to connect from a client, over the Internet using Wireguard as a VPN, and route traffic from your client, through the VPN, to the server and then out to the Internet?
<Henson> jneplokh: can you describe what you're trying to achieve with wireguard?
<jneplokh> Henson: Sorry, just a little confused. Do you mean from my "client" if I can ping the server? If so, I can ping the local IP for the wireguard interface
<Henson> jneplokh: are you able to ping from the client to the server on the wireguard interface?
<jneplokh> Hey everyone, I am trying to setup Wireguard as a "server"/forward all traffic like a VPN on a NixOS machine using the instructions here: https://nixos.wiki/wiki/Wireguard but am having issues with reaching the internet.


<drakonis> hmm, i want to set up wireguard to connect to a vpn


<betaboon> actually it seems like it tries to pull in all the firmwares, nvidia-x11, amdgpu, ati-drivers, wireguard etc


<quinn> well you can run wireguard right now if you want! i ran 5.6 on stable 20.03 for a while (until an issue with rt-patch and zfs kicked me off)
<multun> somebody wants wireguard :)


<nanashi0x74Old[m> I'm trying to set up a wireguard vpn tunnel. The link seems to work, I'm routing outgoing traffic through my other server now, but now I'd like to forward some external ports to the machine, but that doesn't seem to work. Could anybody help me here?


<magnetophon> sphalerite: I checked: command not found: tinc, command not found: wireguard
<sphalerite> magnetophon: you can build one yourself (if you have a server with a public IP somewhere) using tinc or wireguard, which are slightly more involved options, or use a service like zerotier or… I forgot the name of the other one I had in mind


<emilsp> bellavito: I've not used nix to configure wireguard interfaces before, but if you check the options for wireguard and wg-quick, it's pretty self explanatory. You can also peek at infinisil's system config if you want to see those fields be populated - https://github.com/Infinisil/system/blob/31ebb66df2ebc040eea3b1cd1855ddf05830bc6d/config/machines/vario/default.nix#L28-L37
<emilsp> in wireguard, there are no clients or servers, only peers
<bellavito> I'm trying out wireguard for the first time. I'll be grateful if anyone could share example configs.


<nixbitcoin> energizer: One could also mitigate a bunch of security vulnerabilities by only allowing clients to access Nextcloud through a Wireguard tunnel
<raghavsood> We just run two instances of chrome with separate data directories, so one instance runs inside a network namespace under wireguard, and connects to the self hosted one, while the regular chrome instance doesn't run under wireguard and connects to the public bitwarden
<raghavsood> Provided you are using SSL, you shouldn't need a VPN to secure stuff - although you will need it if you want to enforce any kind of IP whitelisting (we use wireguard for the hosted instance, so only people on the company VPN can connect to it)


<hyper_ch> quinn: I suggest to give wireguard a try...
<quinn> also you might be able to set the bind address to the wg address rather than if you run wireguard and `ip a` that should tell you. no promises though
<hyper_ch> and wireguard is simple to setup and has almost no overhead
<hyper_ch> wg is the wireguard interface
<hyper_ch> samba server and wireguard server are on the same physical box
<hyper_ch> energizer: where is the wireguard vpn subnet that I use
<hyper_ch> energizer: I use samba instead of nfs and I just only allow connections from predefined ip addresses (which are all wireguard vpn addresses where the same server is also the wireguard server)


<irimi1> Hi! I set up NixOS on my main machine a few weeks ago and I’m having trouble using WireGuard. I can set up my config using wg-quick and everything, but DNS resolution seems to fail afterwards and internet access fails. I’m using networkmanager and haven’t messed with the network setup otherwise. Can anyone help me understand what’s going wrong?
<hazel> I'm using resolvconf for /etc/resolv.conf since WireGuard depends on itorres


<clever> gchristensen: I've tried removing that, and making one systemd service per block-dev, but it's got some bugs, and your wireguard changes kind of fit the same style i was aiming for
<bqv> Systemctl stop wireguard-wg0
<hazel> i have a wireguard vpn, and i'm aware that networking.wireguard.interfaces exists


<njha> yup, I have physical access and access through wireguard
<lux2> can anyone help me to set up wireguard?


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-go: keep `$bin/bin/wireguard` for backwards-compat »: https://git.io/JfaVO
<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-go: fix executable name »: https://git.io/Jfaan
<{^_^}> [nixpkgs] @flokli merged pull request #88610 → wireguard-go: fix executable name → https://git.io/Jf2Pw
<njha> So I'm trying out NixOS right now, and I want to store a secret (WireGuard Private Key) declaratively. Putting it in /etc/nixos/ seems like a bad idea, but the issue for storing secrets is still open (#24288).


<{^_^}> [nixpkgs] @Ma27 opened pull request #88610 → wireguard-go: fix executable name → https://git.io/Jf2Pw


<keithy[m]> Hi, I'm struggling to get wireguard running.... modprobe: FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/5.4.41


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-tools: 1.0.20200510 -> 1.0.20200513 »: https://git.io/Jfu6L
<{^_^}> [nixpkgs] @Ma27 pushed to master « wireguard-tools: 1.0.20200510 -> 1.0.20200513 »: https://git.io/JfuKF


<metheflea> anyone using wireguard? i'm a nixos/linux noob and i'm having troubles setting it up the way i want it to... i've got a wg0.conf file that i'd like to use, but installing the wg-quick package and doing "wg-quick up wg0 " doesn't seem to work (can't reach any websites). i then tried using the "networking.wg-quick.interfaces.*" nixos option and while it does work, it creates a systemd service that starts on boot and i'd much


<aswanson> cole-h: I've tried disabling my install of inetutils since a grep of nixpkgs showed that it had a dependency on help2man, and the wireguard kernel module I had enabled, but no dice so far


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « wireguard-tools: 1.0.20200319 -> 1.0.20200510 »: https://git.io/JfllZ
<{^_^}> [nixpkgs] @Ma27 pushed to master « wireguard-tools: 1.0.20200319 -> 1.0.20200510 »: https://git.io/JflWV
<danderson> cole-h: wireguard-go works on Windows, via the "wintun" driver
<cole-h> danderson: Tailscale on Windows :o Does Wireguard (I think you guys use Wireguard, right?) even support Windows?


<pistache> what I usually do is setup a specific routing table for the Wireguard traffic
<hr[m]> Does anyone have experience setting up wireguard on NixOS with all traffic routed through the vpn? I attempted it a few months ago but remember there was an issue with routing all traffic.
<yorick> I'm trying to cross-compile the wireguard kernel module


<clever> ixxie: look at openvpn or wireguard for examples


<{^_^}> [nixpkgs] @Ma27 merged pull request #86605 → wireguard-compat: 1.0.20200426 -> 1.0.20200429 → https://git.io/Jf3ym
<notgne2> not sure if it's a good idea, but one of my personal modules actually uses runCommandNoCC to generate a list of IPs for the wireguard module


<{^_^}> [nixpkgs] @BKPepe opened pull request #86605 → wireguard-compat: 1.0.20200426 -> 1.0.20200429 → https://git.io/Jf3ym


<Raito_Bezarius> clever: but what if, conf A does not include WireGuard, but conf A' includes WireGuard
<clever> and then you immediately have to reboot, because the kernel is old and can't load the wireguard driver
<clever> currently, you would boot an old nixos from an AMI image, and deploy your full config with wireguard
<Raito_Bezarius> I have seen that the current nixops does not know when to reboot apparently with respect to wireguard
<clever> to do it "securely", you would want to copy-closure the wireguard binary to the remote machines, and run the keygen commands over ssh, storing the secret remotely, and public in the nixops state
<clever> that reminds me, i was thinking about how wireguard would work in nixops
<Raito_Bezarius> but automagic WireGuard is going to be such a killer-feature
<Raito_Bezarius> but I'd love to contribute to nixops-encrypted-links for WireGuard
<adisbladis> But wireguard
<Raito_Bezarius> nothing that fancy :P ; but for some work, they didn't have proper private networking, so I tried to write something that put WireGuard as private networking layer with minimal assumptions and hardcoding
<adisbladis> Raito_Bezarius: Wireguard?
<Raito_Bezarius> recently, I used nixops+nixos qemu a lot, it works pretty great, I've written some basic wireguard layer and it enables to test small infrastructure quite easily


<{^_^}> [nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-20.03 « wireguard-compat: 1.0.20200413 -> 1.0.20200426 »: https://git.io/JfqlF
<{^_^}> [nixpkgs] @Ma27 merged pull request #86107 → wireguard-compat: 1.0.20200413 -> 1.0.20200426 → https://git.io/JfqOA
<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #86107 → wireguard-compat: 1.0.20200413 -> 1.0.20200426 → https://git.io/JfqOA


<{^_^}> [nixpkgs] @Mic92 merged pull request #85984 → wireguard: 1.0.20200401 -> 1.0.20200413 → https://git.io/JfLhQ


<{^_^}> [nixpkgs] @Mic92 opened pull request #85984 → wireguard: 1.0.20200401 -> 1.0.20200413 → https://git.io/JfLhQ


<infinisil> immae: E.g. my wireguard config references /nix/store/vjy7xbjqdx0pw0wxjijlgy0a4gkfmjqx-secret-client-private, which is a symlink to /var/keys/client-private, but the hash of the secret is incorporated into the hash of the /nix/store path


<cole-h> It's because the module defaults to wireguard-cli
<simpson> Kyndig: As a hint, I tested out not just `wireguard-tools`, but /nix/store/7l4j4671x81k7w520mqj5m1sgr7pij6h-wireguard-tools-0.0.20190123, and I didn't build it myself, but summoned it from cache.
<Kyndig> not for wireguard
<hyper_ch> wireguard <3
<simpson> Kyndig: The package named `wireguard-tools` can be built and installed regardless of whether the running kernel supports it.
<Kyndig> wireguard is an example


<MYMYRSRS> When I manually use wg-quick to manage the wireguard connection, I found that the network.firewall of nixos will cause the wg-quick connection to fail


<__init__> I'm having trouble figuring out how to debug wireguard when I don't control the server, like with hosted VPNs. when I enable the interface in systemd the connection just stops working. :)
<bqv[m]> i'm using wireguard now
<__init__> hello, have any of you set up a wireguard vpn lately? perhaps ideally/specifically with mullvad?


<hyper_ch> why does this give an error with current unstable: boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ]; --> error: The option value `boot.extraModulePackages.[definition 1-entry 1]' in `/etc/nixos/hardware-configuration.nix' is not of type `package'.


<{^_^}> [nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-19.09 « linuxPackagesFor: wireguard: noop for kernel >= 5.6 »: https://git.io/Jvp3m


<bqv[m]> internet --- zeta --- delta . Zeta has two IPs, both publicly reachable, and is wireguard connected to delta ( I'd like the internet to be able to use zeta's second IP to talk to delta, but also to be able to talk directly to delta at
<bqv[m]> but I'd also like to be able to talk to that wireguard IP directly (from the server)
<bqv[m]> I'm trying to NAT all traffic from my server's second IP to a wireguard-linked IP
<srhb> notgne2: Ah yes. Is it that wireguard got upstreamed?


<jared-w> bqv[m]: Do you happen to know if wireguard can be used as a client to connect to openvpn? Kinda curious because I have an openvpn config currently to use my work's VPN but it would be interesting to see if I'd even get any performance boost at all from wireguard
<bqv[m]> just as i get the super speed boost of switching from tinc to wireguard as well


<danderson> I guess tinc upgrades to p2p tunnels when it can, but wireguard won't do that
<danderson> I'll shill one last time, but that's pretty much exactly what tailscale does - builds a mesh VPN out of wireguard tunnels. Also features NAT traversal and TCP fallback, which plain wireguard doesn't offer
<bqv[m]> (i'm basically trying to replace my tinc mesh with wireguard)
<danderson> bqv[m]: I use wireguard as part of Tailscale (shilling alert!), so I don't have configs to share, but if you have a topology or questions in mind I'm happy to help
<bqv[m]> does anyone here use wireguard


<hyper_ch> hmmm, having issues with latest master and boot.extraModulePackages: error: The option value `boot.extraModulePackages.[definition 1-entry 1]' in `/etc/nixos/hardware-configuration.nix' is not of type `package'. --> I need to have wireguard in it


<{^_^}> [nixpkgs] @rnhmjoj merged pull request #84173 → Fix wg-quick after wireguard got upstreamed → https://git.io/JvF7C
<{^_^}> [nixpkgs] @bkchr opened pull request #84173 → Fix wg-quick after wireguard got upstreamed → https://git.io/JvF7C


<emily> my best guess is maybe wireguard got incorporated ahead of schedule and so the optional condition there is wrong?
<emily> I'm trying to set up wireguard on nixos-unstable using linuxPackages_hardened_latest (5.5.9-hardened) and getting the error "FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/5.5.9-hardened". it seems to be injected by https://github.com/NixOS/nixpkgs/blob/master//nixos/modules/services/networking/wireguard.nix#L438


<gchristensen> gustavderdrache: (kill me) I could have it request its unlock keys over the wireguard tunnel to my laptop's vault , which requires a yubi-tap to allow :)


<{^_^}> [nixpkgs] @Ma27 pushed to release-20.03 « prometheus-wireguard-exporter: 3.2.2 -> 3.2.4 »: https://git.io/Jvy7w
<{^_^}> [nixpkgs] @Ma27 pushed to master « prometheus-wireguard-exporter: 3.2.2 -> 3.2.4 »: https://git.io/Jvy7I


<Cadey> is there any prior art for adding nixos containers to a wireguard subnet?


<Avaq> clever: Currently just using it to explore nixops. Once I have a setup going where I can reliably update my pi using nixops, I intend to run wireguard, and possibly if I can manage run a pihole server as well.


<danderson> but it really just means "relay encrypted wireguard packets based on the destination public key"


<sigwinch28> Avaq: oh! you have wireguard allowed as a _TCP_ port: `firewall.allowedTCPPorts = [ 51820 ];`. Wireguard is UDP.
<Avaq> And I'm using my phone (with WireGuard android) to try and connect to my laptop from the outside.
<Avaq> But if we forget the forwarding for a second - is there any way I can check that my wireguard server is running and doing what it should by approaching it from localhost somehow?
<sigwinch28> Wireguard is a bit misleading to troubleshoot because wireguard servers/clients will not respond at all unless the correct keys are configured
<sigwinch28> the real method of checking whether wireguard is _working_ is to use `wg show`, probably as root
<Avaq> I also tried in various ways to connect from my localhost to the wireguard server, but I'm not sure what I'm supposed to be looking for.
<Avaq> I have the port forwarding on my router working, which I confirmed by disabling wireguard and having something else listen to 51820, and I could in fact reach it from outside the network.
<sigwinch28> Avaq: I have some experience running Wireguard (both vanilla setups and through nixos)
<Avaq> Hi folks! I'm trying to set up wireguard. First using `networking.wireguard`, and when that didn't work, I switched to `networking.wg-quick`. I've gone over things a hundred times, but whatever I do, I end up in a situation where the wireguard server appears to be running, yet cannot be reached (Connection refused) by anyone.
<Avaq> My problem is that I have no frame of reference for how a correctly running WireGuard setup should behave. So maybe one of you can help me out? Also I'm not very well versed when it comes to networking, so I might be mixing some things up. For example, I used telnet to try and connect to the wireguard server, but I fear that might be useless as wireguard expects UDP traffic.
<aminechikhaoui> gchristensen I remember you once looked at the wireguard systemd services issue where they don't start on boot correctly ? do you remember that and did you ever figure what was the problem


<Raito_Bezarius> Also, WireGuard seems to have a problem, I'm having a unit file with some \n in it


<Henson> Hi everyone, I'm trying to get wireguard working with NixOS. I'm defining the peers of an interface exactly as it's described in the NixOS wiki, and that wireguard.nix file itself, and a site I found online. But when I try to build it, I get the error: error: The option value `networking.wireguard.interfaces.wg0.peers' in `/var/lib/containers/foo1/etc/nixos/configuration.nix' is not of type `lis


<martijn> Hello, is this the right place to ask for some nixos hints? I'm running ZFS with an encrypted pool and would like to be able to unlock remotely over SSH. I've found instructions on https://nixos.wiki/wiki/NixOS_on_ZFS, but the problem is, my machine doesn't have a public address and can only be accessed over a wireguard VPN. Is this possible to do on boot?


<{^_^}> [nixpkgs] @Ma27 merged pull request #81977 → prometheus-wireguard-exporter: upgrade cargo fetcher and cargoSha256 → https://git.io/JvrWc
<{^_^}> [nixpkgs] @bhipple opened pull request #81977 → prometheus-wireguard-exporter: upgrade cargo fetcher and cargoSha256 → https://git.io/JvrWc


<aranea> Is there a way to make nix install external kernel modules such as wireguard for the currently running kernel in addition to the kernel that'll be booted by default on the next boot?


<aranea> gchristensen: Well, a user in #wireguard just mentioned that their ISP (Charter) has a routing loop for some gh ips right now.


<maxkernel> (I am not using wireguard, but seems NixOS 19.09 depends on evaluating it at least)


<v0|d> i'm having trouble while switching to nftables, wireguard seems to load iptables modules back which breaks nft. any ideas?


<{^_^}> [nixpkgs] @rnhmjoj merged pull request #80758 → nixos/wireguard: fix wireguard service as well after it got upstreamed → https://git.io/JvRAQ


<{^_^}> [nixpkgs] @ikervagyok opened pull request #80758 → nixos/wireguard: fix wireguard service as well after it got upstreamed → https://git.io/JvRAQ


<slabity> Does anyone have a config for creating a wireguard-based network with NixOps?


<floscr> I've got this service for wireguard
<clever> Twey: this spins up 2 peers, and then forms a wireguard tunnel between them, and confirms you can ping over the tunnel
<{^_^}> [nixpkgs] @Ma27 merged pull request #79429 → wireguard: rm libmnl from buildInputs → https://git.io/JvnUe
<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #79429 → wireguard: rm libmnl from buildInputs → https://git.io/JvnUe


<{^_^}> [nixpkgs] @Ma27 pushed to release-19.09 « wireguard-tools: 1.0.20200121 -> 1.0.20200206 »: https://git.io/JvZPP
<{^_^}> [nixpkgs] @Ma27 pushed to master « wireguard-tools: 1.0.20200121 -> 1.0.20200206 »: https://git.io/JvZiM


* colemickens wishes for the shoe making fairies to set their efforts to making systemd-networkd, iwd, network namespaces and wireguard all work together beautifully in nixos.


<lovesegfault> worldofpeace: I want my wireguard on 5.6 though :(


<wedens[m]> how do I configure wireguard to not route some subnets via tunnel?


<{^_^}> [nixpkgs] @globin merged pull request #78191 → wireguard: 1.0.20200102 -> 1.0.20200121 → https://git.io/JvLtk


<{^_^}> [nixpkgs] @Ma27 opened pull request #78191 → Bump wireguard → https://git.io/JvLtk


<hpfr[m]> danderson: yeah, preferably FOSS haha. Nebula actually seemed cool, but I think a VPS with WireGuard might be easier and from what you just explained more reliable
<danderson> okay the simplest in terms of setup is: get a VPS, run a wireguard tunnel from your home to the VPS, and connect your laptop/etc to the VPS as well over wg


<Guanin> gchristensen, that's the path I'm taking right now. Just wanted to know if it would be possible to provide a nix-based alternative, as it seems really hard to break for a non-tech person while being remote-maintainable over wireguard+ssh, which is a big plus for me :)
<ivan> dminuoso_: I don't know but you can search journalctl -b for 'taint' which has things like `wireguard: loading out-of-tree module taints kernel.`


<kqb> Hello, I am trying to install wireguard as per https://nixos.wiki/wiki/Wireguard . When running nixos-rebuild switch I get the error modprobe: FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/4.14.90. This seems odd. https://github.com/NixOS/nixpkgs/blob/release-19.09/nixos/modules/services/networking/wireguard.nix contains "boot.extraModulePackages = [ kernel.wireguard ];" and for some reason sudo
<kqb> nix-env --query --installed --description | grep wireguard has zero lines. When I run "sudo nix-env --query --installed --description | grep wireguard" I see "Kernel module" in the descriptions of wireguard-0.0.20200105 . How do I debug this further?
<kqb> I am running NixOS 19.09, I have added the package wireguard to my system, but networking.wireguard.enable is said not to exist. How do I solve this?


<{^_^}> [nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-19.09 « wireguard: 0.0.20191226 -> 0.0.20200105 »: https://git.io/Jejw0
<{^_^}> [nixpkgs] @Ma27 merged pull request #77101 → wireguard: 0.0.20191226 -> 0.0.20200105 → https://git.io/JejaH
<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #77101 → wireguard: 0.0.20191226 -> 0.0.20200105 → https://git.io/JejaH


<{^_^}> [nixpkgs] @Ma27 pushed to master « wireguard-go: fix darwin build »: https://git.io/JejUO


<{^_^}> [nixpkgs] @Ma27 closed pull request #76882 → wireguard-tools: 1.0.20191226 -> 1.0.20200102 → https://git.io/Jexj0
<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #76882 → wireguard-tools: 1.0.20191226 -> 1.0.20200102 → https://git.io/Jexj0
<{^_^}> [nixpkgs] @Ma27 pushed to release-19.09 « wireguard-tools: 1.0.20191226 -> 1.0.20200102 »: https://git.io/Jexhi


<{^_^}> [nixpkgs] @Mic92 merged pull request #76722 → linuxPackagesFor: wireguard: respect supported kernel versions → https://git.io/JeA0W


<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #76722 → linuxPackagesFor: wireguard: respect supported kernel versions → https://git.io/JeA0W
<{^_^}> [nixpkgs] @Ma27 merged pull request #76578 → wireguard-tools 1.0.20191226 / wireguard 0.0.20191226 → https://git.io/JeNJV
<zx2c4> ma27[m]: hey hoping we can get that wireguard pr merged today


<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #76578 → Wireguard tools 1.0.20191226 → https://git.io/JeNJV


<gchristensen> diamondman: you might give it a try starting with a VM? :) but from a checkout of nixpkgs, try this: nix-build nixos/tests/wireguard/default.nix <- this will build a few NixOS systems, boot them in VMs, and verify the network and wireguard works correctly between them


<mrlizard> Ah.. it's wireguard issue.
<{^_^}> [nixpkgs] @jonringer pushed commit from @ivan to master « wireguard-tools: 0.0.20191212 -> 0.0.20191219 »: https://git.io/Je5zh
<{^_^}> [nixpkgs] @jonringer merged pull request #75920 → wireguard-tools: 0.0.20191212 -> 0.0.20191219 → https://git.io/Je5E9
<{^_^}> [nixpkgs] @ivan opened pull request #75920 → wireguard-tools: 0.0.20191212 -> 0.0.20191219 → https://git.io/Je5E9


<sshow> I am running a custom kernel (latest_hardened), but it does not seem to make a difference whether I include the wireguard kernel module explicitly or not
<sshow> Trying to set up a wireguard server. Unit-script fails with "fopen: No such file or directory". Any experience with this error?


<duairc> Great, they're just Ed25519 keys, I can reuse my terraform module that generates wireguard keys for this
<{^_^}> [nixpkgs] @Mic92 merged pull request #75565 → wireguard-tools: 0.0.20191127 -> 0.0.20191212 → https://git.io/JeHcx


<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #75565 → wireguard-tools: 0.0.20191127 -> 0.0.20191212 → https://git.io/JeHcx


<{^_^}> [nixpkgs] @Ma27 pushed to master « prometheus-wireguard-exporter: 3.2.1 -> 3.2.2 »: https://git.io/JeDrX


<{^_^}> [nixpkgs] @Mic92 pushed commit from @iclanzan to release-19.09 « Add iptables to wireguard-tools »: https://git.io/JeXQJ
<{^_^}> [nixpkgs] @Mic92 merged pull request #74390 → wireguard-tools: fix dependencies → https://git.io/JeXia


<{^_^}> [nixpkgs] @iclanzan opened pull request #74390 → Add iptables to wireguard-tools → https://git.io/JeXia
<{^_^}> [nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-19.09 « wireguard-tools: 0.0.20191012 -> 0.0.20191127 »: https://git.io/JeXgw
<{^_^}> [nixpkgs] @Ma27 merged pull request #74347 → wireguard-tools: 0.0.20191012 -> 0.0.20191127 → https://git.io/JeXzR
<{^_^}> [nixpkgs] @xwvvvvwx opened pull request #74347 → wireguard-tools: 0.0.20191012 -> 0.0.20191127 → https://git.io/JeXzR


<{^_^}> [nixpkgs] @fpletz closed pull request #60983 → wireguard: add 'namespace' option to set interface netns → https://git.io/JerE0
<{^_^}> [nixpkgs] @fpletz merged pull request #71510 → Add namespace support to Wireguard module → https://git.io/JeRId


<tilpner> infinisil: There are some efforts to add meshing to wireguard, but it doesn't do that on its own
<infinisil> tilpner: tinc vs wireguard?


<gyroninja> and then right after it there are logs about wireguard being loaded
<sphalerite> since wireguard is stateless
<gyroninja> Is there a way to make a service depend on wireguard being up?


<srid> Basically, I'd like to run VPN. But limited in scope only to a single process of the web browser (Google Chrome). I already use Wireguard, and have a remote peer, so I'd like to use that as my VPN server.
<srid> Could someone point me to their config of running containers declaratively, with wireguard tunnelling all traffic to some server (acting as vpn), and then launching google-chrome from the container, using the local X display?


<manveru> wedens[m]: i use krops+niv+wireguard to deploy all my machines


<dhess> I have a few that participate in a WireGuard network, and those need to have secrets deployed.


<laudecay> god i have to learn to reverse binaries and get my OSCP and contribute to wireguard and do work work stuff and read marx and practice cello and implement libc and aaaAAAAAAA
<laudecay> me too it's ok i'm writing wireguard's haskell impl


<gchristensen> grr I think adding NAT to my server for my wireguard VPN broke a bunch of other things on my host


<{^_^}> [nixpkgs] @nixos-channel-bot pushed commit from @Ma27 to nixos-19.09-small « wireguard-tools: 0.0.20190913 -> 0.0.20191012 »: https://git.io/Je0Zi
<{^_^}> [nixpkgs] @Ma27 pushed to release-19.09 « wireguard-tools: 0.0.20190913 -> 0.0.20191012 »: https://git.io/Je0Zi


<{^_^}> [nixpkgs] @globin merged pull request #71364 → wireguard-tools: 0.0.20190913 -> 0.0.20191012 → https://git.io/JeBWg
<yorick> I have a wireguard tunnel with an ipv6 address and allowedips=,::/0. ipv6 works but isn't the default anywhere. how do I make it prefer ipv6 over ipv4?


<{^_^}> [nixpkgs] @asymmetric opened pull request #71510 → Add namespace support to Wireguard module → https://git.io/JeRId


<{^_^}> [nixpkgs] @Ma27 opened pull request #71364 → wireguard-tools: 0.0.20190913 -> 0.0.20191012 → https://git.io/JeBWg


<ajs124> the fork has some support for modules. my project doesn't do that much. it just builds lineageos with wireguard and included google apps. also does over the air updates. but that's about it.


<{^_^}> [nixpkgs] @mmahut merged pull request #70361 → wireguard-go: 0.0.20190517 -> 0.0.20190908 → https://git.io/JecXq
<{^_^}> [nixpkgs] @marsam opened pull request #70361 → wireguard-go: 0.0.20190517 -> 0.0.20190908 → https://git.io/JecXq


<witchof0x20> I'm looking to encapsulate a service (transmission) so that it uses a vpn (wireguard) for communication. LXC seems like a good way to accomplish this. Is there a nice way to integrate the NixOS config of a LXC guest with the NixOS config of the host?


<emily> ah, you mean because of wireguard automation?
<ddellacosta> okay. I guess this is my fault because I'm not using the built-in wireguard...because it also doesn't allow me to configure things the way I want. Grr


<ivan> I'm trying to decide how to manage all my wireguard configuration
<{^_^}> [nixpkgs] @Ma27 pushed to release-19.09 « prometheus-wireguard-exporter: 3.1.0 -> 3.1.1 »: https://git.io/JeZ1o
<{^_^}> [nixpkgs] @Ma27 pushed to master « prometheus-wireguard-exporter: 3.1.0 -> 3.1.1 »: https://git.io/JeZ1C


<{^_^}> [nixpkgs] @Ma27 pushed to release-19.09 « prometheus-wireguard-exporter: 3.0.1 -> 3.1.0 »: https://git.io/JeGEX
<{^_^}> [nixpkgs] @Ma27 pushed to master « prometheus-wireguard-exporter: 3.0.1 -> 3.1.0 »: https://git.io/JeGEV
<clever> and bypasses having to reboot after the first deploy because wireguard can't modprobe


<ivan> tilpner: ethernet, loopback, wireguard


<Guest34> Seems like wireguard-go is no longer the recommended approach?
<Guest34> Anyone have any luck with wireguard?
<Guest29> Hi all, has anyone had any luck setting up wireguard? "wg-quick up mullvad-se4" seems to just stop all traffic


<gchristensen> I made this workaround to ensure all my wireguard peers are configured after boot: https://github.com/grahamc/nixos-config/blob/master/devices/petunia/wireguard-ensure.nix since our nscd configuration causes permanent resolution failures in early boot, causing wg to think the peer will never resolve


<Nyanloutre[m]> I have trouble using the wireguard tunnel as my default route
<Nyanloutre[m]> hello, does anyone have experience with Wireguard on NixOS?


<clever> it will deal with problems like wireguard never working on the first deploy, because you changed the kernel version


<ivan> I think ssh startup was waiting for crng init, but I also have wireguard


<ivan> Fare: I use a cgit running on a wireguard interface


<averell> i use them to give them their own network via wireguard (they can claim their own interface and move it into the container). pretty great.


<ryantrinkle> but i've got a wireguard service, which doesn't come up until it has network access


<ivan> on a host behind my wireguard but my hydra and nix-serve are unaltered


<{^_^}> #66689 (by ryantrinkle, 1 week ago, open): wireguard: allow routes to overlap with other routes


<{^_^}> [nixpkgs] @NinjaTrappeur closed pull request #64040 → systemd-networkd: Add wireguard-related options. → https://git.io/fjK82


<asymmetric> I tried a search for wireguard but only results from nixpkgs turned out