ben71: if you have kernel > 5.6, it's easier to use wireguard for 1:1 vpn, but if you want the connection between multiple peers, openvpn can save you some configuration.
have another (verified) box connect to GP and then let us wireguard to that box
still not managed to convince IT to setup a wireguard server for us
research on ssh issue didn't come up with much. Probably should just get wireguard going and then I won't care.
hmm I wanted to run an NFS share over wireguard, but even though nfs4 doesn't require rpcbind it will always get started on both server and client (and always listens on 0.0.0.0?)
asymmetric: if your remote user on wireguard-gateway is foo and your local user on localhost is bar, bar needs to be trusted by localhost, and foo needs to be trusted by wireguard-gateway
Okay there we go somehow missing the closures for the wireguard device package. Grumble.
even after you run modprobe wireguard on the host?
mewra: Yeah that's what I thought. Probably need to fiddle some more as my container gives off an error device not found/unknown when I try a `ip link add dev wg0 type wireguard`
aleph-: the container won't be able to modprobe/insmod wireguard anyway
gchristensen: Yeah the root issue is I'm trying to get wireguard working in a container. Which given I'm stuck on 5.4~ in the container means I'm missing the kernel driver. Might just override the module def for containers and include the wg driver that way.
so wireguard at the other end discards the packet as having an incorrect src
whenever i add more than one subnet to wireguard.interfaces.wg0.ips, one of them takes over, meaning taking over the src ip on all other wireguard subnets
has anyone successfully configured more than one wireguard vpn using the wireguard module?
Hmm, what would be the proper way to generate a wireguard interface and import it into a nixOS container?
Anyone has a config for wireguard in a network namespace? (bonus points if it includes systemd service that uses that namespace)
Trying to build a setup with wireguard I get the following output. Not sure why?
Hmm, question does anyone use nixOS containers with wireguard interfaces as the network interface?
wireguard-tools doesn't package up the contrib folder
So if I wanted to find the path of the wireguard-tools I'm using now
if wireguard is configured through NixOS, the configuration will be read-only
and a peer outside that loses connection each day because wireguard doesn't refresh its endpoint once resolved
I have a wireguard server running at home behind DDNS
hello -- does anyone know anything about configuring wireguard interfaces? i added a bunch of configurations and i would like units for them to be generated, however they seem to be enabled by default which i would like to avoid
hyper_ch: because wireguard is now part of linux itself, and you don't need extraModulePackages anymore!
To one that has wireguard built in and/or doesn't have a corresponding linuxPackages_5_x.wireguard
and before I tried this # boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ];
So does Innernet just use wireguard clients? So does that mean that I just need a wireguard client on my phone?
gchristensen: Man, Tailscale is great. I tried to do my own thing with Wireguard, but it's just impossible, because DNS on Android is basically unconfigurable.
you can stop the wireguard service, right?
Specifically, I have a wireguard VPN set up and when that server is down I can't even rebuild to kill the VPN as it needs to download the binaries.
nicolas[m], srhb: well, that worked (i have also run nixos-rebuild switch and then needed to kill some pending wireguard-go instance that i experimented with before)
clime: Okay, then you'll need something like what the wireguard module does; boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
srhb: i have a client config file that i copied into /etc/wireguard/wg0.conf. Normally I should be able to just run `wg-quick up wg0` but i can't right now because the wireguard kernel module is not loaded
srhb: i tried to make wireguard work on NixOS VERSION="20.09.3341.df8e3bd1109 (Nightingale)"
clime: Why aren't you using the wireguard nixos modules?
srhb: tried to make wireguard kernel module load that I found in some extras path under /nix/store but it isn't available under /run/current-system/kernel-modules/lib/modules/5.4.100 where modprobe looks by default
well, i didn't make it work (wireguard), because insmod gives some unknown symbol error.
so I guess I need to modprobe that to fix: modprobe: FATAL: Module wireguard not found in directory /run/current-system/kernel-modules/lib/modules/5.4.100
can you even make wireguard work on NixOS? It requires kernel 5.6 for the new wireguard kernel module but I just updated all the packages and got kernel 5.4.100
hey, anyone using wireguard on NixOS? I have a client config file and I would like to use it to setup wg quick systemd service. There is no /etc/wireguard directory like e.g. on Fedora, however.
does it depend on me adding wireguard to boot.kernelPackages
and also, the kernel in /run/current-system doesn't have the wireguard module either, not sure why
hey, i am a bit confused by the fact that a server i'm managing can't seem to load the wireguard module
but like wireguard, the services have to restart in the right order, and i never got it right
gchristensen: yeah, but it could use some touch-ups, based on your wireguard stuff
[nixos-org-configurations] @rbvermaa pushed to master « Add macofborg1 to wireguard »: https://git.io/Jt9v8
any idea why on Raspberry pi 4 when creating a wireguard service, after rebooting the wlan0 interface does not show up?
any idea why after activating wireguard on my raspberry pi 4
with wireguard, the AllowedIPs for a remote host are punned to be the routes used for outgoing traffic
Probably... I'll go see if the #wireguard people can help
ambroisie, weird. I'm not familiar with wireguard specifically, but normally a VPN needs to replace the default route to send traffic down the tunnel.
lordcirth: but when I am using wireguard on another server (which *does* allow me to connect to the internet) I do not see any difference on the phone
So no, there's no route for wireguard
Hey people, I'm trying to set up Wireguard as a VPN provider on my server
tbh i think i'm shoehorning here, i was trying to have wireguard attributes set, but now i'm trying a different approach
Might be wireguard's looking at some header that's not there on that kernel
No idea though, never used wireguard sorry
yeah wireguard comes in the 5.6 kernel drozdziak1
isn't wireguard only on some 5.x version and above?
(issues = it won't build because of a C build error in the wireguard build)
Has anyone else experienced issues with linuxPackages_4_14 and wireguard?
matthewcroughan5: and can be configured to route domains through wireguard and certain packages
matthewcroughan5: I use systemd-resolved and systemd-networkd for the wireguard stuff, more configuration to write but it works
if I do `networking.wg-quick.interfaces.dns = [ "192.168.4.1" ]` yeah, it'll use my server's dnsmasq, totally, great now I can have my remote server services available via wireguard. Problem, OOPS, can't get to nasa.astral now, because now the LAN DNS isn't in use anymore. Solution? Dnsmasq running on all devices. There must be a better way?
does anyone actually know how to solve the problem I proposed earlier with wireguard?
Thanks! Now my VPS works as an IPv6 tunnel with Wireguard
#52411 (by anderspapitto, 2 years ago, closed): Support network-namespace based wireguard vpn setup [feature request]
Anyone around that could answer: say I had machines A and B, where A has wg0 and wg1 that both connect to B's wg0 with the same wireguard address, is that a valid network setup, and if so how would it route things?
Been trying to get forwarding working with v6 over wireguard, having a nightmare, I thought this would be easy...
#51258 (by tmplt, 2 years ago, closed): wireguard: unable to route all traffic through interface
(well wg-quick is just a wireguard wrapper of sorts)
And I'm also using wg-quick, not wireguard
im trying to set up a wireguard VPN on a nixos server. when i set the AllowedIPs to the server private IP, i can ping, but when i change to 0.0.0.0/0 (route all traffic), the connection dies. is my config missing something? https://paste.ee/p/OSto0
I'm not sure how I could make it work with wireguard on its own, but wg-quick takes care of it automatically
bqv: For me, wireguard on its own doesn't work, because I want to route all my traffic through the server
bqv: But like for nixus, I don't think it makes sense to support both wg-quick and wireguard, when the former seems to be just a strict superset in functionality
infinisil: wow, I think you can legit just replace wg-quick with wireguard and it should still work. I'm very confused why there are two structurally isomorphic ways to do the same thing, at least in nixpkgs
Tried wireguard with networkmanager, but it seems network-manager is too old for it. nm-applet doesn't offer the connection for connection tries.
Hi, is `networking.wireguard.enable` meant for wireguard as server or client or both?
lassulus: thank you .. I have moved to unstable, services.syncthing.openDefaultPorts seems not to affect iptables-save and syncthing connections being refused, may I ask for a snippet of a working syncthing configuration (I need to revert my wireguard to test, else I am completely vanilla 5.4.83 NixOS x86_64 GNU/Linux)
lassulus: Thank you, it is a good way to go. I wanted to avoid tunneling (have a wireguard subnet to use in due course) and seeing the syncthing service hard coded to localhost it is a bit of learning for me to find out how to generate the service file 'correctly' with Nix. [It is the first of a set of machines to be used this way moving away from debootstrap.]
[nixos-org-configurations] @rbvermaa pushed to master « Remove mac9, is dead. Add wireguard public keys and IPs for new mac mini's (m1). »: https://git.io/JLHAe
[nixos-org-configurations] @rbvermaa pushed to master « Update mac1 public wireguard key »: https://git.io/JL9ea
I really like wireguard as vpn meanwhile
e.g. the standard wireguard setup of having ethernet/wifi in netns "physical"
pinpox: yep! I'd suggest prefixing all of your options in custom modules with your own namespace, e.g. pinpox.wireguard.publicKey, to avoid collisions with potential other modules. Not that a wireguard module is likely to be introduced at the top level in nixpkgs, but who knows :)
let's say I add an option called "publickey" in a wireguard module I put in common/wireguard.nix. How do I set the option to "something" in configuration.nix?
oh ok. So I could define options as well? That would be nice for something like wireguard, where the only thing I would want to change is the public key
Maybe I should just scrap this, and just WireGuard it.
andi-: surely there is a way of having a wireguard interface which is down on build?
Does anyone know how to create wireguard interfaces, but have them start down? (I use networkd)
anyone here using wireguard in a network namespace? I've spent 8hrs or so trying to get things working in the past couple days, but I think I'm in over my head
Keij0: wireguard works on some BSD's
but idk if pfSense supports wireguard since it's BSD-based
yeah, we switched to wireguard and the skies opened and the angels sang
Wireguard is the future
xenophile: it looks like windscribe has wireguard support which you can use on nixos via wg-quick
my nfs.server and a wireguard tunnel failed to load, rest looks ok at first glance
sphalerite i removed wireguard from there and only left ddci-driver but getting same error for some reason, it seems like extraModulePackage doesn't exist anymore or something
and you'll have your wireguard support already shipped in the kernel.
sphalerite yes i always did because i want to add ddci and wireguard packages
when is the 20.09 channel going to update with the wireguard fix
[nixpkgs] @dasJ closed pull request #103451 → wireguard: Fix building on Linux 4.5.76+ → https://git.io/JkIx9
#103451 (by dasJ, 15 seconds ago, open): wireguard: Fix building on Linux 4.5.76+
[nixpkgs] @dasJ opened pull request #103451 → wireguard: Fix building on Linux 4.5.76+ → https://git.io/JkIx9
if you try wireguard on mobile or something like this
did this commercial VPN already work before with WireGuard?
exarkun: and on the wireguard layer?
the return traffic appears to be wireguard keepalives
imperative wg-quick could be used for debug, but I have some large WireGuard setup in NixOS (20.03 and beyond) and they're working quite well
beats me, I've never tried setting up wireguard on any other OS
What should I dump with it? traffic on the wireguard interface? traffic on the uplink interface?
Raito_Bezarius: I have no idea if it has anything to do with NixOS either but #wireguard hasn't been able to help so far either
having lots of trouble getting wireguard working on nixos
exarkun: I don't know about the container part, but for the interface part the wireguard module has support for the net namespace isolation described at the end of https://www.wireguard.com/netns/
Anyone have any guides for running a nixos container with only a wireguard-supplied interface for its network?
I have a directory /secrets that's only visible to root, with subdirectories for each module (wireguard, openssh, etc), and write their private data in there
just type in wireguard
Trying to list the options, e.g. for wireguard
Hi, general question from a NixOS newbie: How do you deal with secrets in general when using nixOS? e.g. I've added my wireguard setup in the configuration.nix, the secret key is read from /etc/wireguard/privatekey. Where would you store that key savely so it will be placed there when putting my configuration.nix on a different machine? Same thing for SSH private keys or credentials for
tobiasBora: but some systemd services like wireguard will force a `modprobe wg` before starting the service
If I allow 0.0.0.0/0 for wireguard, then that means that everything is routed through there
cole-h: Hi, my bad, sorry, turns out it was wireguard being smart.
I think it's not wireguard itself, but I have a daemon adding a default route for every interface
How do I make wireguard *not* setup a default route?
lucus16: currently there's 11 people in the list... also those 11 get vpn connections with wireguard etc..... so I have a separate secrets.nix that is imported on top of the configuration nix and in that secrets.nix I have all the individual data setup.... so I can make the list there and then just use it
no, those are not users.users.... they just access via samba authenticated by ip through wireguard... not actual system users
iqubic: turns out "which computers can see each other over my network" is rapidly evolving right now due to things like wireguard replacing old tech
are there any example out-of-tree modules built for nixos? I found wireguard but their makefiles do a lot more that I expected
hyper_ch: nah 😂, I was saying that it worked on my phone but didn't work on my desktop system running nixos (suggesting that the problem is not linked to my wireguard configuration file or server)
#52411 (by anderspapitto, 1 year ago, open): Support network-namespace based wireguard vpn setup [feature request]
after rereading your message, I guess the correct message would be, what are the open issues regarding wireguard? #51258 seems interesting
There's many open issues regarding Wireguard on NixOS. If you tunnel your entire traffic through Wireguard then it doesn't work AFAIK
I'm not using nixos' builtin wireguard support, just `wg-quick` directly from the command line and have nothing in my network settings
Hi, I've been trying to connect to a wireguard server, but when I run `sudo wg-quick up ./config.conf`, I lose internet connectivity and nothing works. I have to disable wireguard for my internet to work again. I believe this failure is linked to nixos because out of my 2 attempts to get wireguard to work on this nixos system, none of them have worked and I've been able to connect with the exact same wireguard
Hi, I just set up wireguard on nixos with wg-quick, I was wondering how can I do the equivalent of `wg-quick down wg0` ?
I couldn't really figure out a Wireguard configuration, especially with split tunneling.
wireguard is connectionless and will retry after 5 seconds or so
mullvad has wireguard endpoints, you could just use those instead
same with wireguard as well, if you configure it, is it still advised to explicitely install in ?
yay for wireguard and ssh :)
Hi! I've just started using NixOS and there are some cases where I don't want to start services automatically but rather run systemctl start service. How is that usually handled? My specific use cases are for docker and wireguard.
postgres isn't ordered after the wireguard interface...
which service definition? that of the wireguard interface?
I noticed that when I do nixos-rebuild switch manually, afterwards my wireguard link doesn't work any more. restarting the wg0 interface fixes that
jneplokh: here's my guess. You should be specifying "ens3" instead of "eth0" in the networking.nat.externalInterface line in that wiki article. The same goes for those "iptables" lines in the postSetup and postShutdown sections. Change all instances of "eth0" in your wireguard config for "ens3".
jneplokh: well, your server has several network interfaces. "wg0" is your wireguard interface, "lo" is your loopback interface. If your server is connected to the Internet via an ethernet interface, you should have one of those too, although the name is hard for me to predict.
jneplokh: fire up "tcpdump -ni wg0" on your server and see if it sees the ping 220.127.116.11 packets come in on the Wireguard interface
infinisil: The client I am currently using is not running NixOS, so I am just configuring Wireguard through the app
jneplokh: so you've got a central server, connected to the Internet, running NixOS. You want to connect from a client, over the Internet using Wireguard as a VPN, and route traffic from your client, through the VPN, to the server and then out to the Internet?
jneplokh: can you describe what you're trying to achieve with wireguard?
Henson: Sorry, just a little confused. Do you mean from my "client" if I can ping the server? If so, I can ping the local IP for the wireguard interface
jneplokh: are you able to ping from the client to the server on the wireguard interface?
Hey everyone, I am trying to setup Wireguard as a "server"/forward all traffic like a VPN on a NixOS machine using the instructions here: https://nixos.wiki/wiki/Wireguard but am having issues with reaching the internet.
hmm, i want to set up wireguard to connect to a vpn
actually it seems like it tries to pull in all the firmwares, nvidia-x11, amdgpu, ati-drivers, wireguard etc
well you can run wireguard right now if you want! i ran 5.6 on stable 20.03 for a while (until an issue with rt-patch and zfs kicked me off)
somebody wants wireguard :)
I'm trying to set up a wireguard vpn tunnel. The link seems to work, I'm routing outgoing traffic through my other server now, but now I'd like to forward some external ports to the machine, but that doesn't seem to work. Could anybody help me here?
sphalerite: I checked: command not found: tinc, command not found: wireguard
magnetophon: you can build one yourself (if you have a server with a public IP somewhere) using tinc or wireguard, which are slightly more involved options, or use a service like zerotier or… I forgot the name of the other one I had in mind
in wireguard, there are no clients or servers, only peers
I'm trying out wireguard for the first time. I'll be grateful if anyone could share example configs.
energizer: One could also mitigate a bunch of security vulnerabilities by only allowing clients to access Nextcloud through a Wireguard tunnel
We just run two instances of chrome with separate data directories, so one instance runs inside a network namespace under wireguard, and connects to the self hosted one, while the regular chrome instance doesn't run under wireguard and connects to the public bitwarden
Provided you are using SSL, you shouldn't need a VPN to secure stuff - although you will need it if you want to enforce any kind of IP whitelisting (we use wireguard for the hosted instance, so only people on the company VPN can connect to it)
quinn: I suggest to give wireguard a try...
also you might be able to set the bind address to the wg address rather than 0.0.0.0. if you run wireguard and `ip a` that should tell you. no promises though
and wireguard is simple to setup and has almost no overhead
wg is the wireguard interface
samba server and wireguard server are on the same physical box
energizer: where 10.10.20.0/24 is the wireguard vpn subnet that I use
energizer: I use samba instead of nfs and I just only allow connections from predefined ip addresses (which are all wireguard vpn addresses where the same server is also the wireguard server)
Hi! I set up NixOS on my main machine a few weeks ago and I’m having trouble using WireGuard. I can set up my config using wg-quick and everything, but DNS resolution seems to fail afterwards and internet access fails. I’m using networkmanager and haven’t messed with the network setup otherwise. Can anyone help me understand what’s going wrong?
I'm using resolvconf for /etc/resolv.conf since WireGuard depends on itorres
gchristensen: ive tried removing that, and making one systemd service per block-dev, but its got some bugs, and your wireguard changes kind of fit the same style i was aiming for
Systemctl stop wireguard-wg0
i have a wireguard vpn, and i'm aware that networking.wireguard.interfaces exists
yup, I have physical access and access through wireguard
can anyone help me to set up wireguard?
[nixpkgs] @Ma27 pushed to release-20.03 « wireguard-go: keep `$bin/bin/wireguard` for backwards-compat »: https://git.io/JfaVO
[nixpkgs] @Ma27 pushed to release-20.03 « wireguard-go: fix executable name »: https://git.io/Jfaan
So I'm trying out NixOS right now, and I want to store a secret (WireGuard Private Key) declaratively. Putting it in /etc/nixos/ seems like a bad idea, but the issue for storing secrets is still open (#24288).
[nixpkgs] @Ma27 opened pull request #88610 → wireguard-go: fix executable name → https://git.io/Jf2Pw
Hi, im struggling to get wireguard running.... modprobe: FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/5.4.41
anyone using wireguard? i'm a nixos/linux noob and i'm having troubles setting it up the way i want it to... i've got a wg0.conf file that i'd like to use, but installing the wg-quick package and doing "wg-quick up wg0 " doesn't seem to work (can't reach any websites). i then tried using the "networking.wg-quick.interfaces.*" nixos option and while it does work, it creates a systemd service that starts on boot and i'd much
cole-h: I've tried disabling my install of inetutils since a grep of nixpkgs showed that it had a dependency on help2man, and the wireguard kernel module I had enabled, but no dice so far
clever: but what if, conf A does not include WireGuard, but conf A' includes WireGuard
and then you immediately have to reboot, because the kernel is old and can't load the wireguard driver
currently, you would boot an old nixos from an AMI image, and deploy your full config with wireguard
I have seen that the current nixops does not know when to reboot apparently with respect to wireguard
to do it "securely", you would want to copy-closure the wireguard binary to the remote machines, and run the keygen commands over ssh, storing the secret remotely, and public in the nixops state
that reminds me, i was thinking about how wireguard would work in nixops
but automagic WireGuard is going to be such a killer-feature
but I'd love to contribute to nixops-encrypted-links for WireGuard
nothing that fancy :P ; but for some work, they didn't have proper private networking, so I tried to write something that put WireGuard as private networking layer with minimal assumptions and hardcoding
recently, I used nixops+nixos qemu a lot, it works pretty great, I've written some basic wireguard layer and it enables testing small infrastructure quite easily
[nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-20.03 « wireguard-compat: 1.0.20200413 -> 1.0.20200426 »: https://git.io/JfqlF
immae: E.g. my wireguard config references /nix/store/vjy7xbjqdx0pw0wxjijlgy0a4gkfmjqx-secret-client-private, which is a symlink to /var/keys/client-private, but the hash of the secret is incorporated into the hash of the /nix/store path
It's because the module defaults to wireguard-cli
Kyndig: As a hint, I tested out not just `wireguard-tools`, but /nix/store/7l4j4671x81k7w520mqj5m1sgr7pij6h-wireguard-tools-0.0.20190123, and I didn't build it myself, but summoned it from cache.
not for wireguard
Kyndig: The package named `wireguard-tools` can be built and installed regardless of whether the running kernel supports it.
wireguard is an example
When I manually use wg-quick to manage the wireguard connection, I found that the network.firewall of nixos will cause the wg-quick connection to fail
I'm having trouble figuring out how to debug wireguard when I don't control the server, like with hosted VPNs. when I enable the interface in systemd the connection just stops working. :)
i'm using wireguard now
hello, have any of you set up a wireguard vpn lately? perhaps ideally/specifically with mullvad?
why does this give an error with current unstable: boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ]; --> error: The option value `boot.extraModulePackages.[definition 1-entry 1]' in `/etc/nixos/hardware-configuration.nix' is not of type `package'.
[nixpkgs] @Ma27 pushed commit from @xwvvvvwx to release-19.09 « linuxPackagesFor: wireguard: noop for kernel >= 5.6 »: https://git.io/Jvp3m
internet --- zeta --- delta . Zeta has two IPs, both publicly reachable, and is wireguard connected to delta (10.0.0.3). I'd like the internet to be able to use zeta's second IP to talk to delta, but also to be able to talk directly to delta at 10.0.0.3
but I'd also like to be able to talk to that wireguard IP directly (from the server)
I'm trying to NAT all traffic from my server's second IP to a wireguard-linked IP
notgne2: Ah yes. Is it that wireguard got upstreamed?
bqv[m]: Do you happen to know if wireguard can be used as a client to connect to openvpn? Kinda curious because I have an openvpn config currently to use my work's VPN but it would be interesting to see if I'd even get any performance boost at all from wireguard
just as i get the super speed boost of switching from tinc to wireguard as well
I guess tinc upgrades to p2p tunnels when it can, but wireguard won't do that
I'll shill one last time, but that's pretty much exactly what tailscale does - builds a mesh VPN out of wireguard tunnels. Also features NAT traversal and TCP fallback, which plain wireguard doesn't offer
(i'm basically trying to replace my tinc mesh with wireguard