<edef>
sphalerite: even setting wireguard to null there doesn't cause any errors
<sphalerite>
edef: I think it'd be a matter of making an overlay that looks something like self: super: {linuxPackagesFor = kernel: let superLinuxPackages = super.linuxPackagesFor kernel; in superLinuxPackages // { wireguard = superLinuxPackages.wireguard.override {…}; }
<edef>
sphalerite: out-of-tree, i'm hacking on wireguard and want to override it with my own source/patches
2018-12-07
<{^_^}>
[nixpkgs] @c0bw3b merged pull request #50809 → wireguard: don't modprobe if boot.isContainer is set → https://git.io/fpWzz
2018-11-22
<aswanson>
srhb: I just followed what I've seen in the nixos.wiki and a few other guides I've found for wireguard. Just about everything I've seen has included the /24, with a /32 for the peer allowed ips on the server
<aswanson>
srhb: The server is functioning fine with my smartphone of all things but I can't get wireguard on nixos to send all traffic through wireguard
<srhb>
aswanson: Not sure I completely understand the question. I have a NixOS client that tunnels all traffic through wireguard... Is that what you're asking about?
<aswanson>
anyone gotten a wireguard tunnel that routes all traffic through a vps with a nixos client? I can get it working when I restrict the client's peer ip address but nothing makes it to the external interface when I open it up to `0.0.0.0/0` as outlined in the nixos wiki
<{^_^}>
[nixpkgs] @sorki opened pull request #50809 → wireguard: don't modprobe if boot.isContainer is set → https://git.io/fpWzz
2018-11-18
<aswanson>
I've been trying to get wireguard working for a while and feel like I'm missing something crucial with how NAT works on nixos. The nixos wiki says it should be enough to just enable NAT and specify the external interface and internal wireguard interface but I don't see any sort of NAT chains in iptables after running nixos-rebuild
2018-11-15
<v0|d>
aswanson: do you have wireguard package in systemPackages?
<aswanson>
anyone running wireguard on their nixos instance? I'm trying to get it running and the service fails to start after nixos-rebuild. The journal says modprobe can't find the wireguard module
2018-11-10
<ivan>
oops I did a nixos-rebuild switch --upgrade on a remote machine (incl a kernel upgrade) and that somehow took down wireguard and didn't bring it back up again
2018-11-04
<Mic92>
openvpn, tinc, wireguard seems to be popular choices
2018-10-29
<cransom>
disasm: well, it works-ish. the things that don't (wireguard, didn't look into that further) and v6 prefix delegation (I had manual set things for that in dhcpcd.conf, so i didn't expect that to work out of box). but otherwise, it did all the vlan interfaces and routing properly. so far as i can tell right now
<joko>
Does anyone know if it is possible to define a network in systemd-networkd to be manually enabled? I would like to setup wireguard as a client and I would like to be able to manual enable it
2018-10-17
<ivan>
do you need this cisco system involved? if not you can set up tunnels with wireguard
<hyper_ch2>
weird... just rebooted office server after upgrading.... it did reboot, I unlocked it remotely.... it auto-started the running VMs... . I can access the VMs just fine but I can't access the host server anymore... not through vpn (openvpn and wireguard) and not through ssh
2018-10-03
<{^_^}>
[nixpkgs] @Mic92 pushed commit from @r-ryantm to release-18.09 « wireguard-tools: 0.0.20180918 -> 0.0.20180925 »: https://git.io/fxINm
<c15ade4>
elvishjerricco: thats awesome, I have just setup wireguard but have the problem of a pointless roundtrip when I am at home
2018-08-28
<seku>
ofc. just curious why wireguard went for ChaCha20 instead of AES
2018-08-27
<yorick>
gchristensen: the wireguard job is a oneshot, so it can't restart
<yorick>
gchristensen: so I'm setting up wireguard, but if it fails (dns failure or systemd weirdness), then we can't reach the thing and need to get physical access
<srk>
yorick: I'm about to try wireguard, looks nice
<ekleog>
yeah, wireguard is among my list of things to try someday
* etu
is planning to use wireguard in the future for his private use anyways
2018-08-24
<yorick>
Mic92: oh, that means that the wireguard private key ends up in the nix store
<yorick>
wireguard failure means we have to get a plane ticket to fix the device, sadly
<Mic92>
yorick: I think if you don't have dhcp then it would stop after configuring the device. The bigger problem I see is this privateKeyFile thing. I think for the meantime it would be better to just add wireguard support to networkd itself.
<arianvp>
would really make using networkd to setup wireguard optional preferably
<yorick>
Mic92: what do you think of the wireguard PR that turns it into a networkd thing?
<{^_^}>
[nixpkgs] @yorickvP opened pull request #45569 → wireguard: change preStop to postStop, require network.target → https://git.io/fAtue
2018-08-23
<Watcher7>
My current NOS of choice lacks wireguard support, so I plan on sticking NixOS in front of it in the meantime.
<Watcher7>
Also potentially using it as a wireguard appliance to replace some of my IPSec tunnels.
2018-08-22
<octe>
My /nix is ~14GB after running "nix-collect-garbage -d" on a pretty small server installation (nginx, wireguard, nodejs). Is this normal?
<hyper_ch2>
ha, finally figured out how I can route all my traffic from my droid through wireguard vpn through my home server and also use hotspot functionality so that all tethered devices also route through the vpn
2018-08-20
<{^_^}>
[nixpkgs] @dguibert opened pull request #45392 → wireguard via sytemd netlink → https://git.io/fAfSq
2018-08-18
<inquisitiv3>
What Wireguard derivation should one install? I get several matches when I search with `nix search wireguard`. The two last hits seem promising (`nixpkgs.wireguard` and `nixpkgs.linuxPackages.wireguard`), but I'm not sure which of them I should install.
<tobiasBora>
clever: storing a list of client/key in a sql database populated by a web app, and I'd like to use this database to re-generate the configuration of wireguard.
<dhess>
tobiasBora: I had assumed all you wanted to do from the web app was add Wireguard public (client) keys to a list of all client keys. If you want to generate more complicated config, then that gets way more dangerous.
<tobiasBora>
dhess: ok thank you! I'm not sure to understand why I need the import statement though... the web app will never change any nix file then, so I don't see how it could raise a type error in case of a malicious attacker that tries to trick the generated file. What you mean is to write in nix a code that parse the file and generate a well-typed list right to provide the wireguard configuration right?
<dhess>
tobiasBora: if you're super careful, you could do something like this: in your /etc/nixos/configuration.nix file, add an "import" statement that reads a list of Wireguard public keys from a file that is generated by your web app, and then use the result of that import as the list of client public keys in the configuration.nix file
<tobiasBora>
I'd like to configure an http front-end to add client keys to the configuration file of the vpn-like tool wireguard. However, as far as I can say, wireguard cannot deal with sql databases, so I was wondering how I could deal with a configuration file that could be changed by an http server… The only solution I see for now would be to ask to the server to modify on the go the nix configuration file and run
2018-08-09
<sigtrm>
But for the rpi I really wanted something that used musl, and both Alpine and Void supports wireguard on aarch64, just couldn't get it working
<__monty__>
sigtrm: I think I have wireguard working on arch. Can't remember any difficulty.
<sigtrm>
If this works now then I am basically on distro nr 4 and finally gotten wireguard working
<sigtrm>
So I don't need to add wireguard to systemPackages and extraModulePackages?
<makefu>
i have wireguard running, however i am on the stable channel
<symphorien>
hum there is no wireguard nixos test
<clever>
symphorien: is wireguard still in extraModulePackages?
<sigtrm>
modprobe: FATAL: Module wireguard not found in directory /run/booted-system/kernel-modules/lib/modules/4.15.12
<clever>
sigtrm: thats from march and it lacks wireguard-tools, you need to `sudo nix-channel --update`, which will update the versions for everything
<clever>
sigtrm: did you add wireguard-tools to your configuration.nix?
<sigtrm>
Anyone know why I am getting this? "attribute 'wireguard-tools' missing, at /etc/nixos/configuration.nix:52:5"
2018-08-08
<{^_^}>
[nixpkgs] @xeji pushed commit from @dywedir to master « wireguard: 0.0.20180708 -> 0.0.20180802 (#44490) »: https://git.io/fN9Rq
<kisik21>
Probably Alpine didn't have a wireguard module built for linux-rpi
<sigtrm>
Thank you, with Alpine they had wireguard with official aarch64 support but for some reason it didn't support the rpi kernel, only the vanilla kernel
<kisik21>
sigtrm: I think NixOS could handle it. It handles wireguard, from what I know. Saw some options in configuration.nix
<sigtrm>
Quick question, does anyone know if you can run nixos on an rpi 3 and have wireguard running on it? I have tried several distros on my rpi 3 and they mostly fail with wireguard so I'd like to know if anyone had any success with it
<colemickens>
But boot.kernelModules = ["wireguard"]; doesn't seem to help...
<colemickens>
When I enable a wireguard interface in configuration.nix, the right thing happens.
2018-07-08
<bpye>
It would be nice if NixOS had better support for running things in namespaces, I know there is the containers support but the NAT support seemed to blow up when combined with Wireguard :(
<BlessJah>
Does anyone here use wireguard with wg-quick or improved rule-based routing (one that uses fwmark)? It doesn't work for me when fwmark is used and firewall is enabled (?)
2018-05-28
<{^_^}>
[nixpkgs] @xeji pushed commit from @r-ryantm to master « wireguard: 0.0.20180519 -> 0.0.20180524 (#41031) »: https://git.io/vhYZ5
<{^_^}>
[nixpkgs] @kirelagin opened pull request #40758 → wireguard-go: init at 0.0.20180514 → https://git.io/vpp9a
2018-05-18
<{^_^}>
[nixpkgs] @kirelagin opened pull request #40744 → WireGuard: Make tools available on other platforms → https://git.io/vpp0h
2018-05-12
<__monty__>
All I did was nix-shell -p rustup cargo, rustup default nightly, cargo install wireguard-p2p. Now I've cloned bulletinboard-dht and am running cargo build --release in the repo because the readme said it was needed but it's not a dependency and cargo install couldn't find it.
<__monty__>
Wireguard-p2p requires nightly according to the readme and depends on bulletinboard-dht which has a deb and an rpm (and cargo build --release but not cargo install).
<ghostyy>
have any of you guys gotten wireguard working in nixos
<ghostyy>
specifically i dont want my wireguard private keys in my configuration.nix
2018-04-22
<{^_^}>
[nixpkgs] @thoughtpolice pushed commit from @abbradar to master « wireguard service: use scripts instead of ExecStarts/Stops »: https://git.io/vpOgO
<{^_^}>
[nixpkgs] @thoughtpolice merged pull request #38333 → wireguard service: use scripts instead of ExecStarts/Stops → https://git.io/vxie3
2018-04-09
<Guest29>
Anyone use Wireguard? I've followed the Nixos Wiki, but cannot seem to get it working for the life of me.
2018-04-02
<{^_^}>
[nixpkgs] @abbradar opened pull request #38333 → wireguard service: use scripts instead of ExecStarts/Stops → https://git.io/vxie3
2018-03-27
<srhb>
Phew.. Finally got some workable wireguard rules up. I wish I could just stick all my regular interfaces in a different namespace and hide them away from my user.
<srhb>
Huh, the wireguard module is really weird. It appears to add a default route just fine, but then there's no route to reach the actual wireguard endpoint via some other means. How does that make sense?
<srhb>
hyper_ch: Did you use wireguard?
<srhb>
Anyone with wireguard experience on? I'm trying it out for the first time, and it looks from wg show like I'm connected (handshakes and transfer look alive) but I can't ping anything at all. allowed ips is 0.0.0.0/0. Any clues to how I might debug this?
2018-03-12
<{^_^}>
→ a0cc592c by @jfrankenau: wireguard: 0.0.20180218 -> 0.0.20180304
<disasm>
gchristensen, clever: I'm praying we don't have any power outages in the next week... I made a number of commits to my home network repo that weren't pushed after my last rsync on my laptop before I took it in for repairs. Not the end of the world, but got to reconstruct in my head everything I did since then if I have to redeploy to copy the keys back up for wireguard.
<makefu>
regarding gsoc, weirdly enough wireguard was chosen for a gsoc project. however what jason (main dev) did was mainly linking to the wireguard todo list ( https://www.wireguard.com/gsoc/ ).
<dhess>
yay, wireguard issue resolved.
<makefu>
hyper_ch2: right now you have a script which starts the wireguard services if they crash via your script. however you could use systemd features to keep the service running instead. this is what i mean
<makefu>
wireguard-<interfacename>.service
<dhess>
hyper_ch2: OK, and are you using any IPv6 addrs with the WireGuard interface?
<dhess>
hyper_ch2: Are you using NixOps to deploy the WireGuard private keys or pre-shared keys, by any chance?
<dhess>
anyone around who uses WireGuard with NixOS?
2018-02-13
<hyper_ch2>
sphalerite_: also tried wireguard?
2018-02-05
<NixOS_GitHub>
nixpkgs/release-17.09 4670974 Jason A. Donenfeld: wireguard: 0.0.20180118 -> 0.0.20180202...
<NixOS_GitHub>
nixpkgs/master ca78dc1 Jason A. Donenfeld: wireguard: 0.0.20180118 -> 0.0.20180202
<concatime>
"the wireguard kernel module was not installed correctly"
<hyper_ch>
you could also add wireguard to the list of installed packages and try to run their config with wg-quick but never tried and it seems bothersome
<concatime>
I have an account with Mullvad which provides WireGuard support. How to use it on NixOS?
<fpletz>
arianvp: don't use linuxPackages.wireguard, just wireguard for the cli tool
<arianvp>
I want to install the wireguard tools, but it either installs the wireguard module or the wireguard tools depending on `kernel == null`
2018-01-02
<hyper_ch>
makefu: I think I was in #wireguard before you :)
<makefu>
yep, just saw it on #wireguard
<hyper_ch>
sphalerite: trying again with wireguard to route everything through it
2017-12-31
<makefu>
well it seems like it is not 100% automatic with default wireguard, but maybe with the nixos module? see https://www.wireguard.com/quickstart/
<hyper_ch>
makefu: "[17:36] <hyper_ch> in wireguard, how can I make that a peer routes all traffic through the vpn and uses the vpn server as endpoint for internet requests?"
<hyper_ch>
makefu: got wireguard running?
2017-12-30
<hyper_ch>
makefu: wireguard is pretty easy to setup and performs better than openvpn as far as I can tell
<hyper_ch>
makefu: added it to wireguard
<hyper_ch>
ip forwarding and masquerading is needed by both.... openvpn and wireguard... so question is where to add it best...
<hyper_ch>
this is for openvpn and wireguard
<makefu>
i also wanted to set up wireguard for my router
<makefu>
hyper_ch: just saw you are also lurking in #wireguard
<NixOS_GitHub>
nixpkgs/release-17.09 33778ff Franz Pletz: wireguard: 0.0.20171111 -> 0.0.20171221...
<NixOS_GitHub>
nixpkgs/release-17.09 b23ac40 Franz Pletz: wireguard: 0.0.20171101 -> 0.0.20171111...
2017-12-29
<NixOS_GitHub>
nixpkgs/master 4ce44d6 Franz Pletz: wireguard: 0.0.20171111 -> 0.0.20171221
2017-12-26
<andi->
mosh (with scp) would be nice.. some simple wireguard tunnel would work as well I guess
2017-11-30
<Mic92>
we are doing not much magic with wireguard in nixos, you can probably also ask in the #wireguard channel for help
<patrl>
@Mic92 weirdly, starting wireguard manually using wg-quick doesn't work for me on NixOS either
<Mic92>
I think andi- has used the wireguard module. I have written a systemd-networkd patch instead.
<patrl>
Hi all. Does anyone have a confirmed working wireguard configuration on 17.09?
2017-11-28
<patrl>
looking at the log for the generated unit wireguard-wg_home, this is the relevant error i'm getting "ip link del dev wg_home (code=exited, status=1/FAILURE)"
<patrl>
does anyone have a confirmed working wireguard config on 17.09?
<patrl>
guh, still getting "device not found" errors for wireguard
<patrl>
hi all. I'm struggling with the wireguard configuration module. I was wondering if anyone here has any experience and could help me debug
2017-11-27
<ivan>
sphalerite: wireguard
2017-11-20
<hyper_ch>
I'm starting to like wireguard more and more
2017-11-19
<NixOS_GitHub>
nixpkgs/master 265f4c5 Franz Pletz: wireguard: 0.0.20171101 -> 0.0.20171111
2017-11-05
<hyper_ch>
sphalerite: nixos wireguard has no options for adding execstart or something
<hyper_ch>
MichaelRaskin: yes, I need to know the content of the resolv.conf when wireguard starts... so I want to alter its unit file to add a cat /etc/resolv.conf as first execstart
<hyper_ch>
vcunat: so file bug with wireguard?
<NixOS_GitHub>
nixpkgs/release-17.09 003102c Franz Pletz: wireguard module: add device name environment var...
<NixOS_GitHub>
nixpkgs/release-17.09 af9bb2d Joerg Thalheim: wireguard: fix function for adding routes...
<vcunat>
hyper_ch: it's more of a decision for wireguard upstream anyway
<NixOS_GitHub>
nixpkgs/master 7113039 Franz Pletz: wireguard module: add device name environment var...
2017-11-04
<hyper_ch>
Mic92: wireguard still doesn't automatically start
<NixOS_GitHub>
[nixpkgs] shaunren opened pull request #31250: wireguard: add support for default routing (master...wireguard) https://git.io/vFC0Z
<hyper_ch>
I think znc, openvpn, wireguard and samba run fine
2017-10-28
<hyper_ch>
ArdaXi[m]: test from yesterday.... line were slow.... direct connection was only around 750mbit... wireguard 570mbit and unoptimized openvpn 210mbit (well, I have to tweak openvpn a bit) https://paste.simplylinux.ch/view/raw/6e8f2bcf
<hyper_ch>
wireguard gives me around 650mbit/s over internet as vpn.... so not too worried about performance
2017-10-27
<hyper_ch>
Harekiet: well, just tested zfs send | ssh remote "zfs receive" through wireguard
<hyper_ch>
ha, just sent around 90Gb through wireguard vpn with zfs in 25 minutes
<tilpner>
Yes, I saw it. I found out I can't use wireguard from this location, firewall breaks it
<hyper_ch>
tilpner: btw, tested wireguard speed today between office and home
2017-10-16
<Mic92>
tilpner: restartIfChanged = false; for the service that setups wireguard
<tilpner>
Mic92 - No, actually just NixOS firewall. And then I changed something for the server config and nixops lost connection mid-activation when the wireguard service came up
<tilpner>
Mic92 - Sorry for late reply, I couldn't get wireguard to work with my firewalls. wg-quick looks like the way to go though, so thanks for that :)
<Mic92>
tilpner: systemd-networkd and wg-quick at the moment. Also I am not done yet with pull request for the latest wireguard protocol update. This netns this is not really needed anymore
<tilpner>
Mic92 - How do you manage wireguard? Do you run the netns thing manually?
<tilpner>
hyper_ch - wireguard is available and builds on nixos-unstable-small. Is that not the problem you mentioned?
<tilpner>
hyper_ch - nixos-unstable-small seems to have wireguard substitutes O.o
<NixOS_GitHub>
nixpkgs/master 4817454 Peter Hoeg: wireguard: wg-quick systemd unit was referencing /usr/bin
2017-10-05
<nh2>
hyper_ch: how do the hardphones conflict with it? Aren't tinc and wireguard at the same level as openvpn?
<hyper_ch>
nh2: can't use tinc or wireguard with sip hardphones
<nh2>
hyper_ch: ah, do you know why openvpn is so slow? Is it on 100% CPU when you're testing with iperf3? If yes, you could try `tinc` (I've got gigabit speeds over it with no problems in the data center), or eventually, WireGuard -- both are in nixpkgs
<nh2>
Infinisil: maybe even that will be fixed at some point. He already verified WireGuard with a Haskell tool
2017-07-24
<aristid>
gchristensen: i want the channel to update so everybody can benefit from my fix to the wireguard module to allow you not to store your private keys in the /nix/store! :)
2017-07-23
<NixOS_GitHub>
nixpkgs/master 6319054 Aristid Breitkreuz: wireguard: sometimes module tries to re-add the default route, which fails - use replace to make it succeed
2017-07-17
<NixOS_GitHub>
nixpkgs/master 9b0ff95 Aristid Breitkreuz: wireguard: allow not storing private keys in world-readable /nix/store (#27433)...