Title: How to use WireGuard VPN on Guix
Author: Solène
Date: 22 May 2021
Tags: guix vpn
Description:
# Introduction
Today I had to set up a Wireguard tunnel on my Guix computer (my email
server is only reachable from Wireguard) and I struggled a bit to
understand from the official documentation how to put the pieces
together.
In Guix (the operating system, not the foreign Guix on an existing
distribution) you certainly have a /etc/config.scm file that defines
your system. You will have to add the Wireguard configuration to it
after generating a private/public key pair for your Wireguard.
Guix project website
Guix Wireguard VPN documentation
# Key generation
In order to generate Wireguard keys, install the package Wireguard with
"guix install wireguard".
```shell
# umask 077 # so that the generated files are readable only by root
# install -d -o root -g root -m 700 /etc/wireguard
# wg genkey > /etc/wireguard/private.key
# wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public
```
# Configuration
Edit your /etc/config.scm file: in your "(services)" definition, you
will define your VPN service. In this example, my Wireguard server is
hosted at 192.168.10.120 on port 4433, my system has the IP address
192.168.5.1, and I also define the server's public key in the peer block,
while my private key is automatically picked up from /etc/wireguard/private.key.
```scheme
(services (append (list
                   (service wireguard-service-type
                            (wireguard-configuration
                             (addresses '("192.168.5.1/24"))
                             (peers
                              (list
                               (wireguard-peer
                                (name "myserver")
                                (endpoint "192.168.10.120:4433")
                                (public-key "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=")
                                (allowed-ips '("192.168.5.0/24"))))))))
                  %desktop-services))
```
If you have the default "(services %desktop-services)" you need to use
"(append " to merge %desktop-services with the new services, which are all
defined in a "(list ... )" form.
The "allowed-ips" field is important: Guix will automatically add
routes to these networks through the Wireguard interface. If you want
to route everything, use "0.0.0.0/0" (you will require a NAT on the
other side) and Guix will do the required work to pass all your
traffic through the VPN.
At the top of the config.scm file, you must add "vpn" to the service
modules, like this:
```scheme
;; I added vpn to the list
(use-service-modules vpn desktop networking ssh xorg)
```
Once you have made the changes, you can use "guix system reconfigure" to
apply them. If you run multiple reconfigures, it seems Wireguard
doesn't reload correctly; you may have to use "herd restart
wireguard-wg0" to properly get the new settings (seems a bug?).
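As an added check (my own script, not part of the original post or of Guix), here is a small Python sanity-checker for a peer definition before it goes into config.scm: it validates the public key format, the endpoint syntax, that every allowed-ip is a real network prefix (warning on the 0.0.0.0/0 full-tunnel case discussed above and on a prefix claimed by two peers), and that the generated private key kept the permissions the umask 077 step intended. The SAMPLE dict is constructed from this post's example.

```python
"""Sanity-check a WireGuard definition before pasting it into config.scm."""
import base64
import ipaddress
import os

# Constructed sample that mirrors the config.scm example in this post.
SAMPLE = {
    "addresses": ["192.168.5.1/24"],
    "peers": [{"name": "myserver",
               "endpoint": "192.168.10.120:4433",
               "public-key": "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=",
               "allowed-ips": ["192.168.5.0/24"]}],
}

def valid_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False

def check_config(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the config looks sane."""
    issues = []
    claimed = {}  # network -> peer name: cryptokey routing gives each prefix one owner
    for peer in cfg["peers"]:
        name = peer["name"]
        if not valid_wg_key(peer["public-key"]):
            issues.append(f"{name}: public-key is not a 32-byte base64 key")
        host, _, port = peer["endpoint"].rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            issues.append(f"{name}: endpoint must be host:port")
        for cidr in peer["allowed-ips"]:
            try:  # strict=True rejects host addresses such as 192.168.5.1/24
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                issues.append(f"{name}: allowed-ip {cidr!r} is not a network prefix")
                continue
            if net.prefixlen == 0:
                issues.append(f"{name}: {cidr} routes everything via the tunnel; remote must NAT")
            if net in claimed:
                issues.append(f"{name}: {cidr} is already routed to peer {claimed[net]}")
            claimed[net] = name
    return issues

def private_key_is_protected(path="/etc/wireguard/private.key") -> bool:
    """True when the key file has no group/world bits, as the umask 077 step intends."""
    return not (os.stat(path).st_mode & 0o077)
```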
# Conclusion
As usual, setting up Wireguard is easy, but the functional way makes it a
bit different. It took me some time to figure out where I had to
define the Wireguard service in the configuration file.