Title: How to use WireGuard VPN on Guix
Author: Solène
Date: 22 May 2021
Tags: guix vpn
# Introduction
Today I had to set up a WireGuard tunnel on my Guix computer (my email
server is only reachable over WireGuard) and I struggled a bit to
understand from the official documentation how to put the pieces
together.
In Guix (the operating system, not Guix installed as a package manager
on a foreign distribution) you certainly have a /etc/config.scm file
that defines your system. You will have to add the WireGuard
configuration to it after generating a private/public key pair for
WireGuard.
Guix project website
Guix Wireguard VPN documentation
# Key generation
In order to generate WireGuard keys, install the package Wireguard with
"guix install wireguard", then run the following commands as root:
```shell
# umask 077 makes every file created below readable only by root
umask 077
install -d -o root -g root -m 700 /etc/wireguard
# Generate the private key, then derive the matching public key from it
wg genkey > /etc/wireguard/private.key
wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public
```
# Configuration
Edit your /etc/config.scm file: in your "(services)" definition, you
will define your VPN service. In this example, my WireGuard server is
hosted at 192.168.10.120 on port 4433 and my system has the IP address
192.168.5.1. I also define the server's public key in the peer entry,
while my private key is automatically picked up from
/etc/wireguard/private.key.
```scheme
(services (append (list
                   (service wireguard-service-type
                            (wireguard-configuration
                             (addresses '("192.168.5.1/24"))
                             (peers
                              (list
                               (wireguard-peer
                                (name "myserver")
                                (endpoint "192.168.10.120:4433")
                                (public-key "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=")
                                (allowed-ips '("192.168.5.0/24"))))))))
                  %desktop-services))
```
If you have the default "(services %desktop-services)" you need to use
"(append " to merge %desktop-services with the new services, all
defined in a "(list ... )" definition.
The "allowed-ips" field is important: Guix will automatically add
routes to these networks through the WireGuard interface. If you want
to route everything, use "0.0.0.0/0" (you will require a NAT on the
other side) and Guix will do the required work to pass all your
traffic through the VPN.
At the top of the config.scm file, you must add "vpn" to the service
modules, like this:
```scheme
;; I added vpn to the list
(use-service-modules vpn desktop networking ssh xorg)
```
Once you have made the changes, run "guix system reconfigure
/etc/config.scm" to apply them. If you reconfigure multiple times, it
seems WireGuard doesn't reload correctly; you may have to run "herd
restart wireguard-wg0" to properly pick up the new settings (seems like
a bug?).
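To show how the pieces above fit together in one file, here is an added example (not the configuration from the post) of the two parts of /etc/config.scm that the WireGuard client setup touches, with every other operating-system field left out. It reuses the addresses, endpoint and public key from the example above. The interface, private-key and keep-alive fields are the optional fields of wireguard-configuration and wireguard-peer as described in the Guix manual (an assumption, since the post does not use them), and the keep-alive value is chosen here. The comments also record the point that matters for a secure setup: the public-key in the peer block is the server's key, and allowed-ips is both the route list and the filter for what that peer may send.

```scheme
;; Added example, not the configuration from the post: the two places in
;; /etc/config.scm that the WireGuard client setup touches. All other
;; operating-system fields (host-name, bootloader, file-systems, users,
;; ...) stay exactly as they were and are left out here.
(use-modules (gnu))
;; 1. Load the service module that defines wireguard-service-type.
(use-service-modules vpn desktop networking ssh xorg)

(operating-system
  ;; ... the rest of your existing fields go here, unchanged ...

  ;; 2. Prepend the VPN service to the default desktop services.
  (services
   (append
    (list
     (service wireguard-service-type
              (wireguard-configuration
               ;; Interface name; "wg0" is the default and is what the
               ;; Shepherd service name "wireguard-wg0" is derived from.
               (interface "wg0")
               ;; This machine's address inside the tunnel.
               (addresses '("192.168.5.1/24"))
               ;; Default value, written out so it is visible: the key
               ;; created with "wg genkey" under umask 077.
               (private-key "/etc/wireguard/private.key")
               (peers
                (list
                 (wireguard-peer
                  (name "myserver")
                  (endpoint "192.168.10.120:4433")
                  ;; The server's public key (from "wg pubkey" on the
                  ;; server side), never this machine's private key.
                  (public-key "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=")
                  ;; Split tunnel: only 192.168.5.0/24 is routed through
                  ;; wg0, and only packets from that range are accepted
                  ;; from this peer. Use '("0.0.0.0/0") for a full tunnel
                  ;; (the server then has to NAT your traffic).
                  (allowed-ips '("192.168.5.0/24"))
                  ;; Optional (assumed field, value chosen here): send a
                  ;; keepalive every 25 s so a NAT between client and
                  ;; server does not drop the mapping.
                  (keep-alive 25)))))))
    %desktop-services)))
```

After "guix system reconfigure /etc/config.scm", "herd status wireguard-wg0" shows whether the service came up, and "wg show wg0" (as root) lists the peer with its allowed-ips and latest handshake, which is the quickest way to confirm the tunnel is actually established and not just configured.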
# Conclusion
As usual, setting up WireGuard is easy, but the functional way makes it
a bit different. It took me some time to figure out where I had to
define the WireGuard service in the configuration file.