Title: How to setup wireguard on NixOS | |
Author: Solène | |
Date: 18 May 2021 | |
Tags: nixos networking | |
Description: | |
# Introduction | |
Today I will share my simple wireguard setup using NixOS as a wireguard | |
server. The official documentation is actually very good but it didn't | |
really fit for my use case. I have a server with multiples services | |
but some of them need to be only reachable through wireguard, but I | |
don't want to open all ports to wireguard either. | |
As a quick introduction to Wireguard, it's an UDP based VPN protocol | |
with the specificity that it's stateless, meaning it doesn't huge any | |
bandwidth when not in use and doesn't rely on your IP either. If you | |
switch from an IP to another to connect to the other wireguard peer, it | |
will be seamless in regards to wireguard. | |
NixOS wireguard documentation | |
# Wireguard setup | |
The setup is actually easy if you use the program "wireguard" to | |
generate the keys. You can use "nix-shell -p wireguard" to run the | |
following commands: | |
```shell commands | |
umask 077 # this is so to make files only readable by root | |
wg genkey > /root/wg-private | |
wg pubkey < /root/wg-private > /root/wg-public | |
``` | |
Congratulations, you generated a wireguard private key in | |
/root/wg-private and a wireguard public key in /root/wg-public, as | |
usual, you can share the public key with other peers but the private | |
key must be kept secret on this machine. | |
Now, edit your /etc/nixos/configuration.nix file, we will create a | |
network 192.168.100.0/24 in which the wireguard server will be | |
192.168.100.1 and a laptop peer will be 192.168.100.2, the wireguard | |
UDP port chosen is 5553. | |
```NixOS configuration file sample | |
networking.wireguard.interfaces = { | |
wg0 = { | |
ips = [ "192.168.100.1/24" ]; | |
listenPort = 5553; | |
privateKeyFile = "/root/wg-private"; | |
peers = [ | |
{ # laptop | |
publicKey = "uPfe4VBmYjnKaaqdDT1A2PMFldUQUreqGz6v2VWjwXA="; | |
allowedIPs = [ "192.168.100.2/32" ]; | |
}]; | |
}; | |
}; | |
``` | |
# Firewall configuration | |
Now, you will also want to enable your firewall and make the UDP port | |
5553 opened on your ethernet device (eth0 here). On the wireguard | |
tunnel, we will only allow TCP port 993. | |
```NixOS configuration file sample | |
networking.firewall.enable = true; | |
networking.firewall.interfaces.eth0.allowedTCPPorts = [ 22 25 465 587 ]; | |
networking.firewall.interfaces.eth0.allowedUDPPorts = [ 5553 ]; | |
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 993 ]; | |
``` | |
Specifically defining the firewall rules for eth0 are not useful if you | |
want to allow the same ports on wireguard (+ some other ports specifics | |
to wg0) or if you want to set the wg0 interface entirely trusted (no | |
firewall applied). | |
# Building | |
When you have done all the changes, run "nixos-rebuild switch" to apply | |
the changes, you will see a new network interface wg0. | |
# Conclusion | |
I obviously stripped down my real world use case but if for some | |
reasons you want a wireguard tunnel stricter than what's available on | |
the public network interfaces rules, this is how you do. |