💾 Archived View for perso.pw › blog › articles › nixos-wireguard.gmi captured on 2022-07-16 at 14:23:34. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-17)
-=-=-=-=-=-=-
NIL=> https://bsd.network/@solenepercent/106257702788041562 Comment on Mastodon
Today I will share my simple wireguard setup using NixOS as a wireguard server. The official documentation is actually very good but it didn't really fit for my use case. I have a server with multiples services but some of them need to be only reachable through wireguard, but I don't want to open all ports to wireguard either.
As a quick introduction to Wireguard, it's an UDP based VPN protocol with the specificity that it's stateless, meaning it doesn't huge any bandwidth when not in use and doesn't rely on your IP either. If you switch from an IP to another to connect to the other wireguard peer, it will be seamless in regards to wireguard.
The setup is actually easy if you use the program "wireguard" to generate the keys. You can use "nix-shell -p wireguard" to run the following commands:
umask 077 # this is so to make files only readable by root wg genkey > /root/wg-private wg pubkey < /root/wg-private > /root/wg-public
Congratulations, you generated a wireguard private key in /root/wg-private and a wireguard public key in /root/wg-public, as usual, you can share the public key with other peers but the private key must be kept secret on this machine.
Now, edit your /etc/nixos/configuration.nix file, we will create a network 192.168.100.0/24 in which the wireguard server will be 192.168.100.1 and a laptop peer will be 192.168.100.2, the wireguard UDP port chosen is 5553.
networking.wireguard.interfaces = { wg0 = { ips = [ "192.168.100.1/24" ]; listenPort = 5553; privateKeyFile = "/root/wg-private"; peers = [ { # laptop publicKey = "uPfe4VBmYjnKaaqdDT1A2PMFldUQUreqGz6v2VWjwXA="; allowedIPs = [ "192.168.100.2/32" ]; }]; }; };
Now, you will also want to enable your firewall and make the UDP port 5553 opened on your ethernet device (eth0 here). On the wireguard tunnel, we will only allow TCP port 993.
networking.firewall.enable = true; networking.firewall.interfaces.eth0.allowedTCPPorts = [ 22 25 465 587 ]; networking.firewall.interfaces.eth0.allowedUDPPorts = [ 5553 ]; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 993 ];
Specifically defining the firewall rules for eth0 are not useful if you want to allow the same ports on wireguard (+ some other ports specifics to wg0) or if you want to set the wg0 interface entirely trusted (no firewall applied).
When you have done all the changes, run "nixos-rebuild switch" to apply the changes, you will see a new network interface wg0.
I obviously stripped down my real world use case but if for some reasons you want a wireguard tunnel stricter than what's available on the public network interfaces rules, this is how you do.