
Re: Wireguard configuration - PostUp and PostDown


From: crodges
Subject: Re: Wireguard configuration - PostUp and PostDown
Date: Tue, 31 Aug 2021 09:16:46 -0700

On Monday, August 30, 2021 5:25:10 A.M. PDT Pierre Langlois wrote:
> Hi there,
> 
> crodges <crodges@csphy.pw> writes:
> > Hello everyone,
> > 
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
> 
> I also have a similar setup with Guix, maybe I can help.
> 
> > As I remember, I need to allow ip forwarding using
> > 
> > sysctl net.ipv4.ip_forward=1
> 
> That one is pretty easy, you find exactly that example in the manual:
> https://guix.gnu.org/manual/en/html_node/Miscellaneous-Services.html#System-Control-Service
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> > 
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > Problem is, looking at the latest guix manual, PostUp and PostDown doesn't
> > seem to exist yet. Do they exist but are still undocumented?
> > 
> > If they don't exist, where should be a reasonable place to add this
> > configurations? I'm trying to do everything the guix way, when I finish
> > this machine configuration, I'd like it to be fully replicable.
> 
> Yeah, I don't think wireguard-configuration supports doing this, we
> could probably add it although I think the "Guix way" here would
> probably be to specify iptables in another service:
> https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-iptables
> 
> Probably something like this? Although I'm really not an iptables
> expert:
> 
> --8<---------------cut here---------------start------------->8---
> (service iptables-service-type
>          (iptables-configuration
>           (ipv4-rules (plain-file "iptables.rules" "*filter
> 
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> 
> -A FORWARD -i wg0 -j ACCEPT
> COMMIT
> 
> # iptables-restore keeps one *table ... COMMIT block per table, so the
> # POSTROUTING chain goes under *nat (and -t is not accepted in the file).
> *nat
> :POSTROUTING ACCEPT
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> "))
>           (ipv6-rules (plain-file "ip6tables.rules" "*filter
> 
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> 
> -A FORWARD -i wg0 -j ACCEPT
> COMMIT
> 
> *nat
> :POSTROUTING ACCEPT
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> "))))
> --8<---------------cut here---------------end--------------->8---
> 
> That being said, it's not exactly the same as doing this with
> PostUp/PostDown, the rules will be applied independently and it would be
> good for them to be setup only when wireguard comes up, and removed when
> you bring it down.
> 
> AFAIK, there isn't a way to do this without hacking on the wireguard and
> iptables services themselves. The way to compose services together in
> Guix is to use a list of service-extension, at the moment wireguard
> doesn't have any other than itself:
> 
> --8<---------------cut here---------------start------------->8---
> (define wireguard-service-type
>   (service-type
>    (name 'wireguard)
>    (extensions
>     (list (service-extension shepherd-root-service-type
>                              wireguard-shepherd-service)
>           (service-extension activation-service-type
>                              wireguard-activation)))))
> --8<---------------cut here---------------end--------------->8---
> 
> Maybe we could have the iptable-service-type here as an extension as
> well, however that requires the iptable service itself to be modified to
> allow extensibility. See the manual for more information
> https://guix.gnu.org/manual/en/html_node/Service-Composition.html
> 
> Hope this helps!
> 
> Thanks,
> Pierre
Pierre, 

That actually helped! I was able to enable ip forwarding using modify-services 
(after I realized that sysctl is part of base-services). As for iptables, I 
tried pasting the config but I'm getting an error when I reconfigure the 
system and restart iptables. I am not an iptables expert either! But now I 
have something to work with.

Regarding service-extension, thanks for the pointer, I'll read it carefully 
and try to make the necessary extensions.
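
Added example (not from either message in this thread, nor from the Guix manual): a services list that does what the two messages describe, with ip_forward enabled through modify-services on %base-services, as crodges did, and the iptables rules in iptables-restore form, where the MASQUERADE rule lives in its own *nat table and the FORWARD chain defaults to DROP so that only wg0 traffic and the replies to it are forwarded. The accessor sysctl-configuration-settings and the VPN subnet 10.0.0.0/24 are assumptions; the ip6tables rules take the same shape and are omitted, and the existing wireguard-service-type entry is added to the list as before.

```scheme
;; Added example, not taken from the thread or the Guix manual.
;; Assumes: the wg0 subnet is 10.0.0.0/24 (constructed value), eth0 is the
;; public interface, and (gnu services sysctl) exports the accessor
;; sysctl-configuration-settings.
(use-modules (gnu)
             (gnu services networking)   ; iptables-service-type
             (gnu services sysctl))      ; sysctl-service-type

;; iptables-restore input: each table is its own "*table ... COMMIT" block,
;; so POSTROUTING/MASQUERADE must go under *nat, not *filter, and "-t nat"
;; is not allowed inside the file.
(define %wg-forwarding-rules
  (plain-file "iptables.rules" "*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
# Forward only what comes in from the VPN, plus the replies to it.
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT
# Masquerade only the VPN subnet, not everything that leaves eth0.
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"))

;; Use as (operating-system ... (services %vpn-services)), adding the
;; wireguard-service-type entry to the list below.
(define %vpn-services
  (append
   (list (service iptables-service-type
                  (iptables-configuration
                   (ipv4-rules %wg-forwarding-rules))))
   ;; sysctl-service-type is already part of %base-services, so extend its
   ;; settings instead of adding a second instance of the service.
   (modify-services %base-services
     (sysctl-service-type config =>
       (sysctl-configuration
        (inherit config)
        (settings (append '(("net.ipv4.ip_forward" . "1"))
                          (sysctl-configuration-settings config))))))))
```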
