Title: How to use WireGuard VPN on Guix
Author: Solène
Date: 22 May 2021
Tags: guix vpn
Description:

# Introduction

Today I had to set up a WireGuard tunnel on my Guix computer (my email server is only reachable over WireGuard) and I struggled a bit to understand from the official documentation how to put the pieces together.

In Guix (the operating system, not the foreign Guix installed on top of an existing distribution) you certainly have a /etc/config.scm file that defines your system. You will have to add the WireGuard configuration to it after generating a private/public key pair for WireGuard.

(HTM) Guix project website
(HTM) Guix Wireguard VPN documentation

# Key generation

In order to generate WireGuard keys, install the wireguard package with "guix install wireguard".

```shell commands
# umask 077   # so that the files created below are readable only by root
# install -d -o root -g root -m 700 /etc/wireguard
# wg genkey > /etc/wireguard/private.key
# wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public
```

# Configuration

Edit your /etc/config.scm file: in your "(services)" definition, you will define your VPN service. In this example, my WireGuard server is hosted at 192.168.10.120 on port 4433 and my system has the IP address 192.168.5.1. I also give a public key in the peer definition, while my private key is automatically picked up from /etc/wireguard/private.key.

```config.scm example
(services
 (append
  (list
   (service wireguard-service-type
            (wireguard-configuration
             (addresses '("192.168.5.1/24"))
             (peers
              (list
               (wireguard-peer
                (name "myserver")
                (endpoint "192.168.10.120:4433")
                (public-key "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=")
                (allowed-ips '("192.168.5.0/24"))))))))
  %desktop-services))
```

If you have the default "(services %desktop-services)", you need to use "(append " to merge %desktop-services with the new services, all defined in a "(list ... )" definition.
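Before reconfiguring, it is worth confirming that the key files are what the service will read: the private key in /etc/wireguard must stay readable only by root, and the public key file (the one you hand to the other side of the tunnel) must actually be derived from that private key. The POSIX shell script below is an added example, not code from the original post or from the Guix project. It checks the mode of the key directory and of private.key, checks that both key files are well-formed (44 base64 characters decoding to 32 bytes) and, when the wg tool from the wireguard package is installed, recomputes the public key from the private one. The function names has_mode, is_wg_key, pubkey_matches and check_wg_dir are my own, and the directory is a parameter so the checks can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# WireGuard key files that the Guix wireguard-service-type reads.
# The directory defaults to /etc/wireguard, as created in the post.

# True if path $1 has octal mode $2 (GNU stat, as shipped by Guix).
has_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# True if file $1 holds one WireGuard key: 44 base64 characters that
# decode to exactly 32 bytes (the Curve25519 key size wg uses).
is_wg_key() {
    key=$(head -n 1 "$1")
    [ "${#key}" -eq 44 ] || return 1
    n=$(( $(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) ))
    [ "$n" -eq 32 ]
}

# True if public key file $2 matches private key file $1. Needs the wg
# tool; when it is not installed the check is reported as skipped and
# counted as passing, so the remaining checks still run.
pubkey_matches() {
    if ! command -v wg >/dev/null 2>&1; then
        echo "wg not installed, skipping public/private key match check"
        return 0
    fi
    [ "$(wg pubkey < "$1")" = "$(head -n 1 "$2")" ]
}

# Run every check against directory $1 (default /etc/wireguard), print
# each problem found, and return the number of problems (0 means the
# keys are ready to be used from config.scm).
check_wg_dir() {
    dir=${1:-/etc/wireguard}
    problems=0
    has_mode "$dir" 700 \
        || { echo "$dir: expected mode 700"; problems=$((problems + 1)); }
    has_mode "$dir/private.key" 600 \
        || { echo "$dir/private.key: expected mode 600 (umask 077 before wg genkey)"; problems=$((problems + 1)); }
    is_wg_key "$dir/private.key" \
        || { echo "$dir/private.key: not a valid WireGuard key"; problems=$((problems + 1)); }
    is_wg_key "$dir/public" \
        || { echo "$dir/public: not a valid WireGuard key"; problems=$((problems + 1)); }
    pubkey_matches "$dir/private.key" "$dir/public" \
        || { echo "$dir/public: does not match $dir/private.key"; problems=$((problems + 1)); }
    return "$problems"
}
```

Run `check_wg_dir` as root (it defaults to /etc/wireguard) or pass another directory; a return value of 0 means nothing was flagged, and each problem is printed on its own line so a forgotten umask or a stale public file shows up before the tunnel is brought up.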
The "allowed-ips" field is important: Guix will automatically add routes to these networks through the WireGuard interface. If you want to route everything, use "0.0.0.0/0" (you will need a NAT on the other side) and Guix will do the required work to pass all your traffic through the VPN.

At the top of the config.scm file, you must add "vpn" to the service modules, like this:

```config.scm services modules
;; I added vpn to the list
(use-service-modules vpn desktop networking ssh xorg)
```

Once you have made the changes, run "guix system reconfigure" to apply them. If you reconfigure several times, WireGuard doesn't seem to reload correctly; you may have to use "herd restart wireguard-wg0" to properly get the new settings (this seems to be a bug).

# Conclusion

As usual, setting up WireGuard is easy, but the functional way makes it a bit different. It took me some time to figure out where I had to define the WireGuard service in the configuration file.