Title: How to use WireGuard VPN on Guix
       Author: Solène
       Date: 22 May 2021
       Tags: guix vpn
       Description: 
       
       # Introduction
       
       Today I had to set up a WireGuard tunnel on my Guix computer (my email
       server is only reachable from WireGuard) and I struggled a bit to
       understand from the official documentation how to put the pieces
       together.
       
       In Guix (the operating system, not the foreign Guix on an existing
       distribution) you certainly have a /etc/config.scm file that defines
       your system.  You will have to add the WireGuard configuration to it
       after generating a private/public key pair for WireGuard.
       
 (HTM) Guix project website
 (HTM) Guix Wireguard VPN documentation
       
       # Key generation
       
       In order to generate WireGuard keys, install the WireGuard package with
       "guix install wireguard".
       
       ```shell commands
       # Run these commands as root.
       umask 077  # make newly created files readable by root only
       install -d -o root -g root -m 700 /etc/wireguard
       wg genkey > /etc/wireguard/private.key
       wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public
       ```
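
An added check, not part of the original post: the function below verifies that the directory and private key created above grant nothing to group or others and, when wg is installed, that the stored public key matches the private key. The helper names audit_wg_keys and is_private are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the WireGuard key directory (GNU stat assumed).
# audit_wg_keys and is_private are hypothetical helper names.

# Succeed when the path grants no permission bits to group or others.
is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Usage: audit_wg_keys [DIR]   (DIR defaults to /etc/wireguard)
# Returns 0 if everything is private, 1 on a finding, 2 if files are missing.
audit_wg_keys() {
    dir=${1:-/etc/wireguard}
    key=$dir/private.key
    rc=0
    if [ ! -d "$dir" ] || [ ! -f "$key" ]; then
        echo "missing $dir or $key" >&2
        return 2
    fi
    for path in "$dir" "$key"; do
        if ! is_private "$path"; then
            echo "too permissive: $path (mode $(stat -c '%a' "$path"))" >&2
            rc=1
        fi
    done
    # When wg is installed and the public file exists, confirm that it was
    # derived from this private key.
    if command -v wg >/dev/null 2>&1 && [ -f "$dir/public" ]; then
        if [ "$(wg pubkey < "$key")" != "$(cat "$dir/public")" ]; then
            echo "public key does not match private key" >&2
            rc=1
        fi
    fi
    return "$rc"
}
```

Run it as root with no argument to audit /etc/wireguard; a non-zero exit status means something needs fixing before the key is used.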
       
       # Configuration
       
       Edit your /etc/config.scm file; in your "(services)" definition, you
       will define your VPN service.  In this example, my WireGuard server is
       hosted at 192.168.10.120 on port 4433 and my system has the IP address
       192.168.5.1.  I also define my public key, but my private key is
       automatically picked up from /etc/wireguard/private.key.
       
       ```config.scm example
       (services (append (list
             (service wireguard-service-type
                    (wireguard-configuration
                     (addresses '("192.168.5.1/24"))
                     (peers
                      (list
                       (wireguard-peer
                        (name "myserver")
                        (endpoint "192.168.10.120:4433")
                        (public-key "z+SCmAMgNNvkeaD0nfBu4fCrhk8FaNCa1/HnnbD21wE=")
                        (allowed-ips '("192.168.5.0/24"))))))))
             %desktop-services))
       ```
       
       If you have the default "(services %desktop-services)", you need to use
       "(append " to merge %desktop-services with the new services, which are
       all defined in a "(list ... )" definition.
       
       The "allowed-ips" field is important: Guix will automatically create
       routes to these networks through the WireGuard interface.  If you want
       to route everything, use "0.0.0.0/0" (you will need NAT on the
       other side) and Guix will do the work required to pass all your
       traffic through the VPN.
       
       At the top of the config.scm file, you must add "vpn" in the services
       modules, like this:
       
       ```config.scm services modules
       ;; I added vpn to the list
       (use-service-modules vpn desktop networking ssh xorg)
       ```
       
       Once you have made the changes, you can use "guix system reconfigure" to
       apply them.  If you run reconfigure multiple times, it seems WireGuard
       doesn't reload correctly; you may have to use "herd restart
       wireguard-wg0" to properly get the new settings (seems a bug?).
       
       # Conclusion
       
       As usual, setting up WireGuard is easy, but the functional way makes it a
       bit different.  It took me some time to figure out where I had to
       define the WireGuard service in the configuration file.