proxy70

Title: How to setup wireguard on NixOS
Author: Solène
Date: 18 May 2021
Tags: nixos networking
Description: 

# Introduction

Today I will share my simple wireguard setup using NixOS as a wireguard
server.  The official documentation is actually very good but it didn't
really fit for my use case.  I have a server with multiples services
but some of them need to be only reachable through wireguard, but I
don't want to open all ports to wireguard either.

As a quick introduction to Wireguard, it's an UDP based VPN protocol
with the specificity that it's stateless, meaning it doesn't huge any
bandwidth when not in use and doesn't rely on your IP either.  If you
switch from an IP to another to connect to the other wireguard peer, it
will be seamless in regards to wireguard.

NixOS wireguard documentation

# Wireguard setup

The setup is actually easy if you use the program "wireguard" to
generate the keys.  You can use "nix-shell -p wireguard" to run the
following commands:

```shell commands
umask 077 # this is so to make files only readable by root
wg genkey > /root/wg-private
wg pubkey < /root/wg-private > /root/wg-public
```

Congratulations, you generated a wireguard private key in
/root/wg-private and a wireguard public key in /root/wg-public, as
usual, you can share the public key with other peers but the private
key must be kept secret on this machine.

Now, edit your /etc/nixos/configuration.nix file, we will create a
network 192.168.100.0/24 in which the wireguard server will be
192.168.100.1 and a laptop peer will be 192.168.100.2, the wireguard
UDP port chosen is 5553.

```NixOS configuration file sample
networking.wireguard.interfaces = {
      wg0 = {
              ips = [ "192.168.100.1/24" ];
              listenPort = 5553;
              privateKeyFile = "/root/wg-private";
              peers = [
              { # laptop
               publicKey = "uPfe4VBmYjnKaaqdDT1A2PMFldUQUreqGz6v2VWjwXA=";
               allowedIPs = [ "192.168.100.2/32" ];
              }];
      };
};
```

# Firewall configuration

Now, you will also want to enable your firewall and make the UDP port
5553 opened on your ethernet device (eth0 here).  On the wireguard
tunnel, we will only allow TCP port 993.

```NixOS configuration file sample
networking.firewall.enable = true;

networking.firewall.interfaces.eth0.allowedTCPPorts = [ 22 25 465 587 ];
networking.firewall.interfaces.eth0.allowedUDPPorts = [ 5553 ];

networking.firewall.interfaces.wg0.allowedTCPPorts = [ 993 ];
```

Specifically defining the firewall rules for eth0 are not useful if you
want to allow the same ports on wireguard (+ some other ports specifics
to wg0) or if you want to set the wg0 interface entirely trusted (no
firewall applied).

# Building

When you have done all the changes, run "nixos-rebuild switch" to apply
the changes, you will see a new network interface wg0.

# Conclusion

I obviously stripped down my real world use case but if for some
reasons you want a wireguard tunnel stricter than what's available on
the public network interfaces rules, this is how you do.