Re: Wireguard

2021-10-15 Thread crodges
On Wednesday, October 6, 2021 11:35:02 A.M. PDT you wrote:
> crodges schreef op wo 06-10-2021 om 09:28 [-0700]:
> > [...]
> > I was able to create and run the vm. How can I build a .iso image with my
> > code changes to install in a vps? I tried to change the code, compile, run
> > 
> > guix system image -t iso9660 gnu/system/install.scm
> 
> Don't forget ./pre-inst-env:
> 
> make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm
> 
> Also, the installer won't use your locally modified guix.  IIUC,
> it will use the 'guix' package, which is normally only used by a few
> services like cuirass and guix-daemon, and for the initial installation.
> 
> It shouldn't be necessary to reinstall Guix System, I'd recommend sending a
> copy of the locally-modified guix repo to your VM, build it, and
> reconfigure inside the VM (./pre-inst-env guix system reconfigure ...)
> instead.
> 
> However, it should also be possible to modify the guix used by the
> installer, using the procedure (current-guix) and the macro
> modify-services, see gnu/tests/install.scm for an example.
> 
> > then I grabbed the .iso from the /gnu/store
> > 
> > but after installing it, it didn't contain my changes. Am I grabbing the
> > wrong iso, if so, how should I do this? I may be confusing guix installed
> > in my pc with the one I'm making changes.
> 
> Greetings,
> Maxime.
Maxime,

I'm getting closer. I'm reading up on how the kernel treats networks, guile 
and guix. After I solve this issue I'll definitely do a write up to pass on  
the acquired knowledge, it'll be good for someone that is starting with guix, 
like myself.

That said, I have additional questions. First, in my wireguard configuration I
need to call iptables. It was suggested to me that I should modify wireguard
to accept iptables-service as an extension, and also modify iptables for it to
be extended. Do you know any other way, or does this look like the most
appropriate?

Also, there are several wg0.conf generated at /gnu/store (because of many 
generations). How do I know which one is the most recent one, so I can check 
if my configuration is parsing correctly from guile? I tried a simple ls -lt 
but everything is showing Jan 1, 1970.

Thanks Maxime.






Re: Wireguard

2021-10-06 Thread Maxime Devos
crodges schreef op wo 06-10-2021 om 09:28 [-0700]:
> [...]
> I was able to create and run the vm. How can I build a .iso image with my
> code changes to install in a vps? I tried to change the code, compile, run
> 
> guix system image -t iso9660 gnu/system/install.scm

Don't forget ./pre-inst-env:

make && ./pre-inst-env guix system image -t iso9660 gnu/system/install.scm

Also, the installer won't use your locally modified guix.  IIUC,
it will use the 'guix' package, which is normally only used by a few services
like cuirass and guix-daemon, and for the initial installation.

It shouldn't be necessary to reinstall Guix System, I'd recommend sending a
copy of the locally-modified guix repo to your VM, build it, and reconfigure
inside the VM (./pre-inst-env guix system reconfigure ...) instead.

However, it should also be possible to modify the guix used by the installer,
using the procedure (current-guix) and the macro modify-services, see
gnu/tests/install.scm for an example.

> then I grabbed the .iso from the /gnu/store
> 
> but after installing it, it didn't contain my changes. Am I grabbing the
> wrong iso, if so, how should I do this? I may be confusing guix installed in
> my pc with the one I'm making changes.

Greetings,
Maxime.


signature.asc
Description: This is a digitally signed message part


Re: Wireguard

2021-10-06 Thread crodges
On Wednesday, September 22, 2021 10:23:11 A.M. PDT Maxime Devos wrote:
> crodges schreef op wo 22-09-2021 om 09:03 [-0700]:
> > On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > > crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> > > > Hello everyone,
> > > > 
> > > > Let me start thanking you for developing such an interesting project in
> > > > GNU Guix. Also, I don't want to take up anyone's time, so you can just
> > > > point to documentation or other resource succinctly and I'll do my best.
> > > > I'm writing here because I tried the help list but no answer so far,
> > > > after a few days.
> > > > 
> > > > I managed to configure wireguard on a vps running guix and created
> > > > clients
> > > > for my desktop and cellphone. What I want to do (and did already in a
> > > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > > and
> > > > also browse the internet using this vpn.
> > > 
> > > The Wireguard service as defined in Guix System doesn't currently
> > > support
> > > the forwarding you appear to describe ...
> > > 
> > > > As I remember, I need to allow ip forwarding using
> > > > 
> > > > sysctl net.ipv4.ip_forward=1
> > > > 
> > > > and I also need to put these rules into wireguard (the server) under
> > > > [interface],
> > > > 
> > > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > 
> > > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > > ACCEPT;
> > > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > However, I don't see why this couldn't be implemented in Guix System
> > > (after some changes to wireguard-service-type).
> > > 
> > > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > > doesn't
> > > > seem to exist yet. Do they exist but are still undocumented?
> > > 
> > > Guix uses "wg-quick", so it would seem they do exist, but are
> > > inaccessible
> > > from Guix.  The configuration file is created in
> > > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > > modify that.
> > > 
> > > > If they don't exist, where should be a reasonable place to add this
> > > > configurations?
> > > 
> > >  and wireguard-configuration-file in (gnu
> > > services
> > > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > > (in the ‘service-extension’ meaning of the word) to set
> > > net.ipv4.ip_forward
> > > appropriately.
> > > 
> > > > I'm trying to do everything the guix way, when I finish this
> > > > machine configuration, I'd like it to be fully replicable.
> > > > 
> > > > Also, is this something that I could solve modifying the wireguard
> > > > service
> > > > definition itself?
> > > 
> > > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > > options to , which would need to be set to the
> > > commands above.  However, these strings seem rather complicated for the
> > > uninitiated, so I'd recommend something more high-level instead.  Some
> > > interface like
> > > 
> > >   (wireguard-configuration
> > >   
> > > [...]
> > > (addresses ...)
> > > (peers ...)
> > > (forward? #t))
> > > 
> > > perhaps?  Make sure to add some documentation to ‘Wireguard’ in
> > > (guix)VPN
> > > Services. (Maybe add some example situations on how forward? can be used
> > > and how it functions.)
> > > 
> > > I want to note that I don't understand what exactly you're doing, I only
> > > understand that there is some forwarding going on, and I'm not
> > > unfamiliar
> > > with networking issue (e.g. I recently figured out why I couldn't
> > > connect
> > > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > > So explaining forward? to laypeople might take some care.
> > > 
> > > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > > recommended.
> > > 
> > > Greetings,
> > > Maxime.
> > 
> > Thanks for the pointers Maxime.
> > 
> > I'm not an expert in networking but I can briefly tell about my use case
> > here. basically my setup accomplishes two things: any machine connected
> > to the server running guix and wireguard should be able to browse the
> > internet like a normal vpn (using the server's ip address) and any client
> > theoretically could see each other. Right now I use this capability to
> > play 0ad with friends, in the future there will be apps running in
> > different clients, accessible to anyone inside vpn.
> > 
> > That said, I'm back here to ask one more thing. I cloned guix and followed
> > the manual to create an --pure environment and authenticated the commits.
> > This machine is a different one from my server, here I have guix running
> > on top of 

Re: Wireguard

2021-09-22 Thread Maxime Devos
crodges schreef op wo 22-09-2021 om 09:03 [-0700]:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> > > Hello everyone,
> > > 
> > > Let me start thanking you for developing such an interesting project in GNU
> > > Guix. Also, I don't want to take up anyone's time, so you can just point
> > > to documentation or other resource succinctly and I'll do my best. I'm
> > > writing here because I tried the help list but no answer so far, after a
> > > few days.
> > > 
> > > I managed to configure wireguard on a vps running guix and created clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > > also browse the internet using this vpn.
> > 
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> > 
> > > As I remember, I need to allow ip forwarding using
> > > 
> > > sysctl net.ipv4.ip_forward=1
> > > 
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > > 
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> > 
> > > Problem is, looking at the latest guix manual, PostUp and PostDown doesn't
> > > seem to exist yet. Do they exist but are still undocumented?
> > 
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix.  The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> > 
> > > If they don't exist, where should be a reasonable place to add this
> > > configurations?
> > 
> >  and wireguard-configuration-file in (gnu services
> > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> > appropriately.
> > 
> > > I'm trying to do everything the guix way, when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > > 
> > > Also, is this something that I could solve modifying the wireguard service
> > > definition itself?
> > 
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to , which would need to be set to the
> > commands above.  However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead.  Some
> > interface like
> > 
> >   (wireguard-configuration
> > [...]
> > (addresses ...)
> > (peers ...)
> > (forward? #t))
> > 
> > perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> > 
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issue (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken). 
> > So explaining forward? to laypeople might take some care.
> > 
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> > 
> > Greetings,
> > Maxime.
> Thanks for the pointers Maxime.
> 
> I'm not an expert in networking but I can briefly tell about my use case here.
> basically my setup accomplishes two things: any machine connected to the 
> server running guix and wireguard should be able to browse the internet like 
> a 
> normal vpn (using the server's ip address) and any client theoretically could 
> see each other. Right now I use this capability to play 0ad with friends, in 
> the future there will be apps running in different clients, accessible to 
> anyone inside vpn.
> 
> That said, I'm back here to ask one more thing. I cloned guix and followed 
> the 
> manual to create an --pure environment and authenticated the commits. This 
> machine is a different one from my server, here I have guix running on top of 
> manjaro (an arch gnu/linux flavor).
> 
> I started changing code inside vpn.scm and my approach was to "make && make 
> check" after changes to see if it would still build. But this week, after a 
> git pull to update the repo and using make, I'm now greeted with
> 
> error: failed to load 'gnu/packages/perl.scm':
> ice-9/eval.scm:293:34: In procedure abi-check: #>: 
> record ABI 

Re: Wireguard

2021-09-22 Thread crodges
On Wednesday, September 22, 2021 9:03:58 A.M. PDT crodges wrote:
> On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> > crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> > > Hello everyone,
> > > 
> > > Let me start thanking you for developing such an interesting project in
> > > GNU Guix. Also, I don't want to take up anyone's time, so you can just
> > > point to documentation or other resource succinctly and I'll do my best.
> > > I'm writing here because I tried the help list but no answer so far,
> > > after a few days.
> > > 
> > > I managed to configure wireguard on a vps running guix and created
> > > clients
> > > for my desktop and cellphone. What I want to do (and did already in a
> > > Debian vps) is to make wireguard's lan accessible to anyone connected
> > > and
> > > also browse the internet using this vpn.
> > 
> > The Wireguard service as defined in Guix System doesn't currently support
> > the forwarding you appear to describe ...
> > 
> > > As I remember, I need to allow ip forwarding using
> > > 
> > > sysctl net.ipv4.ip_forward=1
> > > 
> > > and I also need to put these rules into wireguard (the server) under
> > > [interface],
> > > 
> > > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > 
> > > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j
> > > ACCEPT;
> > > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> > 
> > However, I don't see why this couldn't be implemented in Guix System
> > (after some changes to wireguard-service-type).
> > 
> > > Problem is, looking at the latest guix manual, PostUp and PostDown
> > > doesn't
> > > seem to exist yet. Do they exist but are still undocumented?
> > 
> > Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> > from Guix.  The configuration file is created in
> > wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> > modify that.
> > 
> > > If they don't exist, where should be a reasonable place to add this
> > > configurations?
> > 
> >  and wireguard-configuration-file in (gnu
> > services
> > vpn) it would seem.  Also, sysctl-service-type would need to be extended
> > (in the ‘service-extension’ meaning of the word) to set
> > net.ipv4.ip_forward
> > appropriately.
> > 
> > > I'm trying to do everything the guix way, when I finish this
> > > machine configuration, I'd like it to be fully replicable.
> > > 
> > > Also, is this something that I could solve modifying the wireguard
> > > service
> > > definition itself?
> > 
> > If replicability is all you need, you could add ‘postdown’ and ‘postup’
> > options to , which would need to be set to the
> > commands above.  However, these strings seem rather complicated for the
> > uninitiated, so I'd recommend something more high-level instead.  Some
> > interface like
> > 
> >   (wireguard-configuration
> >   
> > [...]
> > (addresses ...)
> > (peers ...)
> > (forward? #t))
> > 
> > perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> > Services. (Maybe add some example situations on how forward? can be used
> > and how it functions.)
> > 
> > I want to note that I don't understand what exactly you're doing, I only
> > understand that there is some forwarding going on, and I'm not unfamiliar
> > with networking issue (e.g. I recently figured out why I couldn't connect
> > to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).
> > So explaining forward? to laypeople might take some care.
> > 
> > Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> > recommended.
> > 
> > Greetings,
> > Maxime.
> 
> Thanks for the pointers Maxime.
> 
> I'm not an expert in networking but I can briefly tell about my use case
> here. basically my setup accomplishes two things: any machine connected to
> the server running guix and wireguard should be able to browse the internet
> like a normal vpn (using the server's ip address) and any client
> theoretically could see each other. Right now I use this capability to play
> 0ad with friends, in the future there will be apps running in different
> clients, accessible to anyone inside vpn.
> 
> That said, I'm back here to ask one more thing. I cloned guix and followed
> the manual to create an --pure environment and authenticated the commits.
> This machine is a different one from my server, here I have guix running on
> top of manjaro (an arch gnu/linux flavor).
> 
> I started changing code inside vpn.scm and my approach was to "make && make
> check" after changes to see if it would still build. But this week, after a
> git pull to update the repo and using make, I'm now greeted with
> 
> error: failed to load 'gnu/packages/perl.scm':
> 

Re: Wireguard

2021-09-22 Thread crodges
On Wednesday, September 1, 2021 12:07:43 A.M. PDT Maxime Devos wrote:
> crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> > Hello everyone,
> > 
> > Let me start thanking you for developing such an interesting project in GNU
> > Guix. Also, I don't want to take up anyone's time, so you can just point
> > to documentation or other resource succinctly and I'll do my best. I'm
> > writing here because I tried the help list but no answer so far, after a
> > few days.
> > 
> > I managed to configure wireguard on a vps running guix and created clients
> > for my desktop and cellphone. What I want to do (and did already in a
> > Debian vps) is to make wireguard's lan accessible to anyone connected and
> > also browse the internet using this vpn.
> 
> The Wireguard service as defined in Guix System doesn't currently support
> the forwarding you appear to describe ...
> 
> > As I remember, I need to allow ip forwarding using
> > 
> > sysctl net.ipv4.ip_forward=1
> > 
> > and I also need to put these rules into wireguard (the server) under
> > [interface],
> > 
> > PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > 
> > PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> > POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> > ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> 
> However, I don't see why this couldn't be implemented in Guix System
> (after some changes to wireguard-service-type).
> 
> > Problem is, looking at the latest guix manual, PostUp and PostDown don't
> > seem to exist yet. Do they exist but are still undocumented?
> 
> Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
> from Guix.  The configuration file is created in
> wireguard-configuration-file (in gnu/services/vpn.scm), maybe you can
> modify that.
> 
> > If they don't exist, where should be a reasonable place to add these
> > configurations?
> 
>  and wireguard-configuration-file in (gnu services
> vpn) it would seem.  Also, sysctl-service-type would need to be extended
> (in the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
> appropriately.
> 
> > I'm trying to do everything the guix way, when I finish this
> > machine configuration, I'd like it to be fully replicable.
> > 
> > Also, is this something that I could solve modifying the wireguard service
> > definition itself?
> 
> If replicability is all you need, you could add ‘postdown’ and ‘postup’
> options to , which would need to be set to the
> commands above.  However, these strings seem rather complicated for the
> uninitiated, so I'd recommend something more high-level instead.  Some
> interface like
> 
>   (wireguard-configuration
> [...]
> (addresses ...)
> (peers ...)
> (forward? #t))
> 
> perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
> Services. (Maybe add some example situations on how forward? can be used
> and how it functions.)
> 
> I want to note that I don't understand what exactly you're doing, I only
> understand that there is some forwarding going on, and I'm not unfamiliar
> with networking issues (e.g. I recently figured out why I couldn't connect
> to the Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken). 
> So explaining forward? to laypeople might take some care.
> 
> Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
> recommended.
> 
> Greetings,
> Maxime.
Thanks for the pointers Maxime.

I'm not an expert in networking but I can briefly tell about my use case here.
Basically my setup accomplishes two things: any machine connected to the
server running guix and wireguard should be able to browse the internet like a 
normal vpn (using the server's ip address) and any client theoretically could 
see each other. Right now I use this capability to play 0ad with friends, in 
the future there will be apps running in different clients, accessible to 
anyone inside vpn.

That said, I'm back here to ask one more thing. I cloned guix and followed the 
manual to create a --pure environment and authenticated the commits. This
machine is a different one from my server, here I have guix running on top of 
manjaro (an arch gnu/linux flavor).

I started changing code inside vpn.scm and my approach was to "make && make 
check" after changes to see if it would still build. But this week, after a 
git pull to update the repo and using make, I'm now greeted with

error: failed to load 'gnu/packages/perl.scm':
ice-9/eval.scm:293:34: In procedure abi-check: #>: 
record ABI mismatch; recompilation needed

I will still spend some time with this error, but I found it worth asking: is
this approach of "make && make check" a reasonable one? Is there a way to test 
a guix system without installing it? Packages I know we can, but system 
capabilities 

Re: Wireguard

2021-09-01 Thread Maxime Devos
crodges schreef op zo 29-08-2021 om 14:53 [-0700]:
> Hello everyone,
> 
> Let me start thanking you for developing such an interesting project in GNU
> Guix. Also, I don't want to take up anyone's time, so you can just point to
> documentation or other resource succinctly and I'll do my best. I'm writing
> here because I tried the help list but no answer so far, after a few days.
> 
> I managed to configure wireguard on a vps running guix and created clients
> for my desktop and cellphone. What I want to do (and did already in a Debian
> vps) is to make wireguard's lan accessible to anyone connected and also
> browse the internet using this vpn.

The Wireguard service as defined in Guix System doesn't currently support the
forwarding you appear to describe ...

> As I remember, I need to allow ip forwarding using
> 
> sysctl net.ipv4.ip_forward=1
> 
> and I also need to put these rules into wireguard (the server) under 
> [interface],
> 
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

However, I don't see why this couldn't be implemented in Guix System
(after some changes to wireguard-service-type).

> Problem is, looking at the latest guix manual, PostUp and PostDown don't
> seem to exist yet. Do they exist but are still undocumented?

Guix uses "wg-quick", so it would seem they do exist, but are inaccessible
from Guix.  The configuration file is created in wireguard-configuration-file
(in gnu/services/vpn.scm), maybe you can modify that.

> If they don't exist, where should be a reasonable place to add these
> configurations?

 and wireguard-configuration-file in (gnu services vpn)
it would seem.  Also, sysctl-service-type would need to be extended (in
the ‘service-extension’ meaning of the word) to set net.ipv4.ip_forward
appropriately.

> I'm trying to do everything the guix way, when I finish this 
> machine configuration, I'd like it to be fully replicable.
> 
> Also, is this something that I could solve modifying the wireguard service 
> definition itself?

If replicability is all you need, you could add ‘postdown’ and ‘postup’
options to , which would need to be set to the
commands above.  However, these strings seem rather complicated for the
uninitiated, so I'd recommend something more high-level instead.  Some
interface like

  (wireguard-configuration
    [...]
    (addresses ...)
    (peers ...)
    (forward? #t))

perhaps?  Make sure to add some documentation to ‘Wireguard’ in (guix)VPN
Services. (Maybe add some example situations on how forward? can be used and
how it functions.)

I want to note that I don't understand what exactly you're doing, I only
understand that there is some forwarding going on, and I'm not unfamiliar with
networking issues (e.g. I recently figured out why I couldn't connect to the
Internet with the ISP-provided ‘4G minimodem’ -- DNS was b0rken).  So
explaining forward? to laypeople might take some care.

Writing a corresponding ‘system test’ in gnu/tests/networking.scm is
recommended.

Greetings,
Maxime.


signature.asc
Description: This is a digitally signed message part
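
Added example, not part of the thread and not Guix's own code: one way the high-level forward? idea discussed above could expand into the PostUp/PostDown lines quoted in the original question. The procedure names, the #:wan parameter and the interface-name check are assumptions made for illustration; wg-quick hands hook strings to bash and expands %i to the tunnel interface, so the outbound interface name is validated before it is interpolated.

```scheme
;; Added illustration in plain Guile; it does not use or modify
;; (gnu services vpn).  All names below are hypothetical.
(use-modules (srfi srfi-1)      ; append-map
             (ice-9 match))

;; wg-quick runs PostUp/PostDown through bash as root, so the only
;; value interpolated into the hook (the outbound interface) is
;; restricted to characters that cannot alter the command.
(define %safe-chars
  (char-set-union
   (char-set-intersection char-set:ascii char-set:letter+digit)
   (string->char-set "_.-")))

(define (safe-interface-name? name)
  "True if NAME is 1 to 15 characters long and made of %safe-chars only."
  (and (string? name)
       (<= 1 (string-length name) 15)
       (string-every %safe-chars name)))

;; The four rules from the question, as (COMMAND TABLE-ARGS CHAIN ARGS).
;; "%i" is left for wg-quick to replace with the tunnel interface.
(define (forwarding-rules wan)
  (append-map
   (lambda (cmd)
     (list (list cmd '() "FORWARD" '("-i" "%i" "-j" "ACCEPT"))
           (list cmd '("-t" "nat") "POSTROUTING"
                 (list "-o" wan "-j" "MASQUERADE"))))
   '("iptables" "ip6tables")))

(define (rule->command action rule)
  "Render RULE with ACTION, which is \"-A\" to add or \"-D\" to delete."
  (match rule
    ((cmd table chain args)
     (string-join (append (list cmd) table (list action chain) args)
                  " "))))

(define (hook-line key action rules)
  (string-append
   key " = "
   (string-join (map (lambda (r) (rule->command action r)) rules)
                "; ")))

(define* (forwarding-hooks #:key (forward? #f) (wan "eth0"))
  "Return the extra [Interface] lines for FORWARD?, or '() when it is #f.
PostDown is derived from the same rule list as PostUp, so every rule that
is added is also removed.  net.ipv4.ip_forward is not handled here; the
thread suggests extending sysctl-service-type for that."
  (cond ((not forward?) '())
        ((not (safe-interface-name? wan))
         (error "unsafe outbound interface name:" wan))
        (else
         (let ((rules (forwarding-rules wan)))
           (list (hook-line "PostUp" "-A" rules)
                 (hook-line "PostDown" "-D" rules))))))

;; Print the two lines for the set-up described in the thread.
(for-each (lambda (line) (display line) (newline))
          (forwarding-hooks #:forward? #t #:wan "eth0"))

;; Constructed negative case: a value carrying a space and ';' fails
;; the check, so forwarding-hooks would raise instead of emitting it.
(display (safe-interface-name? "eth0; touch /tmp/x"))
(newline)
```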