NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

wireguard service does not have an option for a config file #321950

Open auroraanna opened 2 weeks ago

auroraanna commented 2 weeks ago

Describe the bug

wireguard supports configuration files but with the wireguard service some config options are missing like DNS in the [Interface] section. This means that with my current setup, the DNS server is running on 127.0.0.53 (systemd-resolved) but obviously can't be reached from inside the network namespace I set wireguard up to run in.

Steps To Reproduce

Steps to reproduce the behavior:

  1. sudo ip netns add tun0
  2. run wireguard service with interfaceNamespace = "tun0"; option
  3. sudo ip netns exec tun0 nslookup … -> ;; communications error to 127.0.0.53#53: connection refused

Expected behavior

A configFile option and/or extraConfig option exists for the wireguard service and there should be a dns option for the wireguard service.

Notify maintainers

@stuebinm @jonringer

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.33, NixOS, 24.11 (Vicuna), 24.11.20240620.d603719`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"nixos"`
 - nixpkgs: `/nix/store/xfpiyfgf6y30fxk5ngv0cjn474qfr3sj-source`

Add a :+1: reaction to issues you find important.

stuebinm commented 2 weeks ago

Hi! Unfortunately I can't really help you with this, since I don't actually do anything related to wireguard in nixpkgs, nor have I ever done so. I'm actually somewhat curious how you decided on pinging me & jonringer? (usually when I get pinged like this, it's because one of my treewide-change commits happened to be the last commit that touched a file, but that's not the case for the wireguard module; and I can't find anything by jonringer touching it at all — incidentally, jonringer was recently permanently banned from nixpkgs, so pinging him is also unlikely to get any result)

auroraanna commented 2 weeks ago

Oopsie… I picked you because you were both the last people that touched the wireguard module, though.

I just realized, though, that the DNS config option is specific to wg-quick, as well as other config options, it seems. Still, VPN providers say that the config they give you is a wireguard config, not a wg-quick config.

Still, the wg command supports config files.
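The two points the thread has reached so far, that the `wg` tool reads config files while `DNS` (like `Address`, `MTU` and the hook keys) is a wg-quick(8) addition that `wg setconf` does not accept, and that a resolver listening on 127.0.0.53 in the root namespace is unreachable from inside `tun0`, lead to a small workaround script. The following is an added example, not code from the issue, from the nixpkgs wireguard module or from any VPN provider: it splits a provider's wg-quick style file into the subset wg(8) accepts plus the DNS servers, and emits the latter as a `resolv.conf` for `/etc/netns/tun0/`, which `ip netns exec` bind-mounts over `/etc/resolv.conf` inside that namespace (see ip-netns(8)). The config text, the all-zero keys and the 10.64.0.0/16 and 203.0.113.10 addresses are constructed for illustration; the key lists are taken from the wg(8) and wg-quick(8) manual pages.

```shell
#!/bin/sh
# Added example, not part of the nixpkgs issue or the wireguard module.
# Splits a wg-quick(8) style config into (a) the keys wg(8) `setconf`
# understands and (b) the DNS servers, which only wg-quick handles.
set -eu

# Constructed sample in the shape VPN providers hand out.
# Keys are dummy all-zero values, not real key material.
SAMPLE_CONF='[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.64.0.2/32
DNS = 10.64.0.1, 10.64.0.2
MTU = 1380

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
'

# Print the DNS servers listed in [Interface], one per line.
wgquick_dns() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sect = $0; next }
        sect ~ /^\[Interface\]/ && /^[ \t]*DNS[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, s, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) print s[i]
        }'
}

# Drop the [Interface] keys that wg-quick(8) adds on top of wg(8); what is
# left is valid input for `wg setconf <ifname> <file>`. [Peer] keys are
# all native wg(8) keys and pass through unchanged.
wg_setconf_compat() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sect = $0; print; next }
        {
            key = $0
            sub(/[ \t]*=.*/, "", key)
            sub(/^[ \t]*/, "", key)
            if (sect ~ /^\[Interface\]/ &&
                key ~ /^(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)$/)
                next
            print
        }'
}

# Render the DNS servers as a resolv.conf. Written to /etc/netns/<ns>/resolv.conf,
# it is what `ip netns exec <ns>` bind-mounts over /etc/resolv.conf, so tools
# inside the namespace stop asking the unreachable 127.0.0.53 stub resolver.
netns_resolv_conf() {
    wgquick_dns "$1" | awk '{ print "nameserver " $1 }'
}

# Stand-alone run: show both halves of the split.
echo "# input for: wg setconf wg0 /dev/stdin"
wg_setconf_compat "$SAMPLE_CONF"
echo "# contents for /etc/netns/tun0/resolv.conf"
netns_resolv_conf "$SAMPLE_CONF"
```

In practice the `wg setconf` half is run after the interface has been moved into the namespace, and the `resolv.conf` half is written before any `ip netns exec tun0 …` lookups; the DNS addresses themselves must be routed through the tunnel (they are inside `AllowedIPs` here), otherwise the namespace still has no path to a resolver.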

stuebinm commented 2 weeks ago

> the last people that touched the wireguard module though

Ah, I think I see the confusion: we are, but only on the release-24.05 branch, while on master there are newer commits.

Anyway, if you need wg-quick features: have you looked at the networking.wg-quick options?

auroraanna commented 2 weeks ago

I can't use the wg-quick service because it doesn't support network namespacing. Writing my own systemd service with the wg-quick command also didn't work because it would configure the wireguard interface (as the default gateway) before I could put it into the namespace.