User talk: Amscto

From NixOS Wiki

The first client setup has tripped a few people up: https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 and https://github.com/NixOS/nixpkgs/issues/51258

I suggest pointing people to use the wg-quick solution instead. That uses fwmark to neatly handle the routing to endpoint connections. In my test (fresh NixOS, only adding WireGuard as the first thing), wg-quick worked as documented in the Wiki (client setup without it did not).

iptables-save gives a clue to how it operates:

 *mangle
 -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
 -A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
 *raw
 -A PREROUTING -d 10.0.0.108/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
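As an added illustration (not part of the talk page post above), a small checker that parses an iptables-save dump and confirms the three wg-quick(8) rules quoted above are present for a given interface: the CONNMARK restore/save pair in mangle that keeps reply traffic on the fwmark route, and the raw anti-spoof DROP for the tunnel address. The sample dump is constructed from the rules quoted on this page; the interface name, fwmark and tunnel address are taken from them.

```python
from typing import Dict, List

# Constructed sample: the wg-quick rules quoted in the post, in iptables-save layout.
SAMPLE = """\
*mangle
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
*raw
-A PREROUTING -d 10.0.0.108/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
"""


def parse_tables(dump: str) -> Dict[str, List[str]]:
    """Group the -A rule lines of an iptables-save dump by table name (*mangle, *raw, ...)."""
    tables: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def check_wg_quick_rules(dump: str, iface: str, fwmark: str, tunnel_ip: str) -> Dict[str, bool]:
    """Report which of the expected wg-quick rules for `iface` are present in `dump`."""
    tables = parse_tables(dump)
    tag = f'--comment "wg-quick(8) rule for {iface}"'
    mangle = [r for r in tables.get("mangle", []) if tag in r]
    raw = [r for r in tables.get("raw", []) if tag in r]
    return {
        # Inbound UDP: copy the conntrack mark back onto the packet, so the flow
        # keeps its fwmark and stays on the route wg-quick set up for the endpoint.
        "restore_mark": any("-A PREROUTING" in r and "--restore-mark" in r for r in mangle),
        # Outbound UDP already carrying the fwmark: store the mark in conntrack.
        "save_mark": any("-A POSTROUTING" in r and f"--mark {fwmark}" in r
                         and "--save-mark" in r for r in mangle),
        # Anti-spoof: packets for the tunnel address arriving on any interface
        # other than the tunnel, from a non-local source, are dropped early (raw).
        "anti_spoof_drop": any("-A PREROUTING" in r and f"-d {tunnel_ip}/32" in r
                               and f"! -i {iface}" in r and "-j DROP" in r for r in raw),
    }


if __name__ == "__main__":
    print(check_wg_quick_rules(SAMPLE, "wg0", "0xca6c", "10.0.0.108"))
```

Run it against `iptables-save` output from a live host (`iptables-save | python3 -c ...` or by reading the dump into `check_wg_quick_rules`) to confirm the wg-quick rules survived a firewall reconfiguration.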