I’m thinking about using NixOS for a home router. (or vanlife)
Or use non declarative OPNsense?
Has anyone done this successfully before? Or am I in uncharted waters?
What hardware did you use?
The possibilities I’m thinking about:
multiple rj45 1G
dual wifi 2.4 & 5
sims: 1 or 2 (1 or 2 modems)
x86 or aarch
low power
ecc memory (zfs)
open source
more advanced/future proof:
rj45 10G
sfp
software:
auto boot after power failure / unencrypted disk
firewall
forward some traffic to home server
wireguard vpn(some home server services only available behind vpn)
I do, but it’s not handling WiFi or switching. I have a Raspberry Pi Compute Module 4 on this DFRobot router carrier board acting as NAT, DHCP server, and DNS server on my local network. It plugs into a Ubiquiti switch that powers two Ubiquiti wireless access points. So it’s not full NixOS like I’d like, but I had a really hard time finding acceptable hardware for a good DIY WiFi AP.
It works great though. I had to fumble about getting NixOS to boot on it because the CM4 wasn’t supported at the time, but it should work with the standard SD image as of a week or so ago. I tested it with devices on either side of the NAT and it was able to get full gigabit speed across it.
And I really like having NixOS on the thing. More than once, I’ve made use of NixOS’s ability to rollback generations in the boot loader. I also have the root fs on ZFS (sidenote: You don’t need ECC for ZFS; that’s a myth. I’m running ZFS on a pi on an SD card. You’ll be fine). All in all, great experience, would recommend, as long as your hardware is well supported.
I don’t really use it for VPN in any meaningful capacity. It is on my tailscale account though, just so I can remote into it easily when necessary. Testing iperf3 over that, looks like I get about 200Mbps over the gigabit link between my desktop and the pi, if that’s any indication of how well it handles encrypting network traffic.
Thank you, that should be enough for my use case
Now I only have to wait for the Pis to become available…
@mackenzie a lot of people use these for home built routers but I don’t really know how up to date the hardware is and if it works with NixOS. https://pcengines.ch/apu2.htm
However I can tell you that they are running quite well.
Once you managed to install them, only possible with serial console…
You can configure a wifi access point on NixOS with hostapd. I’ve done it with the Pi’s wifi interface, and it does work. But the hard part is getting good wifi hardware for the task, particularly if you want a dual-band network.
I use NixOS on my router. You can see the config here. I use a Protectli Vault firewall appliance for my router. Wi-Fi is handled by a pair of Orbis in AP mode.
I’m thinking about using NixOS for a home router. (or vanlife) Or use non declarative OPNsense? Has anyone done this successfully before? or am I in uncharted waters?
I’m using both, which obviously come with their own pros and cons.
The NixOS router is for home use. Having a canonical source of truth for your network and using that to generate DNS/DHCP configuration and so on is just fantastic. Current software:
dnsmasq for DNS/DHCP
VPN (wireguard)
mosquitto (MQTT broker)
mitmproxy
The main “pro” is of course that you can make it do anything you need. The largest downside compared to OPNsense (which we’re currently using for work and it’s awesome - it’s far better than any of the watchguard, sophos, fortinet stuff you can otherwise find) is that OPNsense will let you know when you try to apply an invalid configuration and just not let you do that. With NixOS you can end up hosing dnsmasq on the router and then be without DNS.
What hardware did you use?
A super old Sophos (then Astaro) ASG 120 r4 small-business firewall. I mean, this thing was outdated 5 years ago. Someone was throwing it away due to getting a replacement and after swapping the HDD for a small SSD, this thing flies.
I hadn’t actually tried to see how much it would handle, so I just gave it a go. CPU is maxed out when doing about 200 Mbps over the wireguard VPN (it’s a 500/500 connection).
CPU is Atom N450 @ 1.66GHz (single core with HT). Keep in mind that this is a 12-year-old CPU and anything made within the last couple of years is going to be able to saturate the 500/500 without breaking a sweat.
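To show what a “canonical source of truth” router config like the one described above can look like in practice, here is an added example of a NixOS module that does NAT, a firewall that forwards one port to a home server, a WireGuard endpoint, and dnsmasq-driven DNS/DHCP. It is not the poster’s config and not from any project on this thread; interface names (wan0, lan0, wg0), the 192.168.10.0/24 and 10.100.0.0/24 ranges, the home server address, the MAC address and the peer key are all placeholders chosen for the example.

```nix
# Added example module, not any poster's configuration.
# Assumed names: wan0 = upstream link, lan0 = inside link, wg0 = WireGuard.
# Assumed addresses: LAN 192.168.10.0/24, home server 192.168.10.20,
# VPN 10.100.0.0/24. Replace all of these for a real deployment.
{ config, pkgs, lib, ... }:
{
  # Routing between interfaces is off by default; the router needs it on.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking = {
    hostName = "router";
    useDHCP = false;
    interfaces.wan0.useDHCP = true;
    interfaces.lan0.ipv4.addresses = [
      { address = "192.168.10.1"; prefixLength = 24; }
    ];

    # Masquerade LAN and VPN traffic out of the WAN interface.
    nat = {
      enable = true;
      externalInterface = "wan0";
      internalInterfaces = [ "lan0" "wg0" ];
      # Forward public TCP/443 to the home server; nothing else is exposed.
      forwardPorts = [
        { sourcePort = 443; destination = "192.168.10.20:443"; proto = "tcp"; }
      ];
    };

    firewall = {
      enable = true;
      # Globally (i.e. on the WAN side) only the WireGuard port is reachable.
      allowedUDPPorts = [ 51820 ];
      # DNS and DHCP served by the router are reachable only from inside/VPN.
      interfaces.lan0.allowedTCPPorts = [ 53 ];
      interfaces.lan0.allowedUDPPorts = [ 53 67 ];
      interfaces.wg0.allowedTCPPorts = [ 53 ];
      interfaces.wg0.allowedUDPPorts = [ 53 ];
    };

    # Services reachable only "behind the VPN" live on the wg0 side.
    wireguard.interfaces.wg0 = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      # Key file created out of band; a key in the Nix store is world-readable.
      privateKeyFile = "/var/lib/wireguard/wg0.key";
      peers = [
        {
          publicKey = "PLACEHOLDER_PEER_PUBLIC_KEY";  # placeholder, not a real key
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };

  # One dnsmasq instance serves both DNS and DHCP for LAN and VPN clients.
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = [ "lan0" "wg0" ];
      bind-interfaces = true;
      domain-needed = true;   # never forward bare hostnames upstream
      bogus-priv = true;      # never forward reverse lookups for private ranges
      dhcp-range = [ "192.168.10.100,192.168.10.200,12h" ];
      # Static lease and local name for the home server (placeholder MAC).
      dhcp-host = [ "aa:bb:cc:dd:ee:ff,homeserver,192.168.10.20" ];
      address = [ "/homeserver.lan/192.168.10.20" ];
    };
  };
}
```

The “hosing dnsmasq and being without DNS” failure mode is real: Nix evaluates the module, but dnsmasq only rejects a bad option when the service starts. A cheap guard is to run `nixos-rebuild build` first (catches evaluation errors), then `nixos-rebuild test` (activates without creating a boot entry, so a power cycle returns to the last known-good generation) and only `nixos-rebuild switch` once `systemctl status dnsmasq` shows it up.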
This does make me wonder what the minimal requirements for running nixos are. I’ve contemplated this a few times before, but my router doesn’t have the 20GB of disk space all my other systems seem to need for NixOS (I think it has barely 2GB or so).
That, or write my own router-targeting nixos.
Thanks, I was wondering how all these people are pulling this off, guess not everybody uses puny hardware.
I use NixOS on a Turris Omnia. Wifi works fine. Biggest pain points are lacking binary caches and Firewall software. Writing manual nftables rules does get a bit annoying at times.
I’m running NixOS as a router/firewall/vpn on a PC Engines apu1c4 product file The only downside I found is that the device can do max 500Mbps PPPoE. I’m not running WiFi on it because configuring multiple SSIDs on different VLANs proved too difficult, my UniFi access points now handle this.