[SOLVED] Wireguard and firewall weirdness

Until recently this was working, then it stopped working - which is odd - but I do have nixos automatic updates set up.

I host a wireguard ‘server’ and this appears to be working. I’m not using nixos for the server side.

My nixos is a wireguard client. Configured basically like: WireGuard - NixOS Wiki

  networking.firewall = {
    allowedUDPPorts = [ 51820 ]; # wireguard
  };

  # Enable WireGuard
  networking.wg-quick.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP address and subnet of the client's end of the tunnel interface.
      address = [ "10.13.13.4/32" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = "/etc/nixos/secrets/privatekey.wg";

      peers = [
        {
          # Public key of the server (not a file path).
          publicKey = "SECRETKEY=";

          # Pre-shared key file
          presharedKeyFile = "/etc/nixos/secrets/preshare.wg";

          # Forward only particular subnets
          allowedIPs = [ "192.168.1.0/24" ];

          # Set this to the server IP and port.
          endpoint = "mydomain.com:51820";

          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
          persistentKeepalive = 25;
        }
      ];
    };
  };

As I said above - this worked great. The remote machine would connect to my server, and could get to things on the network my server was on. Super great.

Even better - from the server machine, with a few ip route tricks, I could

ssh myuser@10.13.13.4

and get a shell into the remote nixos machine that had initiated the wireguard connection.

Then… it stopped working. I can see from wg show on both ends that the connection seems to be being made, but I can’t figure out why bits are not flowing.

So I start poking around trying to figure it out - and I discover that if I change the firewall

networking.firewall.enable = false;

Yup, disable it entirely - then I can successfully do the

ssh myuser@10.13.13.4

just fine… it seems there is some iptables issue here? But why all of a sudden?

and… I’m left scratching my head as to what I need to do in order to debug the iptables stuff…

Ok – progress… keeping the firewall enabled but adding

  networking.firewall.checkReversePath = false; 

Also fixes me. Still very strange that this wasn’t a problem until recently with no nixos configuration changes (but consuming updates via automatic updates).

My update configuration

  # Perform automatic updates
  system.autoUpgrade.enable = true;
  system.autoUpgrade.allowReboot = true;

  # Periodic garbage collection of the nix store
  nix.gc.automatic = true;

  # Also use links to reduce disk usage
  nix.optimise.automatic = true;

Well - look at that - this is the same conclusion as was found in [SOLVED] Minimal firewall setup for Wireguard client? which matched my subject - but when I read it, I didn’t understand enough to know it was the fix.

While there is a mystery here for me as to why this worked - then suddenly didn’t work - I can live with some mysteries in life.

My ‘client’ nixos wireguard connection wasn’t working. It appears this was due to the RPFilter that the NixOS firewall has by default.

Disabling the filter allows me to still run the firewall, but also get wireguard to behave.

  networking.firewall.checkReversePath = false; 

This may be excessively permissive - but it isn’t running with no firewall, which was my other option.
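A less permissive middle ground, as an added example that is not the poster's configuration: `networking.firewall.checkReversePath` also accepts the string `"loose"` alongside `true`/`false`. Loose mode keeps the reverse-path check but only requires that some route back to the packet's source exists, instead of one that leaves through the interface the packet arrived on, so tunnel traffic is no longer dropped while packets from sources the kernel cannot route at all are still rejected. The interface name, addresses and secret paths below are copied from the first post; the public key is a placeholder.

```nix
# Added example, not the poster's own config: a wg-quick client that keeps the
# NixOS firewall enabled and relaxes (rather than disables) the reverse-path check.
{ config, pkgs, ... }:

{
  networking.firewall = {
    enable = true;
    allowedUDPPorts = [ 51820 ]; # wireguard listen port

    # Default is true (strict): a packet is dropped unless the route back to
    # its source goes out the interface it came in on. The thread's fix,
    #   checkReversePath = false;
    # turns the check off for every interface. "loose" is the smaller step:
    # the source only needs to be routable somewhere, so tunnel traffic passes
    # while unroutable (spoofed) sources are still dropped.
    checkReversePath = "loose";
  };

  networking.wg-quick.interfaces.wg0 = {
    # Client's end of the tunnel, as in the first post.
    address = [ "10.13.13.4/32" ];
    listenPort = 51820; # matches allowedUDPPorts above
    privateKeyFile = "/etc/nixos/secrets/privatekey.wg";

    peers = [
      {
        # Placeholder; use the server's actual public key string here.
        publicKey = "SERVER_PUBLIC_KEY_PLACEHOLDER=";
        presharedKeyFile = "/etc/nixos/secrets/preshare.wg";

        # Only this subnet is routed through (and accepted from) the tunnel.
        allowedIPs = [ "192.168.1.0/24" ];

        endpoint = "mydomain.com:51820";
        persistentKeepalive = 25; # keep NAT mappings alive
      }
    ];
  };
}
```

If `"loose"` is not enough on a given host, the difference between it and `false` is a useful signal: in that case packets are arriving with a source address that the kernel has no route to at all, which is worth understanding before removing the check entirely.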