Which should I use: `networking.wg-quick` or `networking.wireguard`?

rvl · June 6, 2021, 12:30am

There are both wg-quick and wireguard modules in NixOS. Their options are slightly different, but mostly the same, and they seem to do the same thing (I tried both).

Which one is better for when using wireguard as a vpn client?

I have currently configured networking.wireguard, but have two issues with its systemd service.

I don’t want it to start automatically, but didn’t figure out how to stop that. (systemd.services.wireguard-wg0.wantedBy = lib.mkForce [] didn’t seem to work)
The connection doesn’t come up properly after laptop sleep (probably the routes need to added again).

Thoughts?

hmenke · June 7, 2021, 7:56am

On my server I use networking.wireguard sort of like this

# server config
{
   networking.wireguard.enable = true;
   networking.wireguard.interfaces."wg0" = {
     privateKeyFile = "/var/keys/wg0-priv-key";
     ips = [ "10.10.10.1/24" "fc10:10:10::1/64" ];
     listenPort = 1194;
     peers = [                                                                                                                                                                                                                        
       { publicKey = "XnBofROntu+DYUaGC8VK6t8SRpKoYuQ6GjDSZNmFME4=";
         allowedIPs = [ "10.10.10.2/32" "fc10:10:10::2/128" ]; }
     ];
   };
}

On my laptop (the client) I use NetworkManager, so I first write a wg0.conf like

[Interface]
Address = 10.10.10.2/32, fc10:10:10::2/128
PrivateKey = 4FZ5mL3tP/CT7+mo6Vm6pjQuJDl9HiINsYEfLA+GyGk=

[Peer]
PublicKey = 3yR10otKsJmoQc6GAhGcyIgRg1wZmqol9S2QqkgYdB0=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example.com:1194

Then I run

nmcli connection import type wireguard file wg0.conf

which converts the wg0.conf into /etc/NetworkManager/system-connections/wg0.nmconnection and can from then on be managed with the nm-connection-editor. Of course, you can also deploy this file declaratively using

# client config
{
  environment.etc."NetworkManager/system-connections/wg0.nmconnection".text = ''
    [connection]
    id=wg0
    ...
  '';
}

rvl · June 23, 2021, 7:03am

Thanks @hmenke. Why did you choose networking.wireguard over networking.wg-quick?

In my configuration, I have all the peers, addresses, etc., defined in an attrset, and I generate either a networking.wireguard.interfaces configuration, or .nmconnection file from that.

hmenke · June 27, 2021, 10:23am

networking.wireguard generates one unit per peer, whereas networking.wg-quick generates one unit per interface. This means that with networking.wireguard you can add more peers in configuration.nix without restarting the interface. Personally I use networking.wireguard because it was the first thing that I found when searching the docs for Wireguard

vcunat · February 4, 2023, 1:11pm

@hmenke you didn’t post your real private key, right? (I know it’s been a long time ago, but still.)

hmenke · February 4, 2023, 1:23pm

Of course that’s my very real private key for my very real Wireguard deployment at example.com.