I followed the NixOS wiki guide to use `networking.wireguard.interfaces` to set up the server and client.
After `sudo nixos-rebuild switch` a new interface `wg0` appeared and no error was reported.
But the client does not seem to perform the handshake at all.
I pinged the gateway IP (the WireGuard server's allowedIPs) and ping complained:

```
$> ping 172.168.0.1
From 172.168.0.2 icmp_seq=143 Destination Host Unreachable
ping: sendmsg: Required key not available
```

I used `dmesg` to check the connection and the error message was:

```
wireguard: wg0: No peer has allowed IPs matching 172.168.0.1
```

No other information about WireGuard was shown in dmesg.
I have confirmed that `udp://server:51820` is reachable from the client by using netcat.
I also used NetworkManager to make the connection, but the same dmesg message is shown.
Can anyone give me some advice? Thanks.
The server side configuration is as follows:

```nix
{
  networking.firewall = {
    enable = true;
    allowedUDPPorts = [ 51820 ];
  };

  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = lib.mkOverride 98 true;
    "net.ipv4.conf.default.forwarding" = lib.mkOverride 98 true;
  };

  networking.nat = {
    enable = true;
    externalInterface = "ens3";
    internalInterfaces = [ "wg0" ];
  };

  networking.wireguard.interfaces = {
    wg0 = {
      # Determines the IP address and subnet of the server's end of the tunnel interface.
      ips = [ "172.168.0.1/24" ];

      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51820;

      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.168.0.0/24 -o ens3 -j MASQUERADE
      '';

      # This undoes the above command
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.168.0.0/24 -o ens3 -j MASQUERADE
      '';

      # Path to the private key file.
      #
      # Note: The private key can also be included inline via the privateKey option,
      # but this makes the private key world-readable; thus, using privateKeyFile is
      # recommended.
      privateKeyFile = "/etc/nixos/wireguard-keys/private";

      peers = [
        # List of allowed peers.
        {
          publicKey = "9SHyFIJn1C+upZh2WrLr67c0w09lPuhJ5dExGcEH1X0=";
          allowedIPs = [ "172.168.0.2/32" ];
        }
      ];
    };
  };
}
```
The client side configuration is:

```nix
{
  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP address and subnet of the client's end of the tunnel interface.
      ips = [ "172.168.0.2/24" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)

      privateKey = "wCnDRMWbqrtQs0EafPRWyM7DAfkFfsRH0aWYOXvWYWI=";

      peers = [
        # For a client configuration, one peer entry for the server will suffice.
        {
          # Public key of the server (not a file path).
          publicKey = "9SHyFIJn1C+upZh2WrLr67c0w09lPuhJ5dExGcEH1X0=";

          # Route only the tunnel subnet via the VPN (0.0.0.0/0 would forward all traffic).
          allowedIPs = [ "172.168.0.0/24" ];

          endpoint = "<SERVER_IP>:51820";

          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
          persistentKeepalive = 25;
        }
      ];
    };
  };
}
```
The NetworkManager config is:

```ini
[Interface]
# your own IP on the wireguard network
Address = 172.168.0.2/24
Table = auto
PrivateKey = wCnDRMWbqrtQs0EafPRWyM7DAfkFfsRH0aWYOXvWYWI=

[Peer]
PublicKey = 9SHyFIJn1C+upZh2WrLr67c0w09lPuhJ5dExGcEH1X0=
# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
AllowedIPs = 172.168.0.0/24, ::/0
# ip and port of the peer
Endpoint = <server IPv4>:51820
```
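The dmesg line in the post is what the kernel reports when the destination address matches no peer the interface actually holds. The script below is an added example (not part of the post, the NixOS module or WireGuard itself): it derives the public key from a base64 private key the way `wg pubkey` does, flags a peer entry that carries the interface's own public key rather than the other side's, and reports a destination that lies outside every peer's AllowedIPs. The keys are the RFC 7748 "Alice"/"Bob" test vectors and the sample peer lists are constructed; only the addresses come from the post.

```python
import base64, ipaddress

P = 2**255 - 19  # Curve25519 field prime

def x25519(k: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder, pure Python); u defaults to the base point."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # clamp the scalar
    k, x1 = int.from_bytes(kb, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(private_b64: str) -> str:
    """The public key WireGuard derives from a base64 private key (what `wg pubkey` prints)."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()

def check_peers(private_b64: str, peers: list, dest: str) -> list:
    """peers: [(peer_public_b64, ["cidr", ...]), ...]. Returns the problems found."""
    own_pub, problems = wg_pubkey(private_b64), []
    for pub, allowed in peers:
        if pub == own_pub:  # a peer must carry the *other* side's key, never this interface's own
            problems.append("peer uses this interface's own public key")
    nets = [ipaddress.ip_network(c, strict=False) for _, allowed in peers for c in allowed]
    if not any(ipaddress.ip_address(dest) in n for n in nets):  # v4 addr in v6 net is just False
        problems.append(f"no peer has AllowedIPs matching {dest}")
    return problems

# Constructed sample (not from the post): RFC 7748 section 6.1 "Alice" and "Bob" keys.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()
# Wrong: the client's own public key pasted into its [Peer] section.
BAD = check_peers(b64(ALICE_PRIV), [(b64(ALICE_PUB), ["172.168.0.0/24", "::/0"])], "172.168.0.1")
# Right: the server's (Bob's) public key in the [Peer] section.
GOOD = check_peers(b64(ALICE_PRIV), [(b64(BOB_PUB), ["172.168.0.0/24", "::/0"])], "172.168.0.1")
```

To check a real config, pass the interface's PrivateKey and the [Peer] entries from the file to `check_peers`, and compare `wg_pubkey` of each side's private key with what the other side lists.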