WireGuard is partially broken on NixOS

Hi folks,

A year ago when I used Debian I remember that I used two WireGuard tunnels at the same time:

# first.conf
...
AllowedIPs = 0.0.0.0/0
...
# second.conf
...
AllowedIPs = 1.2.3.4/32, 5.6.7.8/32
...

And it worked (simply via wg-quick up). In other words, everything went through first except when I wanted to connect to 1.2.3.4 and 5.6.7.8; those connections used the second interface.

For some strange reason, it doesn't work now that I'm on NixOS. I confirmed that both first and second work with AllowedIPs = 0.0.0.0/0, but when I connect both, or when I connect the second only, I can't reach 1.2.3.4 and 5.6.7.8.

I spent several hours trying to debug it. It's not a FW issue (I ran nft flush ruleset to make sure) and it's not a DNS issue, since I tried to connect to 1.2.3.4 and 5.6.7.8 directly.

Could you please help?

Is it possible that WireGuard is somehow broken on NixOS?

Thank you.

Could it be that the order of the configurations matters? Maybe you need the special case first and then the catch-all one?

Check your routing table & rules:

ip route show table all
ip rule

Thank you for the reply.

That looks as it should - the default one adds an ip rule and the non-default one just adds entries to the default routing table.

I discovered that it is Network Manager that causes the issue. When I reboot and do all the configuration via wg-quick, everything works fine. All traffic uses the default VPN except traffic to the AllowedIPs of the second VPN.

But when I import the file via Network Manager (nmcli connection import type wireguard file), only the default VPN works. The VPN with the specified IPs doesn't. So it's definitely not a problem in NixOS.

Thank you.
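As an added illustration (not code from the thread or from wg-quick), the Python model below reproduces the routing split that the wg-quick case above relies on: a 0.0.0.0/0 AllowedIPs tunnel gets a default route in table 51820 plus the `not fwmark` / `suppress_prefixlength 0` policy rules you see in `ip rule`, while narrower AllowedIPs become ordinary routes in the main table, so the specific prefixes win over the catch-all. The conf contents and interface names `first`/`second` are constructed to mirror the two files in the original post.

```python
import ipaddress
import re

# Constructed stand-ins for the two conf files in the thread.
FIRST_CONF = "[Peer]\nAllowedIPs = 0.0.0.0/0\n"
SECOND_CONF = "[Peer]\nAllowedIPs = 1.2.3.4/32, 5.6.7.8/32\n"
WG_TABLE = 51820  # routing table (and fwmark) wg-quick uses for 0.0.0.0/0 tunnels


def allowed_ips(conf):
    """Return every AllowedIPs network listed in a wg-quick config."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            nets += [ipaddress.ip_network(p.strip()) for p in m.group(1).split(",")]
    return nets


def build_tables(confs):
    """Model what wg-quick installs per tunnel: a /0 gets a default route in
    table 51820 plus the policy rules; narrower prefixes go into main."""
    tables = {"main": [], WG_TABLE: []}
    rules = set()
    for iface, conf in confs.items():
        for net in allowed_ips(conf):
            if net.prefixlen == 0:
                tables[WG_TABLE].append((net, iface))
                rules.add(f"not from all fwmark 0x{WG_TABLE:x} lookup {WG_TABLE}")
                rules.add("from all lookup main suppress_prefixlength 0")
            else:
                tables["main"].append((net, iface))
    return tables, sorted(rules)


def route(dst, tables):
    """Resolve dst as the kernel does under those rules: main table first
    (its default route suppressed), then table 51820 for everything else."""
    dst = ipaddress.ip_address(dst)
    hits = [(n, i) for n, i in tables["main"] if n.prefixlen > 0 and dst in n]
    if hits:
        return max(hits, key=lambda h: h[0].prefixlen)[1]  # longest prefix wins
    for net, iface in tables[WG_TABLE]:
        if dst in net:
            return iface
    return "physical uplink"  # no tunnel claims this destination


if __name__ == "__main__":
    tables, rules = build_tables({"first": FIRST_CONF, "second": SECOND_CONF})
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, "->", route(ip, tables))
```

Comparing this model against the real `ip rule` and `ip route show table all` output is a quick way to see which of the two tunnels' routes a different import path (such as NetworkManager's) did not install.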
