NixOS Networking

Sender	Message	Time
17 Apr 2026
	c4lliope changed their profile picture.	08:41:50
	dish [Fox/It/She] changed their profile picture.	16:58:37
antifuchs	Kind= might be a bit less painful tbh, but ughhh testing this means a reboot each time	17:47:45
hexa	you can check networkctl for the correct kind	18:08:16
22 Apr 2026
	gamayagama joined the room.	19:19:00
24 Apr 2026
	@d:bugpara.de left the room.	20:52:21
25 Apr 2026
Luke	I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time	00:11:34
hexa	how so	00:12:28
Luke	Well, I made an attempt to go from this: networking.wg-quick.interfaces = { wg0 = { address = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64" ]; dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ]; privateKeyFile = "/root/wireguard-keys/privatekey"; peers = [ { publicKey = "key1"; presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; allowedIPs = [ # only route vpn related services #"10.0.0.0/24" #"fdc9:281f:04d7:9ee9::/64" # send everything and do NAT "0.0.0.0/0" "::/0" ]; endpoint = "ip1:ip1"; persistentKeepalive = 25; } ]; }; wg1 = { address = [ "10.0.1.2/24" "fdc9:281f:04d7:9eea::2/64" ]; dns = [ "10.0.1.1" "fdc9:281f:04d7:9eea::1" ]; privateKeyFile = "/root/wireguard-keys/privatekey_wg1"; peers = [ { publicKey = "key2"; allowedIPs = [ "10.0.1.0/24" "fdc9:281f:04d7:9eea::/64" ]; endpoint = "ip2:port2"; persistentKeepalive = 25; } ]; }; }; to this: networking.useNetworkd = true; systemd.network = { networks."10-enp5s0" = { matchConfig.Name = "enp5s0"; networkConfig.DHCP = "yes"; }; networks."50-wg0" = { matchConfig.Name = "wg0"; address = [ "fdc9:281f:04d7:9ee9::2/64" "10.0.0.2/24" ]; domains = [ "~." ]; dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ]; #networkConfig = { # DNSDefaultRoute = true; #}; routingPolicyRules = [ { Family = "both"; InvertRule = true; FirewallMark = 94; Table = 1337; Priority = 10; } { To = "ip1/32"; # use /32 for IPv4 Priority = 5; } ]; }; netdevs."50-wg0" = { netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; wireguardConfig = { PrivateKeyFile = "/var/lib/wireguard-keys/privatekey"; #RouteTable = "main"; FirewallMark = 94; }; wireguardPeers = [ { PublicKey = "key1"; PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key"; AllowedIPs = [ #"10.0.0.0/24" #"fdc9:281f:04d7:9ee9::/64" # send everything and do NAT "0.0.0.0/0" "::/0" ]; RouteTable = 1337; Endpoint = "ip1:port1"; PersistentKeepalive = 25; } ]; }; networks."50-wg1" = { matchConfig.Name = "wg1"; address = [ "fdc9:281f:04d7:9eea::2/64" "10.0.1.2/24" ]; domains = [ "~." ]; dns = [ "10.0.1.1" "fdc9:281f:04d7:9eea::1" ]; }; netdevs."50-wg1" = { netdevConfig = { Kind = "wireguard"; Name = "wg1"; }; wireguardConfig = { PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1"; RouteTable = "main"; }; wireguardPeers = [ { PublicKey = "key2"; AllowedIPs = [ "10.0.1.0/24" "fdc9:281f:04d7:9eea::/64" ]; Endpoint = "ip2:port2"; PersistentKeepalive = 25; } ]; }; }; and it kinda worked.	04:54:13
Luke	But I have major gripes	04:54:57
Luke	First, systemd.network does not behave like you expect from a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up.	04:55:50
Luke	Second, for some reason this broke docker container to container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured	04:56:45
Luke	I ended up swapping back to wg-quick for now since it's been such a pain	04:57:23
Luke	I guess my routing table there was sending docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make	04:59:28
26 Apr 2026
	debugloop joined the room.	03:44:06
	debugloop left the room.	23:25:18
29 Apr 2026
	brittonr removed their profile picture.	14:44:31
30 Apr 2026
Cadair	hey, I'm slowly going insane trying to configure my router to send certain traffic over a wireguard tunnel. As far as I can tell I have the wireguard connection up (I see handshakes and sent / recieved bytes in wg status). I set a route over the tunnel though and no traffic actually makes it across. I'd really appreciate some pointers in how to debug, I've exhausted my realatively limited networking knowledge. I'm using systemd-networkd, I have a brigde interface (for my lan switch) a wan interface, and a whole bunch of wireguard interfaces and routing across most of the wireguard interfaces work fine, but they are in private subnets. What I'm trying to do with this one is send some traffic to a public IP on the internet over a wireguard interface rather than my default route.	13:53:52
K900	Is the machine on the other end configured to actually forward packets?	13:56:05
Cadair	yeah it's mullvad	14:00:03
K900	And what is allowedIPs set to on the interface?	14:00:32
Cadair	0.0.0.0/0	14:00:57
K900	That looks normal then	14:01:21
K900	Are you doing NAT on the router?	14:01:23
K900	It's possible that Mullvad won't NAT random packets	14:01:33
K900	So you have to double NAT	14:01:35
Cadair	I have a very very similar config running on another host but where I've made it my default route	14:02:17
Cadair	and that works	14:02:19
K900	That would imply no NAT	14:02:35
Cadair	I've also tried making it the default route on this host and that didn't work either	14:03:31

c4lliope changed their profile picture.

08:41:50

dish [Fox/It/She] changed their profile picture.

16:58:37

antifuchs

Kind= might be a bit less painful tbh, but ughhh testing this means a reboot each time

17:47:45

hexa

you can check networkctl for the correct kind

18:08:16

gamayagama joined the room.

19:19:00

@d:bugpara.de left the room.

20:52:21

Luke

I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time

how so

Well, I made an attempt to go from this:

  networking.wg-quick.interfaces = {
    wg0 = {
      address = [
        "10.0.0.2/24"
        "fdc9:281f:04d7:9ee9::2/64"
      ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey";

      peers = [
        {
          publicKey = "key1";
          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
          allowedIPs = [
            # only route vpn related services
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          endpoint = "ip1:ip1";
          persistentKeepalive = 25;
        }
      ];
    };
    wg1 = {
      address = [
        "10.0.1.2/24"
        "fdc9:281f:04d7:9eea::2/64"
      ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey_wg1";

      peers = [
        {
          publicKey = "key2";
          allowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          endpoint = "ip2:port2";
          persistentKeepalive = 25;
        }
      ];
    };
  };

to this:

  networking.useNetworkd = true;
  systemd.network = {
    networks."10-enp5s0" = {
      matchConfig.Name = "enp5s0";
      networkConfig.DHCP = "yes";
    };
    networks."50-wg0" = {
      matchConfig.Name = "wg0";
      address = [
        "fdc9:281f:04d7:9ee9::2/64"
        "10.0.0.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      #networkConfig = {
      #  DNSDefaultRoute = true;
      #};
      routingPolicyRules = [
        {
          Family = "both";
          InvertRule = true;
          FirewallMark = 94;
          Table = 1337;
          Priority = 10;
        }
        {
          To = "ip1/32"; # use /32 for IPv4
          Priority = 5;
        }
      ];
    };
    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey";
        #RouteTable = "main";
        FirewallMark = 94;
      };
      wireguardPeers = [
        {
          PublicKey = "key1";
          PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key";
          AllowedIPs = [
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          RouteTable = 1337;
          Endpoint = "ip1:port1";
          PersistentKeepalive = 25;
        }
      ];
    };
    networks."50-wg1" = {
      matchConfig.Name = "wg1";
      address = [
        "fdc9:281f:04d7:9eea::2/64"
        "10.0.1.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
    };
    netdevs."50-wg1" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg1";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1";
        RouteTable = "main";
      };
      wireguardPeers = [
        {
          PublicKey = "key2";
          AllowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          Endpoint = "ip2:port2";
          PersistentKeepalive = 25;
        }
      ];
    };
  };

and it kinda worked.

04:54:13

Luke

But I have major gripes

04:54:57

Luke

First, systemd.network does not behave like you expect from a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up.

04:55:50

Luke

Second, for some reason this broke docker container to container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured

04:56:45

Luke

I ended up swapping back to wg-quick for now since it's been such a pain

04:57:23

Luke

I guess my routing table there was sending docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make

04:59:28

debugloop joined the room.

03:44:06

debugloop left the room.

23:25:18

brittonr removed their profile picture.

14:44:31

Cadair

hey, I'm slowly going insane trying to configure my router to send certain traffic over a wireguard tunnel. As far as I can tell I have the wireguard connection up (I see handshakes and sent / recieved bytes in wg status). I set a route over the tunnel though and no traffic actually makes it across. I'd really appreciate some pointers in how to debug, I've exhausted my realatively limited networking knowledge.

I'm using systemd-networkd, I have a brigde interface (for my lan switch) a wan interface, and a whole bunch of wireguard interfaces and routing across most of the wireguard interfaces work fine, but they are in private subnets. What I'm trying to do with this one is send some traffic to a public IP on the internet over a wireguard interface rather than my default route.

13:53:52

K900