!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

914 Members, 272 Servers
Declaratively manage your switching, routing, wireless, tunneling and more.

16 Apr 2026
antifuchs (@antifuchs:asf.computer): yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*), whereas now I have to match the renamed name that a preceding .link file effects (19:09:41)
magic_rb (@magic_rb:matrix.redalder.org): How wonderful (20:28:33)
oddlama (@oddlama:matrix.org):
In reply to @antifuchs:asf.computer
yeuuuup, looks like [Match] block semantics changed: previously in a .network file I had to match the "old" name (enp*) when now I have to match the renamed name that a preceding .link file effects
I always had the least amount of pain when I matched hardware interfaces by MACAddress
20:44:22
TyIsI (@tyisi:matrix.org) joined the room. (23:14:12)
17 Apr 2026
antifuchs (@antifuchs:asf.computer):
In reply to @oddlama:matrix.org
I always had the least amount of pain when I matched hardware interfaces by MACAddress
Well, I did that in addition, but since there are bridges with inherited MACs in the mix, the config also has to match on device names
02:59:52
antifuchs (@antifuchs:asf.computer): It's supremely annoying and makes me want to redo the whole thing but also … not (03:00:11)
hexa (@hexa:lossy.network): that breaks with vlans though (03:06:55)
c4lliope (@c4lliope:matrix.org) set a profile picture. (08:36:58)
c4lliope (@c4lliope:matrix.org) changed their profile picture. (08:41:50)
dish [Fox/It/She] (@pyrox:pyrox.dev) changed their profile picture. (16:58:37)
antifuchs (@antifuchs:asf.computer): Kind= might be a bit less painful tbh, but ughhh testing this means a reboot each time (17:47:45)
hexa (@hexa:lossy.network): you can check networkctl for the correct kind (18:08:16)
22 Apr 2026
gamayagama (@gamayagama:tchncs.de) joined the room. (19:19:00)
24 Apr 2026
@d:bugpara.de left the room. (20:52:21)
25 Apr 2026
Luke (@luke:vuksta.com): I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time (00:11:34)
hexa (@hexa:lossy.network): how so (00:12:28)
Luke (@luke:vuksta.com):

Well, I made an attempt to go from this:

  networking.wg-quick.interfaces = {
    wg0 = {
      address = [
        "10.0.0.2/24"
        "fdc9:281f:04d7:9ee9::2/64"
      ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey";

      peers = [
        {
          publicKey = "key1";
          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
          allowedIPs = [
            # only route vpn related services
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          endpoint = "ip1:port1"; # placeholder host:port, as for wg1 below
          persistentKeepalive = 25;
        }
      ];
    };
    wg1 = {
      address = [
        "10.0.1.2/24"
        "fdc9:281f:04d7:9eea::2/64"
      ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey_wg1";

      peers = [
        {
          publicKey = "key2";
          allowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          endpoint = "ip2:port2";
          persistentKeepalive = 25;
        }
      ];
    };
  };

to this:

  networking.useNetworkd = true;
  systemd.network = {
    networks."10-enp5s0" = {
      matchConfig.Name = "enp5s0";
      networkConfig.DHCP = "yes";
    };
    networks."50-wg0" = {
      matchConfig.Name = "wg0";
      address = [
        "fdc9:281f:04d7:9ee9::2/64"
        "10.0.0.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      #networkConfig = {
      #  DNSDefaultRoute = true;
      #};
      routingPolicyRules = [
        {
          Family = "both";
          InvertRule = true;
          FirewallMark = 94;
          Table = 1337;
          Priority = 10;
        }
        {
          To = "ip1/32"; # use /32 for IPv4
          Priority = 5;
        }
      ];
    };
    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey";
        #RouteTable = "main";
        FirewallMark = 94;
      };
      wireguardPeers = [
        {
          PublicKey = "key1";
          PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key";
          AllowedIPs = [
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          RouteTable = 1337;
          Endpoint = "ip1:port1";
          PersistentKeepalive = 25;
        }
      ];
    };
    networks."50-wg1" = {
      matchConfig.Name = "wg1";
      address = [
        "fdc9:281f:04d7:9eea::2/64"
        "10.0.1.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
    };
    netdevs."50-wg1" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg1";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1";
        RouteTable = "main";
      };
      wireguardPeers = [
        {
          PublicKey = "key2";
          AllowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          Endpoint = "ip2:port2";
          PersistentKeepalive = 25;
        }
      ];
    };
  };

and it kinda worked.

04:54:13
Luke (@luke:vuksta.com): But I have major gripes (04:54:57)
Luke (@luke:vuksta.com): First, systemd.network does not behave like you expect from a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up. (04:55:50)
Luke (@luke:vuksta.com): Second, for some reason this broke docker container to container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured (04:56:45)
Luke (@luke:vuksta.com): I ended up swapping back to wg-quick for now since it's been such a pain (04:57:23)
Luke (@luke:vuksta.com): I guess my routing table there was sending docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make (04:59:28)
26 Apr 2026
debugloop (@debugloop:bugpara.de) joined the room. (03:44:06)
debugloop (@debugloop:bugpara.de) left the room. (23:25:18)
29 Apr 2026
brittonr (@brittonr_:matrix.org) removed their profile picture. (14:44:31)
30 Apr 2026
Cadair (@cadair:cadair.com):

hey, I'm slowly going insane trying to configure my router to send certain traffic over a wireguard tunnel. As far as I can tell I have the wireguard connection up (I see handshakes and sent / received bytes in wg status). I set a route over the tunnel though and no traffic actually makes it across. I'd really appreciate some pointers on how to debug, I've exhausted my relatively limited networking knowledge.

I'm using systemd-networkd, I have a bridge interface (for my lan switch), a wan interface, and a whole bunch of wireguard interfaces, and routing across most of the wireguard interfaces works fine, but they are in private subnets. What I'm trying to do with this one is send some traffic to a public IP on the internet over a wireguard interface rather than my default route.

13:53:52
K900 (@k900:0upti.me): Is the machine on the other end configured to actually forward packets? (13:56:05)
Cadair (@cadair:cadair.com): yeah it's mullvad (14:00:03)
K900 (@k900:0upti.me): And what is allowedIPs set to on the interface? (14:00:32)
