!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

878 Members, 255 Servers

Declaratively manage your switching, routing, wireless, tunneling and more. | Don't rely on `networking.*` for interface and routing setup, use systemd-networkd, ifstate or NetworkManager instead. | Set `SYSTEMD_LOG_LEVEL=debug` to debug networking issues with networkd | No bad nft puns, please. | Room recommendations: #sysops:nixos.org

25 Apr 2026
Luke (@luke:vuksta.com): I just tried to swap a wireguard client from wg-quick to systemd.network, and did not have a good time [00:11:34]
hexa (clat on linux when) (@hexa:lossy.network): how so [00:12:28]
Luke (@luke:vuksta.com):

Well, I made an attempt to go from this:

  networking.wg-quick.interfaces = {
    wg0 = {
      address = [
        "10.0.0.2/24"
        "fdc9:281f:04d7:9ee9::2/64"
      ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey";

      peers = [
        {
          publicKey = "key1";
          presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
          allowedIPs = [
            # only route vpn related services
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          endpoint = "ip1:port1";
          persistentKeepalive = 25;
        }
      ];
    };
    wg1 = {
      address = [
        "10.0.1.2/24"
        "fdc9:281f:04d7:9eea::2/64"
      ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
      privateKeyFile = "/root/wireguard-keys/privatekey_wg1";

      peers = [
        {
          publicKey = "key2";
          allowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          endpoint = "ip2:port2";
          persistentKeepalive = 25;
        }
      ];
    };
  };

to this:

  networking.useNetworkd = true;
  systemd.network = {
    networks."10-enp5s0" = {
      matchConfig.Name = "enp5s0";
      networkConfig.DHCP = "yes";
    };
    networks."50-wg0" = {
      matchConfig.Name = "wg0";
      address = [
        "fdc9:281f:04d7:9ee9::2/64"
        "10.0.0.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.0.1"
        "fdc9:281f:04d7:9ee9::1"
      ];
      #networkConfig = {
      #  DNSDefaultRoute = true;
      #};
      # Policy routing that reproduces wg-quick's handling of a 0.0.0.0/0 peer:
      # everything except the tunnel's own encapsulated packets (fwmark 94) is
      # looked up in table 1337, which holds the peer's AllowedIPs routes.
      routingPolicyRules = [
        {
          Family = "both";
          InvertRule = true;
          FirewallMark = 94;
          Table = 1337;
          Priority = 10;
        }
        {
          # Equivalent of wg-quick's "ip rule add table main suppress_prefixlength 0":
          # consult main first but ignore its default route, so directly connected
          # networks (LAN, container bridges) still win over the tunnel.
          # Must sort before the table-1337 rule, hence the lower priority number.
          Family = "both";
          Table = "main";
          SuppressPrefixLength = 0;
          Priority = 9;
        }
        {
          # Keep the peer endpoint reachable via main so the encrypted UDP
          # traffic is not routed back into the tunnel.
          To = "ip1/32"; # use /32 for IPv4
          Priority = 5;
        }
      ];
    };
    netdevs."50-wg0" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        # networkd runs as the systemd-network user; the key file must be readable by it.
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey";
        #RouteTable = "main";
        # Mark encapsulated packets so the InvertRule exemption above applies to them.
        FirewallMark = 94;
      };
      wireguardPeers = [
        {
          PublicKey = "key1";
          PresharedKeyFile = "/var/lib/wireguard-keys/preshared_from_peer0_key";
          AllowedIPs = [
            #"10.0.0.0/24"
            #"fdc9:281f:04d7:9ee9::/64"
            # send everything and do NAT
            "0.0.0.0/0"
            "::/0"
          ];
          # Install this peer's AllowedIPs routes into table 1337 instead of main.
          RouteTable = 1337;
          Endpoint = "ip1:port1";
          PersistentKeepalive = 25;
        }
      ];
    };
    networks."50-wg1" = {
      matchConfig.Name = "wg1";
      address = [
        "fdc9:281f:04d7:9eea::2/64"
        "10.0.1.2/24"
      ];
      domains = [ "~." ];
      dns = [
        "10.0.1.1"
        "fdc9:281f:04d7:9eea::1"
      ];
    };
    netdevs."50-wg1" = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg1";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard-keys/privatekey_wg1";
        RouteTable = "main";
      };
      wireguardPeers = [
        {
          PublicKey = "key2";
          AllowedIPs = [
            "10.0.1.0/24"
            "fdc9:281f:04d7:9eea::/64"
          ];
          Endpoint = "ip2:port2";
          PersistentKeepalive = 25;
        }
      ];
    };
  };

and it kinda worked.

[04:54:13]
Luke (@luke:vuksta.com): But I have major gripes [04:54:57]
Luke (@luke:vuksta.com): First, systemd.network does not behave as you'd expect in a deterministic sense - I had to manually tear down wg interfaces multiple times because I screwed something up. [04:55:50]
Luke (@luke:vuksta.com): Second, for some reason this broke docker container-to-container networking when using the host network, and I have no idea why, other than that there must be something I have massively misconfigured. [04:56:45]
Luke (@luke:vuksta.com): I ended up swapping back to wg-quick for now since it's been such a pain. [04:57:23]
Luke (@luke:vuksta.com): I guess my routing table there was sending docker's traffic to the remote as well? I don't know, it's just a frustrating swap to try to make. [04:59:28]
