
wireguard: allow routes to overlap with other routes #66689

Draft: wants to merge 1 commit into base: master
Conversation

ryantrinkle (Contributor)
Previously, `ip route replace` was tripped up by non-wireguard routes that overlap the wireguard routes. This commit fixes that by using `ip route add` separately and also adds a metric of 10000 to avoid competing with local interfaces for traffic.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • N/A macOS
    • N/A other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ryantrinkle (Contributor Author)

cc @grahamc

@grahamc (Member) commented Aug 15, 2019

I am the super wrong person to review this :x cc @flokli @andir

@ryantrinkle (Contributor Author)

@grahamc No worries! Just saw some large commits from you in this module.

FWIW, I've been using this on my machine for some time, and it seems to work. In particular, my use case is that I am always connected via wireguard to my office and home networks, but I don't want to use wireguard to connect to whatever network I'm actually physically connected to. This seems to achieve that. I'm not sure how to test more thoroughly, though.

@nh2 (Contributor) commented Aug 17, 2019

@fpletz helped me at NixCon to debug route issues also involving add/replace; he may also be useful here.

@andir (Member) commented Aug 18, 2019

I am not so sure this is a good idea. With 6319054 we started replacing routes instead of adding them. Neither are perfect but we might want to get some insights from @aristidb on this.

@ryantrinkle (Contributor Author)

@andir I think it makes sense for wireguard to replace routes that it created, but not other routes that exist independently. Perhaps we can make the replace command more specific, or make it so that it specifically deletes any obsolete routes that it might have produced before adding them back?

@srhb (Contributor) commented Aug 24, 2019

I am not sure there is ever a one-size-fits-all solution to this. I think replace will probably break more configs than add. There's definitely something to be said for Wireguard keeping track of its own routes, but I think the best way to do this is to give it its own routing table, and then do setup/teardown of the rules to pick the table manually. I do something like this:

```sh
ip -4 rule add to ${endpoint} lookup main pref 30    # Traffic to wireguard host
ip -4 rule add to 192.168.0.0/16 lookup main pref 30 # local /16
ip -4 rule add to all lookup 80 pref 40              # everything else: wireguard's table
```

where 80 is the routing table I picked for wireguard to use. This is obviously not perfect, because there's still manual decisions to be made (just for rules instead of routes) -- but on the other hand we completely avoid clobbering the main routing table under any circumstances.

A completely different approach is to have proper network namespacing, but that's a rather large overhaul.
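The per-table approach described in the comment above, as an added worked example that is not part of the PR, of srhb's comment, or of the NixOS wireguard module: a POSIX sh script that puts every wireguard route into a private routing table and steers traffic into it with policy rules, so neither `ip route add` nor `ip route replace` ever touches the main table. The interface name `wg0`, table number 80, endpoint `203.0.113.10`, the local `192.168.0.0/16` and the two allowed-ips prefixes are assumed values; `DRY_RUN=1` prints the `ip` commands instead of executing them, which otherwise needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example, not code from the PR: keep every wireguard route in a private
# routing table and steer traffic there with policy rules, so the main table
# is never modified by either `ip route add` or `ip route replace`.
# Assumed values: wg0, table 80, endpoint 203.0.113.10, the allowed-ips list.
# Executing the ip commands needs CAP_NET_ADMIN; DRY_RUN=1 prints them instead.

WG_IF="${WG_IF:-wg0}"
WG_TABLE="${WG_TABLE:-80}"
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"               # peer endpoint (assumed)
LOCAL_NET="${LOCAL_NET:-192.168.0.0/16}"                  # attached LAN (assumed)
WG_ALLOWED="${WG_ALLOWED:-10.100.0.0/16 10.200.0.0/16}"   # peer allowed-ips (assumed)
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

wg_routes_up() {
    # Routes live only in $WG_TABLE. `replace` is safe here because the table
    # holds nothing but our own routes, so there is no foreign route to clobber,
    # and a re-run after an allowed-ips change just overwrites our own entry.
    for net in $WG_ALLOWED; do
        run ip -4 route replace "$net" dev "$WG_IF" table "$WG_TABLE"
    done
    # Lower pref is consulted first. The endpoint and the local LAN are pinned
    # to the main table so the tunnel's own UDP packets and LAN traffic never
    # enter the tunnel, even if an allowed-ips prefix overlaps them.
    run ip -4 rule add to "$WG_ENDPOINT" lookup main pref 30
    run ip -4 rule add to "$LOCAL_NET" lookup main pref 30
    # Everything else tries $WG_TABLE first; a destination with no route there
    # falls through to the next rule (main at pref 32766), so non-tunnel
    # traffic is unaffected without any metric games in the main table.
    run ip -4 rule add to all lookup "$WG_TABLE" pref 40
}

wg_routes_down() {
    # Undo in reverse order, deleting rules by their exact selector and pref,
    # then flush only our table. The main table is never flushed.
    run ip -4 rule del to all lookup "$WG_TABLE" pref 40
    run ip -4 rule del to "$LOCAL_NET" lookup main pref 30
    run ip -4 rule del to "$WG_ENDPOINT" lookup main pref 30
    run ip -4 route flush table "$WG_TABLE"
}

# Usage: sh wg-routes.sh up|down   (no argument does nothing)
case "${1:-}" in
    up)   wg_routes_up ;;
    down) wg_routes_down ;;
esac
```

Run `wg_routes_down` before re-running `wg_routes_up` after a config change: `ip rule add` does not replace an existing rule, so adding the same pref 30/40 rules twice leaves duplicates behind. The teardown only ever deletes the three rules it created and flushes its own table, which is the property the thread is after: the main table, and any overlapping routes a user put there, stay exactly as they were.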

@bennofs (Contributor) commented Jan 24, 2020

Using a different routing table seems to be the way to go here. It's also what wg-quick does, and should allow cleaner removal/adding. However, it is quite a different change than what is proposed in the PR. The question is now, do we merge the change in the PR as an interim solution or do we leave it as it is until we have a better solution?

@flokli (Contributor) commented Jan 31, 2020

I see this as a somewhat bigger task, and don't really see a clear consensus yet (how this should be done, and if it should be part of nixpkgs or your network manager).

As soon as we add an "interim solution" option to nixpkgs, people might use it, and then we need to worry about how to migrate these configurations to whatever new solutions, and how it can break in between.

stale bot commented Jul 29, 2020

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

stale bot added the `2.status: stale` label (https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md) Jul 29, 2020
stale bot removed the `2.status: stale` label Oct 3, 2020
stale bot commented Jun 7, 2021

I marked this as stale due to inactivity.

stale bot added the `2.status: stale` label Jun 7, 2021
@wegank marked this pull request as draft Mar 20, 2024
stale bot removed the `2.status: stale` label Mar 20, 2024
@wegank added the `2.status: stale` label Mar 20, 2024
9 participants