f57fc6c881
Ideally, private keys never leave the host they're generated on - like SSH. Setting generatePrivateKeyFile to true causes the PK to be generated automatically.
import ../make-test.nix ({ pkgs, ...} : {
|
|
name = "wireguard-generated";
|
|
meta = with pkgs.stdenv.lib.maintainers; {
|
|
maintainers = [ ma27 grahamc ];
|
|
};
|
|
|
|
nodes = {
|
|
peer1 = {
|
|
networking.firewall.allowedUDPPorts = [ 12345 ];
|
|
networking.wireguard.interfaces.wg0 = {
|
|
ips = [ "10.10.10.1/24" ];
|
|
listenPort = 12345;
|
|
privateKeyFile = "/etc/wireguard/private";
|
|
generatePrivateKeyFile = true;
|
|
|
|
};
|
|
};
|
|
|
|
peer2 = {
|
|
networking.firewall.allowedUDPPorts = [ 12345 ];
|
|
networking.wireguard.interfaces.wg0 = {
|
|
ips = [ "10.10.10.2/24" ];
|
|
listenPort = 12345;
|
|
privateKeyFile = "/etc/wireguard/private";
|
|
generatePrivateKeyFile = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
startAll;
|
|
|
|
$peer1->waitForUnit("wireguard-wg0.service");
|
|
$peer2->waitForUnit("wireguard-wg0.service");
|
|
|
|
my ($retcode, $peer1pubkey) = $peer1->execute("wg pubkey < /etc/wireguard/private");
|
|
$peer1pubkey =~ s/\s+$//;
|
|
if ($retcode != 0) {
|
|
die "Could not read public key from peer1";
|
|
}
|
|
|
|
my ($retcode, $peer2pubkey) = $peer2->execute("wg pubkey < /etc/wireguard/private");
|
|
$peer2pubkey =~ s/\s+$//;
|
|
if ($retcode != 0) {
|
|
die "Could not read public key from peer2";
|
|
}
|
|
|
|
$peer1->succeed("wg set wg0 peer $peer2pubkey allowed-ips 10.10.10.2/32 endpoint 192.168.1.2:12345 persistent-keepalive 1");
|
|
$peer1->succeed("ip route replace 10.10.10.2/32 dev wg0 table main");
|
|
|
|
$peer2->succeed("wg set wg0 peer $peer1pubkey allowed-ips 10.10.10.1/32 endpoint 192.168.1.1:12345 persistent-keepalive 1");
|
|
$peer2->succeed("ip route replace 10.10.10.1/32 dev wg0 table main");
|
|
|
|
$peer1->succeed("ping -c1 10.10.10.2");
|
|
$peer2->succeed("ping -c1 10.10.10.1");
|
|
'';
|
|
})
|
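Review bot: The second `my ($retcode, $peer2pubkey) = $peer2->execute(...)` redeclares `$retcode` in the same scope as the first one, which Perl reports as a masked declaration, and both read-then-check sequences are longer than they need to be because the driver's `succeed` already dies on a non-zero exit and returns the command's output. Nothing in the script checks that the two hosts generated distinct key material, so the test would still report success if both ended up with identical keys; a `die` when the two public keys compare equal pins the per-host property the commit message describes. If the generating code is meant to create `/etc/wireguard/private` with no group/other permission bits (not visible in this file), a `succeed` around `stat -c %a /etc/wireguard/private` asserting that mode would let the test cover it as well. The rewritten key-reading section is below; the `wg set`, `ip route` and `ping` steps stay as they are.
```nix
      my $peer1pubkey = $peer1->succeed("wg pubkey < /etc/wireguard/private");
      $peer1pubkey =~ s/\s+$//;

      my $peer2pubkey = $peer2->succeed("wg pubkey < /etc/wireguard/private");
      $peer2pubkey =~ s/\s+$//;

      die "peer1 and peer2 derived the same public key" if $peer1pubkey eq $peer2pubkey;

      # … unchanged: wg set / ip route / ping steps …
```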