aryeh.fun Aryeh Hillman's Blog

NixOS with Mozilla VPN and Wireguard

Let’s set up Mozilla VPN on the NixOS Linux distribution using WireGuard.

  1. Run nix-shell -p mozwire; then, within the resulting shell, do the following:

     # Fetch a Mozilla VPN token and set MOZ_TOKEN for future invocations of mozwire.
     # This will open a browser that will instruct you to login using your Mozilla VPN credentials.
     [nix-shell:]$ export MOZ_TOKEN=$(mozwire --print-token)
     Please visit https://vpn.mozilla.org/api/v2... Link opened in browser.
        
     # Create `/secret` to store your configuration 
     [nix-shell:]$ sudo mkdir -p /secret
        
     # List available Mozilla VPN relays (the hostname shown for each relay is
     # what `mozwire relay save` matches against)
     [nix-shell:]$ mozwire relay list
     Albania (al)
     	Tirana (tia) @ 41.327953°N, 19.819025°W
     		al-tia-wg-001 (31.171.153.66, 2a04:27c0:0:3::a01f)
     Australia (au)
     	Adelaide (adl) @ -34.92123°N, 138.599503°W
     		au-adl-wg-301 (103.214.20.50, 2404:f780:0:deb::c1f)
     		au-adl-wg-302 (103.214.20.130, 2404:f780:0:dec::c2f)
     	Brisbane (bne) @ -27.471°N, 153.0234°W
     		au-bne-wg-301 (103.216.220.18, 2404:f780:4:deb::a01f)
     		au-bne-wg-302 (103.216.220.34, 2404:f780:4:dec::a02f)
     ...
        
     # Save a configuration with your desired relay. In this example,
     # we'll use ZRH. Though one can choose their own location, you'll
     # typically want to use a location that is nearest to your ISP. 
     [nix-shell:]$ mozwire relay save zrh
     Public key not in device list, uploading it.
     Wrote configuration to ./ch-zrh-wg-404.conf.
        
     # Copy the configuration file to /secret
     [nix-shell:]$ sudo mv ch-zrh-wg-404.conf /secret/
    
  2. Setup the VPN using WireGuard by editing /etc/nixos/configuration.nix such that it contains the following:

     # wg-quick needs the WireGuard userspace tools on the system path
     environment.systemPackages = with pkgs; [
         wireguard-tools
         ... # don't add this ellipsis!
     ];

     # Hand the mozwire-generated config (which contains the private key) to wg-quick
     networking.wg-quick.interfaces.wg0.configFile = "/secret/ch-zrh-wg-404.conf";
    
  3. Run sudo nixos-rebuild switch to update NixOS’ current configuration
  4. Test that the VPN is active by observing the output of curl https://ifconfig.co/json ; echo
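Before pointing networking.wg-quick.interfaces.wg0.configFile at the file, it is worth checking what mozwire wrote: the config holds your WireGuard private key, and its AllowedIPs line decides whether all of your traffic actually goes through the relay. The following is an added example, not code from the original post or from mozwire; it parses a constructed config in the same wg-quick layout and flags the usual problems. SAMPLE_CONF, its placeholder keys and the 203.0.113.10 endpoint are assumptions made for the example.

```python
import configparser
import stat

# Constructed sample in the layout wg-quick (and mozwire) use; the keys and the
# endpoint address are placeholders, not real Mozilla VPN values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.0.2/32, fd00:dead:beef::2/128
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_RELAY_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

REQUIRED = (("Interface", "PrivateKey"), ("Interface", "Address"),
            ("Peer", "PublicKey"), ("Peer", "AllowedIPs"), ("Peer", "Endpoint"))

def parse_wg_conf(text):
    """Return {section: {key: value}} for an INI-style wg-quick config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: PrivateKey, not privatekey
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def is_full_tunnel(conf):
    """True when AllowedIPs sends all IPv4 and IPv6 traffic through the relay."""
    allowed = {a.strip() for a in conf.get("Peer", {}).get("AllowedIPs", "").split(",")}
    return {"0.0.0.0/0", "::/0"} <= allowed

def config_problems(conf):
    """Human-readable problems with the config; an empty list means it looks sane."""
    problems = [f"missing {s}.{k}" for s, k in REQUIRED if not conf.get(s, {}).get(k)]
    if not is_full_tunnel(conf):
        problems.append("AllowedIPs is not 0.0.0.0/0, ::/0: some traffic would bypass the tunnel")
    if not conf.get("Interface", {}).get("DNS"):
        problems.append("no DNS entry: name lookups would still go to the ISP resolver")
    return problems

def mode_exposes_key(mode):
    """True if a file mode (e.g. os.stat(path).st_mode) lets group or others
    read the config, which holds the WireGuard private key."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    print("\n".join(config_problems(parse_wg_conf(SAMPLE_CONF))) or "config looks sane")
```

To run it against the real file, read /secret/ch-zrh-wg-404.conf into parse_wg_conf and pass os.stat(path).st_mode to mode_exposes_key; anything other than a root-only mode such as 0600 means the private key is readable by other local users.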

Postscript (teaching how to fish): figuring all this out was aided, yet again, by the use of search.nixos.org; specifically the NixOS Options section. That said, the source for wg-quick.nix could be updated such that the networking.wg-quick.interfaces.*.configFile option appears in a NixOS Options search for WireGuard; we’ll see if maintainers of NixOS/nixpkgs agree with the patch I authored that makes this change. Related: a NixOS/nixpkgs issue which suggests the potential addition of keywords to package metadata.

Postscript 2 (regarding Rust): the source for mozwire is worth considering; it demonstrates the concision and clarity of Rust, and is a lovely example of reverse-engineering of a public yet (to my knowledge) undocumented protocol. Tentatively, I would propose that such packages are a net positive for users as they enable creative developers to implement alternative means of engaging with a given service. Such implementations are a far cry from the GNU foundation’s visions for truly “free” software, but certainly bring us closer to those aims.