NixOS with Mozilla VPN and Wireguard
Let’s set up Mozilla VPN on the NixOS Linux distribution using WireGuard.
- Run `nix-shell -p mozwire`; then, within the resulting shell, do the following:

  ```
  # Fetch a Mozilla VPN token and set MOZ_TOKEN for future invocations of mozwire.
  # This will open a browser that will instruct you to log in using your Mozilla VPN credentials.
  [nix-shell:]$ export MOZ_TOKEN=$(mozwire --print-token)
  Please visit https://vpn.mozilla.org/api/v2...
  Link opened in browser.

  # Create `/secret` to store your configuration
  [nix-shell:]$ sudo mkdir -p /secret

  # List available Mozilla VPN relays
  [nix-shell:]$ mozwire relay list
  Albania (al)
    Tirana (tia) @ 41.327953°N, 19.819025°W
      al-tia-wg-001 (31.171.153.66, 2a04:27c0:0:3::a01f)
  Australia (au)
    Adelaide (adl) @ -34.92123°N, 138.599503°W
      au-adl-wg-301 (103.214.20.50, 2404:f780:0:deb::c1f)
      au-adl-wg-302 (103.214.20.130, 2404:f780:0:dec::c2f)
    Brisbane (bne) @ -27.471°N, 153.0234°W
      au-bne-wg-301 (103.216.220.18, 2404:f780:4:deb::a01f)
      au-bne-wg-302 (103.216.220.34, 2404:f780:4:dec::a02f)
  ...

  # Save a configuration with your desired relay. In this example,
  # we'll use ZRH. Though one can choose their own location, you'll
  # typically want to use a location that is nearest to your ISP.
  [nix-shell:]$ mozwire relay save zrh
  Public key not in device list, uploading it.
  Wrote configuration to ./ch-zrh-wg-404.conf.

  # Copy the configuration file to /secret
  [nix-shell:]$ sudo mv ch-zrh-wg-404.conf /secret/
  ```
- Set up the VPN using WireGuard by editing `/etc/nixos/configuration.nix` such that it contains the following:

  ```
  environment.systemPackages = with pkgs; [
    wireguard-tools
    ... # don't add this ellipsis!
  ];
  networking.wg-quick.interfaces.wg0.configFile = "/secret/ch-zrh-wg-404.conf";
  ```
- Run `sudo nixos-rebuild switch` to update NixOS’ current configuration.
- Test that the VPN is active by observing the output of `curl https://ifconfig.co/json ; echo`.
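
The configuration saved under `/secret` contains the WireGuard private key, so its ownership and mode matter as much as the tunnel itself. The following is an added example, not part of the original post or of mozwire: a POSIX shell audit that checks the file is root-owned with no group/other access and that `AllowedIPs` covers both IPv4 and IPv6. The function names, the sample config and the assumption that a full tunnel is wanted are this example's own.

```shell
#!/bin/sh
# Added example: audit a wg-quick config such as /secret/ch-zrh-wg-404.conf.
# Function names are hypothetical; the config in make_sample is constructed.
# Uses GNU stat (coreutils), as shipped on NixOS.

# perms_ok FILE [UID]: FILE is owned by UID (default 0, root) and has no
# group/other permission bits. The file contains the WireGuard private key.
perms_ok() {
    mode=$(stat -c '%a' -- "$1") && owner=$(stat -c '%u' -- "$1") || return 2
    [ "$owner" = "${2:-0}" ] || return 1
    case $mode in
        0 | *00) return 0 ;;  # e.g. 600 or 400
        *) return 1 ;;
    esac
}

# full_tunnel FILE: AllowedIPs covers all IPv4 and all IPv6 destinations,
# so neither address family is routed outside the tunnel.
full_tunnel() {
    ips=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' "$1" | tr ', \t' '\n\n\n')
    printf '%s\n' "$ips" | grep -qxF '0.0.0.0/0' || return 1
    printf '%s\n' "$ips" | grep -qxE '::0?/0'
}

# make_sample DIR: write a constructed config (placeholder keys, documentation
# endpoint address) to DIR/sample.conf with mode 600 and print its path.
make_sample() {
    (
        umask 077
        printf '%s\n' '[Interface]' 'PrivateKey = <placeholder-private-key>' \
            'Address = 10.64.0.2/32' '[Peer]' \
            'PublicKey = <placeholder-public-key>' \
            'AllowedIPs = 0.0.0.0/0, ::0/0' \
            'Endpoint = 192.0.2.10:51820' > "$1/sample.conf"
    )
    printf '%s\n' "$1/sample.conf"
}

# Stand-alone use: sh audit.sh /secret/ch-zrh-wg-404.conf (run as root).
if [ -n "${1:-}" ]; then
    perms_ok "$1" || echo "WARN: $1 is not root-owned or is group/other accessible"
    full_tunnel "$1" || echo "WARN: $1 does not route both 0.0.0.0/0 and ::/0"
fi
```

If the ownership check warns after the `sudo mv` step, `sudo chown root:root` and `sudo chmod 600` on the file bring it in line.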
Postscript (teaching how to fish): figuring all this out was aided, yet again, by the use of search.nixos.org; specifically the NixOS Options section. That said, the source for wg-quick.nix could be updated such that the networking.wg-quick.interfaces.*.configFile appears in a NixOS Options search for WireGuard; we’ll see if maintainers of NixOS/nixpkgs agree with the patch I authored that makes this change. Related: a NixOS/nixpkgs issue which suggests the potential addition of keywords to package metadata.
Postscript 2 (regarding Rust): the source for mozwire is worth considering; it demonstrates the concision and clarity of Rust, and is a lovely example of reverse-engineering of a public yet (to my knowledge) undocumented protocol. Tentatively, I would propose that such packages are a net-positive for users as they enable creative developers to implement alternative means of engaging with a given service. Such implementations are a far cry from the GNU foundation’s visions for truly “free” software, but certainly bring us closer to those aims.