How to "apply" a new json network configuration?

Hello there:-)

Please note that I’m new to incus and incusOS!

I want to configure incusOS to be accessible through a wireguard VPN. For that I’m following the documentation and prepared a json file but now, I just don’t see how to give it to incusOS?

:face_with_peeking_eye: I know this is basic but could not find how :face_with_peeking_eye:

Also, how do I make sure only incusOS can access this VPN and especially not the instances “behind” it (those which are source-NAT’ed I mean)

Many thanks in advance!

slt

incus admin os system network edit will let you edit the network configuration.

You should be able to create an ACL in Incus and assign it to the relevant Incus network.

Thank you but I’m still not sure, editing the network configuration this way shows me a YAML like configuration:

config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: f8:0d:ac:39:ef:be
    name: eno1
    required_for_online: "no"
    roles:
    - instances
  time:
    timezone: UTC
state:
  interfaces:
[...]

But, when following the documentation, I prepared something like this:

{
  "config": {
    "wireguard": [
      {
        "name": "wg0",
        "port": 51820,
        "private_key": "AE1SCwtkp8ruDYlUa9x9wsoTzEOePl3P9sMdFFa9PmI=",
        "addresses": [
          "10.234.234.100/24",
          "fd42:3cfb:8972:abcd::100/64"
        ],
        "routes" : [
          {
            "to": "10.234.110.0/24",
            "via": "10.234.234.110"
          }
        ],
        "peers": [
          {
            "allowed_ips": [
              "10.234.234.110/24",
              "fd42:3cfb:8972:abcd::110/64",
              "10.234.110.0/24"
            ],
            "endpoint": "10.102.89.110:51820",
            "public_key": "rJhRcAtHUldTAA/J+TPQPQpr6G9C2Arf5FiTVwjOYCE="
          },
          {
            "allowed_ips": [
              "10.234.234.120/24",
              "fd42:3cfb:8972:abcd::120/64"
            ],
            "persistent_keepalive": 30,
            "public_key": "qPYSgwaJe0VZb4M8smTPpd2rfKHz0X0ypq54ZY4ATVQ="
          }
        ]
      }
    ]
  }
}

So I’m not sure how to insert this in the yaml-like network configuration?

Ok, I will try playing with this! thank you!

YAML is a super-set of JSON. So you can put a JSON document and pass it as YAML.

Our API is all JSON but we render as YAML in the interactive editor as that’s a bit easier to interact with for users and also a bit less strict syntax wise so more tolerant to human input.

oh! ok :slight_smile:

So, am I supposed to replace the whole YAML content with the JSON I prepared? Append it? Or may be even try to merge it somehow if I don’t want to lose the current configuration and only *add* one wireguard config?

I’m sorry to ask this, but I have not found the answers in the documentation and I would not want to lose access to my current incusOS because of my ignorance! :sweat_smile:

You’d need to merge the two together.

You can either do it by dumping the relevant JSON chunk inside of the YAML, like:

config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: f8:0d:ac:39:ef:be
    name: eno1
    required_for_online: "no"
    roles:
    - instances
  wireguard:
  - {
        "name": "wg0",
        "port": 51820,
        "private_key": "AE1SCwtkp8ruDYlUa9x9wsoTzEOePl3P9sMdFFa9PmI=",
        "addresses": [
          "10.234.234.100/24",
          "fd42:3cfb:8972:abcd::100/64"
        ],
        "routes" : [
          {
            "to": "10.234.110.0/24",
            "via": "10.234.234.110"
          }
        ],
        "peers": [
          {
            "allowed_ips": [
              "10.234.234.110/24",
              "fd42:3cfb:8972:abcd::110/64",
              "10.234.110.0/24"
            ],
            "endpoint": "10.102.89.110:51820",
            "public_key": "rJhRcAtHUldTAA/J+TPQPQpr6G9C2Arf5FiTVwjOYCE="
          },
          {
            "allowed_ips": [
              "10.234.234.120/24",
              "fd42:3cfb:8972:abcd::120/64"
            ],
            "persistent_keepalive": 30,
            "public_key": "qPYSgwaJe0VZb4M8smTPpd2rfKHz0X0ypq54ZY4ATVQ="
          }
        ]
      }
  time:
    timezone: UTC
state:
  interfaces:
[...]

Or just convert your config to YAML and then merge the two:

config:
  wireguard:
  - name: wg0
    port: 51820
    private_key: AE1SCwtkp8ruDYlUa9x9wsoTzEOePl3P9sMdFFa9PmI=
    addresses:
    - 10.234.234.100/24
    - fd42:3cfb:8972:abcd::100/64
    routes:
    - to: 10.234.110.0/24
      via: 10.234.234.110
    peers:
    - allowed_ips:
      - 10.234.234.110/24
      - fd42:3cfb:8972:abcd::110/64
      - 10.234.110.0/24
      endpoint: 10.102.89.110:51820
      public_key: rJhRcAtHUldTAA/J+TPQPQpr6G9C2Arf5FiTVwjOYCE=
    - allowed_ips:
      - 10.234.234.120/24
      - fd42:3cfb:8972:abcd::120/64
      persistent_keepalive: 30
      public_key: qPYSgwaJe0VZb4M8smTPpd2rfKHz0X0ypq54ZY4ATVQ=

Giving you:

config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: f8:0d:ac:39:ef:be
    name: eno1
    required_for_online: "no"
    roles:
    - instances
  wireguard:
  - name: wg0
    port: 51820
    private_key: AE1SCwtkp8ruDYlUa9x9wsoTzEOePl3P9sMdFFa9PmI=
    addresses:
    - 10.234.234.100/24
    - fd42:3cfb:8972:abcd::100/64
    routes:
    - to: 10.234.110.0/24
      via: 10.234.234.110
    peers:
    - allowed_ips:
      - 10.234.234.110/24
      - fd42:3cfb:8972:abcd::110/64
      - 10.234.110.0/24
      endpoint: 10.102.89.110:51820
      public_key: rJhRcAtHUldTAA/J+TPQPQpr6G9C2Arf5FiTVwjOYCE=
    - allowed_ips:
      - 10.234.234.120/24
      - fd42:3cfb:8972:abcd::120/64
      persistent_keepalive: 30
      public_key: qPYSgwaJe0VZb4M8smTPpd2rfKHz0X0ypq54ZY4ATVQ=
  time:
    timezone: UTC
state:
  interfaces:
[...]

Thank you Stéphane for taking the time to guide me through this!

I got the VPN up and running but initially faced two surprising ‘invalid endpoint’ errors:

WARNING: The IncusOS API and configuration is subject to change

Config parsing error: wireguard 0 peer 0 invalid endpoint 'example.net:41322'
Press enter to open the editor again or ctrl+c to abort change

Config parsing error: wireguard 0 peer 0 invalid endpoint '[2606:4700::6812:46a]:41322'
Press enter to open the editor again or ctrl+c to abort change

It looks like it does not support having a hostname or an IPv6 address in the endpoint. I could configure an IPv4 instead but it felt weird as wireguard supports this. I haven’t found this as a known issue on the github issue tracking system. Should I create one?

EDIT: well, actually, the wireguard interface is up and running but I can no longer ‘show’ the network configuration:

$ incus admin os system network show
WARNING: The IncusOS API and configuration is subject to change

Error: Invalid value: 1.29KiB

Same error with ‘edit’ :.-O any idea to help me fix this? I merged the config following your first recommendation: pasting part of the JSON into the YAML configuration.

We fixed that one already, the next stable update will have that fix.

Oh, yeah, the Wireguard endpoint validation isn’t good, let me send a fix for that one.

Does it affect the client or the server? (Just trying to know if you’re talking about the next stable update to the client or to the daemon -and incusOS itself as a whole then-)

It’s a server-side check. The next stable update which should come out in a few hours will have the fix.

Oki, great! many thanks in advance :slight_smile:
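Putting the merge advice and the endpoint problem from this thread together, here is an added example (not part of the thread, nor code from Incus or IncusOS) in Ruby, using only the standard library's YAML and JSON: it appends a prepared JSON wireguard chunk to the YAML that the interactive editor shows, leaves the existing interfaces and time sections untouched, refuses to overwrite a tunnel of the same name, and checks each peer endpoint the way WireGuard itself accepts them (hostname, IPv4 or bracketed IPv6, each followed by a port), which is the check the thread says IncusOS got wrong. The sample config and key values are constructed placeholders, and it is assumed the returned YAML is pasted back into `incus admin os system network edit`.

```ruby
require 'yaml'
require 'json'
require 'ipaddr'
# Constructed stand-in for the YAML that `incus admin os system network edit` opens.
CURRENT_YAML = <<~YAML
  config:
    interfaces:
    - addresses: [dhcp4, slaac]
      hwaddr: f8:0d:ac:39:ef:be
      name: eno1
      required_for_online: "no"
      roles: [instances]
    time:
      timezone: UTC
YAML

# Constructed JSON in the shape of the prepared file; keys are placeholders, not real key material.
WG_JSON = <<~JSON
  {"config": {"wireguard": [{"name": "wg0", "port": 51820, "private_key": "PLACEHOLDER_PRIVATE_KEY",
    "addresses": ["10.234.234.100/24"], "peers": [{"allowed_ips": ["10.234.234.110/32"],
    "endpoint": "example.net:41322", "public_key": "PLACEHOLDER_PUBLIC_KEY"}]}]}}
JSON

# Split an endpoint into [host, port]: hostname:port, v4:port or [v6]:port as wg(8) accepts; bare v6 is ambiguous.
def parse_endpoint(ep)
  m = ep.to_s.match(/\A(?:\[(?<v6>[^\]]+)\]|(?<host>[^:\[\]]+)):(?<port>\d{1,5})\z/)
  raise ArgumentError, "invalid endpoint '#{ep}'" unless m
  port = m[:port].to_i
  raise ArgumentError, "port out of range in '#{ep}'" unless (1..65_535).cover?(port)
  if m[:v6]
    raise ArgumentError, "bad IPv6 in '#{ep}'" unless IPAddr.new(m[:v6]).ipv6? # IPAddr raises ArgumentError on junk
  elsif m[:host] !~ /\A[A-Za-z0-9.-]+\z/
    raise ArgumentError, "bad host in '#{ep}'"
  end
  [m[:v6] || m[:host], port]
end

# Append the file's wireguard tunnels to the live config, leaving interfaces/time untouched and
# refusing to overwrite a tunnel of the same name; returns YAML to paste back into the editor.
def merge_wireguard(current_yaml, wg_json)
  cfg = YAML.safe_load(current_yaml)
  tunnels = (cfg['config']['wireguard'] ||= [])
  JSON.parse(wg_json).dig('config', 'wireguard').to_a.each do |wg|
    raise ArgumentError, "wireguard '#{wg['name']}' already present" if tunnels.any? { |t| t['name'] == wg['name'] }
    wg.fetch('peers', []).each { |peer| parse_endpoint(peer['endpoint']) if peer.key?('endpoint') }
    tunnels << wg
  end
  cfg.to_yaml
end
```

Run it with `puts merge_wireguard(CURRENT_YAML, WG_JSON)` to get the merged document; the duplicate-name check means running the merge twice against the same config fails instead of silently producing two wg0 entries.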