How to use Wireguard on NixOS with GNOME
A quick and simple guide to getting Wireguard running on NixOS when using the Gnome desktop environment (and NetworkManager).
Last updated for NixOS 25.11.
Requirements
- A functioning wireguard server that you are connecting to
- A NixOS device or virtual machine to act as the wireguard client
Steps
- Install wireguard tools and allow wireguard through the firewall via nix config
```nix
{ config, pkgs, ... }:
{
  environment.systemPackages = [
    pkgs.networkmanager
    pkgs.networkmanagerapplet # Adds nm-connection-editor
    pkgs.wireguard-tools # Allows using wg and wg-quick commands
  ];

  # Enable networking
  networking.networkmanager.enable = true;

  # Allow wireguard connections through firewall: relax the reverse-path
  # filter so packets arriving over the WireGuard interface are not dropped
  networking.firewall.checkReversePath = "loose";
}
```
You can either create this as a separate .nix file and import it with:
```nix
{
  imports = [
    ./path/to/file.nix
  ];
}
```
Or simply embed the relevant lines into your existing configuration (e.g. within configuration.nix).
- Rebuild to install wg and wg-quick commands and reboot to apply firewall changes
- Generate a private and public key for wireguard
`umask` will invert the bits given for any new files; in this case it will make the privatekey and publickey files be marked with 700, or read/write/execute for the current user, and no access for group or global.
```bash
mkdir ~/wireguardtemp
cd ~/wireguardtemp
# Restrict permissions on every file created from here on in this shell
umask 077
# Write the private key to privatekey and derive the public key from it
wg genkey | tee privatekey | wg pubkey > publickey
```
- Create a wireguard config
You can name this whatever you like, for example: home_network.conf. wg0 is also a commonly chosen name.
Remove all < and >, they are to indicate values you provide.
```bash
cd ~/wireguardtemp
nano ./home_network.conf
```
```ini
[Interface]
PrivateKey = <client private key>
Address = <client wireguard ip>/32
DNS = <internal dns address for wireguard network>

[Peer]
PublicKey = <server public key>
Endpoint = <server public ip>:13231
AllowedIPs = 0.0.0.0/0
```
You can replace `AllowedIPs = 0.0.0.0/0` with specific ranges to route only traffic destined for your internal network. For example: `AllowedIPs = 192.168.0.0/16, 10.0.0.0/8`
- On your wireguard server, create a new peer using the client public key that you generated, ensuring that the allowed address on the server matches what's set in the .conf file
- Test the configuration with wg-quick to ensure it's working
```bash
cd ~/wireguardtemp
# wg-quick creates a network interface, so it needs root
sudo wg-quick up ./home_network.conf
```
If this doesn’t work, try searching for solutions using wg-quick as a key term.
Assuming you’ve got it working, spin down the connection with:
```bash
cd ~/wireguardtemp
sudo wg-quick down ./home_network.conf
```
- Import the configuration into NetworkManager
Using the GUI to import the file DOES NOT WORK at the time of writing. You MUST use nmcli to add the file.
```bash
cd ~/wireguardtemp
# The connection name is taken from the file name (home_network)
nmcli con import type wireguard file ./home_network.conf
# Importing brings the connection up; keep it manual and take it down for now
nmcli connection modify home_network autoconnect no
nmcli connection down home_network
```
- (optional) Give the vpn network a pretty name
```bash
nmcli connection modify home_network con-name "Home Network"
```
- (optional) Save the private key and/or .conf file to your password manager of choice (e.g. 1Password or VaultWarden)
- Remove the temp files (privatekey, publickey, and home_network.conf)
```bash
rm -rf ~/wireguardtemp
```
- Theoretically, you should be set! You can now enable or disable the wireguard connection through the vpn option in network manager (available in the system menu on the top right).
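As an added example that is not part of the original guide, the following POSIX shell helper covers the key-handling and config-creation steps above in one place: it writes the client config from the values you would otherwise type into nano, with the same `umask 077` protection as the key files, and then checks the result before it is handed to wg-quick or nmcli (no leftover `<placeholder>` markers, file mode 600, every required key present once, and both keys the 44-character base64 form WireGuard expects). The function names `make_wg_config` and `check_wg_config`, and the sample addresses in the usage comment, are assumptions made for this example.

```shell
# Added example, not from the original guide. Function names and the sample
# values in the usage comment are assumptions made for this example.

# make_wg_config OUT PRIVATE_KEY ADDRESS DNS PEER_PUBLIC_KEY ENDPOINT [ALLOWED_IPS]
# Writes the config under umask 077 so the file is created mode 0600: it holds
# the private key, so group/other must not be able to read it.
make_wg_config() {
    out=$1 privkey=$2 addr=$3 dns=$4 peerpub=$5 endpoint=$6
    allowed=${7:-0.0.0.0/0}   # default: route all traffic through the tunnel
    (
        umask 077
        cat > "$out" <<EOF
[Interface]
PrivateKey = $privkey
Address = $addr
DNS = $dns

[Peer]
PublicKey = $peerpub
Endpoint = $endpoint
AllowedIPs = $allowed
EOF
    )
}

# check_wg_config FILE: returns 0 if the file looks safe to use, otherwise
# prints the first problem found to stderr and returns 1.
check_wg_config() {
    f=$1
    # 1. No leftover "<placeholder>" markers from the template.
    if grep -q '[<>]' "$f"; then
        echo "check: placeholder markers (< or >) remain in $f" >&2
        return 1
    fi
    # 2. Mode must be exactly 0600 (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ]; then
        echo "check: $f has mode $mode, expected 600" >&2
        return 1
    fi
    # 3. Every required key appears exactly once.
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        n=$(grep -c "^$key = " "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "check: expected one '$key' line, found $n" >&2
            return 1
        fi
    done
    # 4. WireGuard keys are 32 bytes base64-encoded: 44 characters ending in '='.
    for key in PrivateKey PublicKey; do
        v=$(sed -n "s/^$key = //p" "$f")
        if [ "${#v}" -ne 44 ] || [ "${v%=}" = "$v" ]; then
            echo "check: $key is not a 44-character base64 key" >&2
            return 1
        fi
    done
    return 0
}

# Usage, once ~/wireguardtemp/privatekey exists from the key-generation step
# (addresses below are example values; SERVER_PUBLIC_KEY is the key from your server):
#   make_wg_config ~/wireguardtemp/home_network.conf "$(cat ~/wireguardtemp/privatekey)" \
#       10.0.0.2/32 10.0.0.1 "$SERVER_PUBLIC_KEY" 203.0.113.10:13231
#   check_wg_config ~/wireguardtemp/home_network.conf \
#       && sudo wg-quick up ~/wireguardtemp/home_network.conf
```

Pass a seventh argument such as `'192.168.0.0/16, 10.0.0.0/8'` to split-tunnel only your internal ranges, as described for `AllowedIPs` above; the check deliberately fails closed, so a config that still carries a `<...>` marker or that was created with a permissive umask is never handed to wg-quick.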
