chore(test): Move the wireguard key generation in the integration tests to the test script to make the derivations deterministc while keeping random keys

2025-12-12 07:40:30 -08:00 · 2025-08-28 12:03:50 +02:00
parent 7d4ae23db9
commit 48e9dd2a86
2 changed files with 154 additions and 122 deletions
--- a/tests/integration/rp-key-sync.nix
+++ b/tests/integration/rp-key-sync.nix
@@ -32,8 +32,8 @@ let
          description = "network address of the host that runs rosenpass";
        };
-        peerPubkey = lib.mkOption {
+        peerPubkeyFile = lib.mkOption {
-          type = lib.types.str;
+          type = lib.types.path;
          description = "Public key of wireguard peer";
        };
@@ -73,10 +73,11 @@ in
        # The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
        script = ''
          set -euo pipefail
          PEER_PUB_KEY=$(cat ${instanceCfg.peerPubkeyFile})
          ${pkgs.openssh}/bin/ssh ${instanceCfg.rpHost} "cat ${instanceCfg.remoteKeyPath}" \
            | ${pkgs.wireguard-tools}/bin/wg \
              set ${instanceCfg.wgInterface} \
-              peer ${instanceCfg.peerPubkey} \
+              peer $PEER_PUB_KEY \
              endpoint ${instanceCfg.endpoint} \
              allowed-ips ${instanceCfg.allowedIps} \
              preshared-key /dev/stdin
--- a/tests/integration/rpsc-test.nix
+++ b/tests/integration/rpsc-test.nix
@@ -10,6 +10,7 @@ let
  rpPort = 51821;
  rosenpassKeyFolder = "/var/secrets";
  wireguardKeyFolder = "/var/wgKeys";
  keyExchangePathAB = "/root/peer-ab.osk";
  keyExchangePathBA = "/root/peer-ba.osk";
  keyExchangePathAC = "/root/peer-ac.osk";
@@ -32,33 +33,12 @@ let
  peerBConfigFileVersion = getConfigFileVersion pkgs.rosenpass-peer-b;
  peerCConfigFileVersion = if multiPeer then getConfigFileVersion pkgs.rosenpass-peer-c else null;
  generateWgKeys =
    name: sk:
    let
      # The trailing line break that is generated by `wg genkey` and `wg pubkey` breaks the script rp-key-sync.nix to copy the preshared keys.
      # We therefore remove the trailing spaces here.
      privateKey = pkgs.runCommand "wg-private-${name}" { } ''
        echo ${sk} > $out
      '';
      publicKey = pkgs.runCommand "wg-public-${name}" { } ''
        cat ${privateKey} | ${pkgs.wireguard-tools}/bin/wg pubkey > $out
      '';
    in
    {
      inherit privateKey publicKey;
    };
  peerAWgKeys = generateWgKeys "peerA" "EMeaSKGSSWQFuA8xhca+potK7B43hPsJ9XkUXtfaNF0=";
  peerBWgKeys = generateWgKeys "peerB" "ANLij+xiMYmxpFjYcOTt4z8pX1a91Gsg4ZLpcCrjGVg=";
  peerCWgKeys =
    if multiPeer then generateWgKeys "peerC" "COOk7sSt34r3xtwCvOdqQiv2Pf4auKI+Btgyce2fw1w=" else null;
  staticConfig =
    {
      peerA = {
        innerIp = "10.100.0.1";
-        privateKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.privateKey);
+        wgPrivateKeyFile = "${wireguardKeyFolder}/peerA.sk";
-        publicKey = lib.removeSuffix "\n" (builtins.readFile peerAWgKeys.publicKey);
+        wgPublicKeyFile = "${wireguardKeyFolder}/peerA.pk";
        rosenpassConfig = builtins.toFile "peer-a.toml" (
          ''
            public_key = "${rosenpassKeyFolder}/self.pk"
@@ -81,8 +61,8 @@ let
      };
      peerB = {
        innerIp = "10.100.0.2";
-        privateKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.privateKey);
+        wgPrivateKeyFile = "${wireguardKeyFolder}/peerB.sk";
-        publicKey = lib.removeSuffix "\n" (builtins.readFile peerBWgKeys.publicKey);
+        wgPublicKeyFile = "${wireguardKeyFolder}/peerB.pk";
        rosenpassConfig = builtins.toFile "peer-b.toml" (
          ''
            public_key = "${rosenpassKeyFolder}/self.pk"
@@ -108,8 +88,8 @@ let
      # peerC is only defined if we are in a multiPeer context.
      peerC = {
        innerIp = "10.100.0.3";
-        privateKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.privateKey);
+        wgPrivateKeyFile = "${wireguardKeyFolder}/peerC.sk";
-        publicKey = lib.removeSuffix "\n" (builtins.readFile peerCWgKeys.publicKey);
+        wgPublicKeyFile = "${wireguardKeyFolder}/peerC.pk";
        rosenpassConfig = builtins.toFile "peer-c.toml" ''
          public_key = "${rosenpassKeyFolder}/self.pk"
          secret_key = "${rosenpassKeyFolder}/self.sk"
@@ -157,27 +137,6 @@ in
    {
      # peerA and peerB are the only neccessary peers unless we are in the multiPeer test.
      peerA = {
        networking.wireguard.interfaces.${wgInterface} = {
          listenPort = wgPort;
          ips = [ "${staticConfig.peerA.innerIp}/32" ];
          inherit (staticConfig.peerA) privateKey;
          peers =
            [
              {
                inherit (staticConfig.peerB) publicKey;
                allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ];
                endpoint = "peerB:${builtins.toString wgPort}";
                presharedKey = "AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0=";
              } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
            ]
            ++ (lib.optional multiPeer {
              inherit (staticConfig.peerC) publicKey;
              allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ];
              endpoint = "peerC:${builtins.toString wgPort}";
              presharedKey = "LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE=";
            } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
            );
        };
        networking.firewall.allowedUDPPorts = [ wgPort ];
        # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
@@ -188,7 +147,7 @@ in
              enable = false;
              inherit wgInterface;
              rpHost = "peerakeyexchanger";
-              peerPubkey = staticConfig.peerB.publicKey;
+              peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile;
              remoteKeyPath = keyExchangePathAB;
              endpoint = "peerB:${builtins.toString wgPort}";
              allowedIps = "${staticConfig.peerB.innerIp}/32";
@@ -200,7 +159,7 @@ in
              enable = false;
              inherit wgInterface;
              rpHost = "peerakeyexchanger";
-              peerPubkey = staticConfig.peerC.publicKey;
+              peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile;
              remoteKeyPath = keyExchangePathAC;
              endpoint = "peerC:${builtins.toString wgPort}";
              allowedIps = "${staticConfig.peerC.innerIp}/32";
@@ -208,28 +167,6 @@ in
          };
      };
      peerB = {
        networking.wireguard.interfaces.${wgInterface} = {
          listenPort = wgPort;
          ips = [ "${staticConfig.peerB.innerIp}/32" ];
          inherit (staticConfig.peerB) privateKey;
          peers =
            [
              {
                inherit (staticConfig.peerA) publicKey;
                allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ];
                endpoint = "peerA:${builtins.toString wgPort}";
                presharedKey = "o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA=";
                # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
              }
            ]
            ++ (lib.optional multiPeer {
              inherit (staticConfig.peerC) publicKey;
              allowedIPs = [ "${staticConfig.peerC.innerIp}/32" ];
              endpoint = "peerC:${builtins.toString wgPort}";
              presharedKey = "GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM=";
              # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
            });
        };
        networking.firewall.allowedUDPPorts = [ wgPort ];
        # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
@@ -240,7 +177,7 @@ in
              enable = false;
              inherit wgInterface;
              rpHost = "peerbkeyexchanger";
-              peerPubkey = staticConfig.peerA.publicKey;
+              peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile;
              remoteKeyPath = keyExchangePathBA;
              endpoint = "peerA:${builtins.toString wgPort}";
              allowedIps = "${staticConfig.peerA.innerIp}/32";
@@ -252,7 +189,7 @@ in
              enable = false;
              inherit wgInterface;
              rpHost = "peerbkeyexchanger";
-              peerPubkey = staticConfig.peerC.publicKey;
+              peerPubkeyFile = staticConfig.peerC.wgPublicKeyFile;
              remoteKeyPath = keyExchangePathBC;
              endpoint = "peerC:${builtins.toString wgPort}";
              allowedIps = "${staticConfig.peerC.innerIp}/32";
@@ -291,25 +228,6 @@ in
    }
    // lib.optionalAttrs multiPeer {
      peerC = {
        networking.wireguard.interfaces.${wgInterface} = {
          listenPort = wgPort;
          ips = [ "${staticConfig.peerC.innerIp}/32" ];
          inherit (staticConfig.peerC) privateKey;
          peers = [
            {
              inherit (staticConfig.peerA) publicKey;
              allowedIPs = [ "${staticConfig.peerA.innerIp}/32" ];
              endpoint = "peerA:${builtins.toString wgPort}";
              presharedKey = "s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI=";
            } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
            {
              inherit (staticConfig.peerB) publicKey;
              allowedIPs = [ "${staticConfig.peerB.innerIp}/32" ];
              endpoint = "peerB:${builtins.toString wgPort}";
              presharedKey = "DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ=";
            } # NOTE: We use mismatching preshared keys on purpose to make the wireguard key exchange fail until the rosenpass key exchange succeeded.
          ];
        };
        networking.firewall.allowedUDPPorts = [ wgPort ];
        # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
@@ -319,7 +237,7 @@ in
            enable = false;
            inherit wgInterface;
            rpHost = "peerckeyexchanger";
-            peerPubkey = staticConfig.peerA.publicKey;
+            peerPubkeyFile = staticConfig.peerA.wgPublicKeyFile;
            remoteKeyPath = keyExchangePathCA;
            endpoint = "peerA:${builtins.toString wgPort}";
            allowedIps = "${staticConfig.peerA.innerIp}/32";
@@ -329,7 +247,7 @@ in
            enable = false;
            inherit wgInterface;
            rpHost = "peerckeyexchanger";
-            peerPubkey = staticConfig.peerB.publicKey;
+            peerPubkeyFile = staticConfig.peerB.wgPublicKeyFile;
            remoteKeyPath = keyExchangePathCB;
            endpoint = "peerB:${builtins.toString wgPort}";
            allowedIps = "${staticConfig.peerB.innerIp}/32";
@@ -420,15 +338,128 @@ in
        m.wait_for_unit("network-online.target")
    ''}
    # Generate the normal wireguard key pairs
    peerA.succeed("mkdir ${wireguardKeyFolder}")
    peerA.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerA.wgPrivateKeyFile}")
    peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerA.wgPublicKeyFile}")
    peerAWgSk = peerA.succeed("cat ${staticConfig.peerA.wgPrivateKeyFile} | tr -d '\n'")
    peerAWgPk = peerA.succeed("cat ${staticConfig.peerA.wgPublicKeyFile} | tr -d '\n'")
    peerA.succeed("echo -n AR/yvSvMAzW6eS27PsRHUMWwC8cLhaD96t42cysxrb0= > ${wireguardKeyFolder}/peerB.psk")
    peerB.succeed("mkdir ${wireguardKeyFolder}")
    peerB.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerB.wgPrivateKeyFile}")
    peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerB.wgPublicKeyFile}")
    peerBWgSk = peerB.succeed("cat ${staticConfig.peerB.wgPrivateKeyFile} | tr -d '\n'")
    peerBWgPk = peerB.succeed("cat ${staticConfig.peerB.wgPublicKeyFile} | tr -d '\n'")
    peerB.succeed("echo -n o25fjoIOI623cnRyhvD4YEGtuSY4BFRZmY3UHvZ0BCA= > ${wireguardKeyFolder}/peerA.psk")
    ${lib.optionalString multiPeer ''
      peerC.succeed("mkdir ${wireguardKeyFolder}")
      peerC.succeed("${pkgs.wireguard-tools}/bin/wg genkey > ${staticConfig.peerC.wgPrivateKeyFile}")
      peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | ${pkgs.wireguard-tools}/bin/wg pubkey > ${staticConfig.peerC.wgPublicKeyFile}")
      peerCWgSk = peerC.succeed("cat ${staticConfig.peerC.wgPrivateKeyFile} | tr -d '\n'")
      peerCWgPk = peerC.succeed("cat ${staticConfig.peerC.wgPublicKeyFile} | tr -d '\n'")
      peerA.succeed("echo -n LfWvJCN8h7NhS+JWRG7GMIY20JxUV4WUs7MJ45ZGoCE= > ${wireguardKeyFolder}/peerC.psk")
      peerB.succeed("echo -n GsYTUd/4Ph7wMy5r+W1no9yGe0UeZlmCPeiyu4tb6yM= > ${wireguardKeyFolder}/peerC.psk")
      peerC.succeed("echo -n s9aIG1pY6nj2lH6p61tP8WRETNgQvoTfgel5BmVjYeI= > ${wireguardKeyFolder}/peerA.psk")
      peerC.succeed("echo -n DYlFqWg/M6EfnMolBO+b4DFNrRyS6YWr4lM/2xRE1FQ= > ${wireguardKeyFolder}/peerB.psk")
    ''}
    # Distribute the respective public keys
    peerA.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk")
    peerB.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk")
    ${lib.optionalString multiPeer ''
      peerA.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk")
      peerB.succeed(f"echo -n {peerCWgPk} > ${wireguardKeyFolder}/peerC.pk")
      peerC.succeed(f"echo -n {peerAWgPk} > ${wireguardKeyFolder}/peerA.pk")
      peerC.succeed(f"echo -n {peerBWgPk} > ${wireguardKeyFolder}/peerB.pk")
    ''}
    # Make the wireguard public keys readable for the key-sync service.
    peerA.succeed("chmod -R 0555 ${wireguardKeyFolder}")
    peerB.succeed("chmod -R 0555 ${wireguardKeyFolder}")
    ${lib.optionalString multiPeer ''
      peerC.succeed("chmod -R 0555 ${wireguardKeyFolder}")
    ''}
    # Set up wireguard on peerA
    peerA.succeed("ip link add ${wgInterface} type wireguard")
    peerA.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerA.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
    peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk")
    ${lib.optionalString multiPeer ''
      peerA.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk")
    ''}
    peerA.succeed("ip addr add ${staticConfig.peerA.innerIp}/32 dev ${wgInterface}")
    peerA.succeed("ip link set ${wgInterface} up")
    peerA.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link")
    ${lib.optionalString multiPeer ''
      peerA.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link")
    ''}
    # Set up wireguard on peerB
    peerB.succeed("ip link add ${wgInterface} type wireguard")
    peerB.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerB.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
    peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk")
    ${lib.optionalString multiPeer ''
      peerB.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerCWgPk} allowed-ips ${staticConfig.peerC.innerIp}/32 endpoint peerC:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerC.psk")
    ''}
    peerB.succeed("ip addr add ${staticConfig.peerB.innerIp}/32 dev ${wgInterface}")
    peerB.succeed("ip link set ${wgInterface} up")
    peerB.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link")
    ${lib.optionalString multiPeer ''
      peerB.succeed("ip route add ${staticConfig.peerC.innerIp} dev ${wgInterface} scope link")
    ''}
    # Set up wireguard on peerC
    ${lib.optionalString multiPeer ''
      peerC.succeed("ip link add ${wgInterface} type wireguard")
      peerC.succeed("${pkgs.wireguard-tools}/bin/wg set ${wgInterface} private-key ${staticConfig.peerC.wgPrivateKeyFile} listen-port ${builtins.toString wgPort}")
      peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerAWgPk} allowed-ips ${staticConfig.peerA.innerIp}/32 endpoint peerA:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerA.psk")
      peerC.succeed(f"${pkgs.wireguard-tools}/bin/wg set ${wgInterface} peer {peerBWgPk} allowed-ips ${staticConfig.peerB.innerIp}/32 endpoint peerB:${builtins.toString wgPort} preshared-key ${wireguardKeyFolder}/peerB.psk")
      peerC.succeed("ip addr add ${staticConfig.peerC.innerIp}/32 dev ${wgInterface}")
      peerC.succeed("ip link set ${wgInterface} up")
      peerC.succeed("ip route add ${staticConfig.peerA.innerIp} dev ${wgInterface} scope link")
      peerC.succeed("ip route add ${staticConfig.peerB.innerIp} dev ${wgInterface} scope link")
    ''}
    # Dump current state of WireGuard tunnels
    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ${lib.optionalString multiPeer ''
      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ''}
    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ${lib.optionalString multiPeer ''
      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ''}
    # Dump current network config
    peerA.succeed("ip addr 1>&2")
    peerA.succeed("ip route 1>&2")
    peerakeyexchanger.succeed("ip addr 1>&2")
    peerakeyexchanger.succeed("ip route 1>&2")
    peerB.succeed("ip addr 1>&2")
    peerB.succeed("ip route 1>&2")
    peerbkeyexchanger.succeed("ip addr 1>&2")
    peerbkeyexchanger.succeed("ip route 1>&2")
    ${lib.optionalString multiPeer ''
      peerC.succeed("ip addr 1>&2")
      peerC.succeed("ip route 1>&2")
      peerckeyexchanger.succeed("ip addr 1>&2")
      peerckeyexchanger.succeed("ip route 1>&2")
    ''}
    # The wireguard connection can't work because the sync services fail on
    # non-recognized SSH host keys, we didn't deploy the secrets and because the preshared keyes don't match.
-    peerB.fail("ping -c 1 ${staticConfig.peerA.innerIp}")
+    peerB.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}")
-    peerA.fail("ping -c 1 ${staticConfig.peerB.innerIp}")
+    peerA.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}")
    ${lib.optionalString multiPeer ''
-      peerA.fail("ping -c 1 ${staticConfig.peerC.innerIp}")
+      peerA.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}")
-      peerB.fail("ping -c 1 ${staticConfig.peerC.innerIp}")
+      peerB.fail("ping -W 2 -c 1 ${staticConfig.peerC.innerIp}")
-      peerC.fail("ping -c 1 ${staticConfig.peerA.innerIp}")
+      peerC.fail("ping -W 2 -c 1 ${staticConfig.peerA.innerIp}")
-      peerC.fail("ping -c 1 ${staticConfig.peerB.innerIp}")
+      peerC.fail("ping -W 2 -c 1 ${staticConfig.peerB.innerIp}")
    ''}
    # In admin-reality, this should be done with your favorite secret
@@ -518,15 +549,15 @@ in
    ''}
    # Dump current state of WireGuard tunnels
-    peerA.succeed("wg show all 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
-    peerB.succeed("wg show all 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ''}
-    peerA.succeed("wg show all preshared-keys 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
-    peerB.succeed("wg show all preshared-keys 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all preshared-keys 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ''}
    # Start key sync services and wait for them to start.
@@ -569,15 +600,15 @@ in
    ''}
    # Dump current state of WireGuard tunnels
-    peerA.succeed("wg show all 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
-    peerB.succeed("wg show all 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ''}
-    peerA.succeed("wg show all preshared-keys 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
-    peerB.succeed("wg show all preshared-keys 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all preshared-keys 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ''}
    # Voila!
@@ -591,15 +622,15 @@ in
    peerA.succeed("ping -c 1 -W 10 ${staticConfig.peerB.innerIp}")
    # Dump current state of WireGuard tunnels
-    peerA.succeed("wg show all 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
-    peerB.succeed("wg show all 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all 1>&2")
    ''}
-    peerA.succeed("wg show all preshared-keys 1>&2")
+    peerA.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
-    peerB.succeed("wg show all preshared-keys 1>&2")
+    peerB.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ${lib.optionalString multiPeer ''
-      peerC.succeed("wg show all preshared-keys 1>&2")
+      peerC.succeed("${pkgs.wireguard-tools}/bin/wg show all preshared-keys 1>&2")
    ''}
  '');