🌐 Networking Diagnostics
If you have no internet access or are experiencing slow connections, use these commands to diagnose the network stack.
🔌 Verifying Network Interfaces
First, ensure your network interfaces are recognized and have IP addresses assigned.
ip aTo check the status of devices managed by NetworkManager:
nmcli device statusExpected result: You should see your Ethernet (enp*) or Wi-Fi (wlan*) interface listed as connected.
📡 Testing Connectivity
Test basic connectivity by pinging an external IP address (bypassing DNS):
ping -c 4 1.1.1.1If this succeeds but websites don't load, you have a DNS issue.
📇 Diagnosing DNS (systemd-resolved)
The platform explicitly routes DNS through systemd-resolved using Cloudflare DNS over TLS.
To check the current status and upstream servers:
resolvectl statusTo manually query a domain and see which server responded:
resolvectl query example.comThe workstation also includes traditional and modern DNS clients:
nslookup example.com
dig example.com
q example.comIf systemd-resolved is failing, check its logs:
journalctl -u systemd-resolved -eRoute, HTTP, and TLS Diagnostics
Trace the network route to a host:
traceroute example.comInspect an HTTP response without downloading its body:
curl --head https://example.comInspect the remote TLS certificate and handshake:
openssl s_client -connect example.com:443 -servername example.comUse jq when an HTTP endpoint returns JSON:
curl --silent https://api.github.com | jq .VPN and Tor Clients
The workstation includes OpenVPN, WireGuard, and Tor command-line clients:
openvpn --version
wg --version
wg-quick --help
tor --versionNo VPN or Tor profile, interface, system service, firewall exception, or secret is configured by the repository. Keep configuration and credentials outside the repository and start a client explicitly when needed. The WireGuard kernel module is provided by the kernel and loads on demand.
🧱 Firewall Rules
The desktop keeps the NixOS firewall enabled and adds OpenSnitch for per-process outbound connection rules. OpenSnitch uses its native nftables backend and starts its UI service in the background with the graphical session. The main window stays hidden until opened manually, while permission dialogs appear for unknown connections. Existing rules continue to work without the UI; if the UI is unavailable, unknown connections use the permissive allow fallback.
systemctl status opensnitchd
journalctl -u opensnitchd
doas nft list ruleset
opensnitch-uiRules created through the GUI are local runtime state under /var/lib/opensnitch/rules.
⚙️ Runtime Network Tuning Checks
The workstation profile applies specific TCP tuning (bbr, fq, and fastopen). To verify these are active:
sysctl net.ipv4.tcp_congestion_controlsysctl net.core.default_qdiscsysctl net.ipv4.tcp_fastopen