Wireguard

• https://www.wireguard.com/netns/
• High Availability WireGuard Site to Site

• sending: list of allowed IPs behaves as routing table
• receiving: list of allowed IPs behaves as ACL

Duplicated peer IPS (allowed IPs):

• not allowed
• technically wg is working but traffic is directed only to last connected peer ???

The same peer IP (allowed IPs) on 2 or more wg interfaces:

• allowed
• kernel routing makes decision

Best and clear option:

• P2P wg links
• OSPF or other dynamic routing protocol

/24 subnet routing:

• Kernel: traffic to /24 subnet will be directed to WG interface by Kernel
• WG: if routed IP is in AllowedIPs in WG, WG will accept this traffic.
• WG: if routed IP belongs to one of known peers, it will route it automatically

Tested on star topology, where one peer with external IP accepts connection from others peers. All peers were in one /24 subnet.

NOTE: trying to MESH with /24 doesn't work. When additional P2P connection between two “client” peers was added, connection to “server” peer stop working.

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey

/etc/wireguard/wg0.conf

[Interface]
ListenPort = 12345
PrivateKey = ...
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = ...
 
[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55

wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf

Note:

• setconf Sets the current configuration of interface to the contents of configuration file
• syncconf Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.

# activate on boot
auto wg0
 
# interface configuration
iface wg0 inet static
    address 192.168.1.24/24
    pre-up ip link add wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
 
    post-up ...
 
    post-down ...
    post-down ip link del wg0

Usefull when client config is generated in wg-quick format.

# activate on boot
auto user-tunnel
 
# interface configuration
iface user-tunnel inet static
    address 192.168.1.24/24
    pre-up wg-quick up $IFACE
    post-down wg-quick down $IFACE

PostUp and PostDown scripting are possible:

/etc/wireguard/wg0.conf

[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

sudo systemctl enable --now wg-quick@wg0