meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
linux:vpn:wireguard [2021/10/27 20:17] – created niziaklinux:vpn:wireguard [2025/01/07 20:42] (current) niziak
Line 1: Line 1:
 ====== Wireguard ====== ====== Wireguard ======
  
-===== Server setup =====+  * [[https://www.wireguard.com/netns/]] 
 +  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]] 
 + 
 +===== routing ===== 
 + 
 +  * sending: list of allowed IPs behaves as routing table 
 +  * receiving: list of allowed IPs behaves as ACL 
 + 
 +==== mesh ==== 
 + 
 +Duplicated peer IPS (allowed IPs): 
 +  * not allowed 
 +  * technically wg is working but traffic is directed only to last connected peer ??? 
 + 
 +The same peer IP (allowed IPs) on 2 or more wg interfaces: 
 +  * allowed 
 +  * kernel routing makes decision 
 + 
 +Best and clear option: 
 +  * P2P wg links 
 +  * OSPF or other dynamic routing protocol 
 + 
 +==== working example ==== 
 + 
 +''/24'' subnet routing: 
 +  * Kernel: traffic to ''/24'' subnet will be directed to WG interface by Kernel 
 +  * WG: if routed IP is in ''AllowedIPs'' in WG, WG will accept this traffic. 
 +  * WG: if routed IP belongs to one of known peers, it will route it automatically 
 +Tested on ''star'' topology, where one peer with external IP accepts connection from others peers. 
 +All peers were in one ''/24'' subnet. 
 + 
 +NOTE: trying to ''MESH'' with ''/24'' doesn't work. When additional P2P connection between two "client" peers was added, connection to "server" peer stop working. 
 + 
 + 
 +===== Setup =====
  
 <code bash> <code bash>
Line 9: Line 43:
 </code> </code>
  
-<file wg0.conf>+===== Server setup ===== 
 + 
 +<file ini /etc/wireguard/wg0.conf> 
 +[Interface] 
 +ListenPort = 12345 
 +PrivateKey = ... 
 + 
 +[Peer] 
 +PublicKey = ... 
 +AllowedIPs = 192.168.1.24/32 
 + 
 +[Peer] 
 +PublicKey = ... 
 +AllowedIPs = 192.168.1.25/32 
 +</file> 
 + 
 +===== Client setup ===== 
 + 
 +<file ini /etc/wireguard/wg0.conf> 
 + 
 +[Interface] 
 +PrivateKey = ... 
 + 
 +[Peer] 
 +PublicKey = ... 
 +Endpoint = ip1.example.com:12345 
 +AllowedIPs = 0.0.0.0/0 
 +PersistentKeepalive = 55 
 +</file> 
 + 
 +===== Applying changes ===== 
 + 
 +<code bash> 
 +wg syncconf wg0 /etc/wireguard/wg0.conf 
 +#wg setconf wg0 /etc/wireguard/wg0.conf 
 +</code> 
 + 
 +Note: 
 +  * ''setconf'' Sets the current configuration of interface to the contents of configuration file 
 +  * ''syncconf'' Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions. 
 + 
 +===== Interface autostart ===== 
 + 
 +==== using ifupdown ==== 
 + 
 +<file /etc/network/interfaces.d/wg0> 
 +# activate on boot 
 +auto wg0 
 +# interface configuration 
 +iface wg0 inet static 
 +    address 192.168.1.24/24 
 +    pre-up ip link add wg0 type wireguard 
 +    pre-up wg setconf wg0 /etc/wireguard/wg0.conf 
 + 
 +    post-up ... 
 + 
 +    post-down ... 
 +    post-down ip link del wg0 
 +</file> 
 + 
 + 
 + 
 +==== using wgquick service ==== 
 + 
 +''PostUp'' and ''PostDown'' scripting are possible: 
 +<file ini /etc/wireguard/wg0.conf>
 [Interface] [Interface]
 Address = 192.168.x.1/24 Address = 192.168.x.1/24
Line 15: Line 114:
 PrivateKey = ... PrivateKey = ...
 SaveConfig = true SaveConfig = true
 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
 +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
 </file> </file>
  
Line 20: Line 121:
 sudo systemctl enable --now wg-quick@wg0 sudo systemctl enable --now wg-quick@wg0
 </code> </code>
 +
 +