Differences

This shows you the differences between two versions of the page.

--- linux:vpn:wireguard [2024/12/20 18:25] – niziak
+++ linux:vpn:wireguard [2025/09/23 08:14] (current) – niziak
@@ Line 1: / Line 1: @@
 ====== Wireguard ======
-===== Server setup =====
+  * [[https://www.wireguard.com/netns/]]
+  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]]
+===== routing =====
+  * sending: list of allowed IPs behaves as routing table
+  * receiving: list of allowed IPs behaves as ACL
+==== mesh ====
+Duplicated peer IPS (allowed IPs):
+  * not allowed
+  * technically wg is working but traffic is directed only to last connected peer ???
+The same peer IP (allowed IPs) on 2 or more wg interfaces:
+  * allowed
+  * kernel routing makes decision
+Best and clear option:
+  * P2P wg links
+  * OSPF or other dynamic routing protocol
+==== working example ====
+''/24'' subnet routing:
+  * Kernel: traffic to ''/24'' subnet will be directed to WG interface by Kernel
+  * WG: if routed IP is in ''AllowedIPs'' in WG, WG will accept this traffic.
+  * WG: if routed IP belongs to one of known peers, it will route it automatically
+Tested on ''star'' topology, where one peer with external IP accepts connection from others peers.
+All peers were in one ''/24'' subnet.
+NOTE: trying to ''MESH'' with ''/24'' doesn't work. When additional P2P connection between two "client" peers was added, connection to "server" peer stop working.
+===== Setup =====
 <code bash>
@@ Line 8: / Line 42: @@
 chmod 400 publickey privatekey
 </code>
+===== Server setup =====
 <file ini /etc/wireguard/wg0.conf>
 [Interface]
-Address = 192.168.x.1/24
+ListenPort = 12345
-ListenPort = ...
 PrivateKey = ...
-SaveConfig = true
+[Peer]
+PublicKey = ...
+AllowedIPs = 192.168.1.24/32
+[Peer]
+PublicKey = ...
+AllowedIPs = 192.168.1.25/32
 </file>
+===== Client setup =====
+<file ini /etc/wireguard/wg0.conf>
+[Interface]
+PrivateKey = ...
+[Peer]
+PublicKey = ...
+Endpoint = ip1.example.com:12345
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 55
+</file>
+===== Applying changes =====
+<code bash>
+wg syncconf wg0 /etc/wireguard/wg0.conf
+#wg setconf wg0 /etc/wireguard/wg0.conf
+</code>
+Note:
+  * ''setconf'' Sets the current configuration of interface to the contents of configuration file
+  * ''syncconf'' Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
 ===== Interface autostart =====
-<file ini /etc/network/interfaces.d/wg0>
+==== using ifupdown ====
+<file /etc/network/interfaces.d/wg0>
+# activate on boot
 auto wg0
+# interface configuration
 iface wg0 inet static
-    address 192.168.176.101/24
+    address 192.168.1.24/24
     pre-up ip link add wg0 type wireguard
     pre-up wg setconf wg0 /etc/wireguard/wg0.conf
+    post-up ...
+    post-down ...
     post-down ip link del wg0
+</file>
+==== using ifupdown + wgquick ====
+Usefull when client config is generated in ''wg-quick'' format.
+<file /etc/network/interfaces.d/user-tunnel>
+# activate on boot
+auto user-tunnel
+# interface configuration
+iface user-tunnel inet static
+    address 192.168.1.24/24
+    pre-up wg-quick up $IFACE
+    post-down wg-quick down $IFACE
 </file>
@@ Line 46: / Line 136: @@
 sudo systemctl enable --now wg-quick@wg0
 </code>
-==== using ifupdown ====
-<file wg0.conf>
-[Interface]
-ListenPort = ...
-PrivateKey = ...
-</file>
-<file /etc/network/interfaces.d/wg0>
-# activate on boot
-auto wg0
-# interface configuration
-iface wg0 inet static
-    address 192.168.x.1/24
-    pre-up ip link add wg0 type wireguard
-    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
-    post-up ...
-    post-down ...
-    post-down ip link del wg0
-</file>

Tools

menus and quick search

quick search

site status

Page Tools

meta data for this page

Differences