linux:vpn:wireguard [2024/12/20 18:25] niziak vs. linux:vpn:wireguard [2025/01/07 20:42] (current) niziak
Line 1: Line 1:
 ====== Wireguard ====== ====== Wireguard ======
  
-===== Server setup =====+  * [[https://www.wireguard.com/netns/]] 
 +  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]] 
 + 
 +===== routing ===== 
 + 
 +  * sending: list of allowed IPs behaves as routing table 
 +  * receiving: list of allowed IPs behaves as ACL 
 + 
 +==== mesh ==== 
 + 
 +Duplicated peer IPS (allowed IPs): 
 +  * not allowed 
 +  * technically wg is working but traffic is directed only to last connected peer ??? 
 + 
 +The same peer IP (allowed IPs) on 2 or more wg interfaces: 
 +  * allowed 
 +  * kernel routing makes decision 
 + 
 +Best and clear option: 
 +  * P2P wg links 
 +  * OSPF or other dynamic routing protocol 
 + 
 +==== working example ==== 
 + 
 +''/24'' subnet routing: 
 +  * Kernel: traffic to ''/24'' subnet will be directed to WG interface by Kernel 
 +  * WG: if routed IP is in ''AllowedIPs'' in WG, WG will accept this traffic. 
 +  * WG: if routed IP belongs to one of known peers, it will route it automatically 
 +Tested on ''star'' topology, where one peer with external IP accepts connection from others peers. 
 +All peers were in one ''/24'' subnet. 
 + 
 +NOTE: trying to ''MESH'' with ''/24'' doesn't work. When additional P2P connection between two "client" peers was added, connection to "server" peer stop working. 
 + 
 + 
 +===== Setup =====
  
 <code bash> <code bash>
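Review bot: the "???" on the duplicated-AllowedIPs bullet should be replaced with the documented behaviour rather than left open: on a single interface a given allowed IP belongs to exactly one peer, and assigning it to a second peer removes it from the first (wg(8)), so the last configured peer wins, not the "last connected" one. That would also account for the NOTE that the /24 mesh broke: if the added P2P peer was given the whole /24, it took the prefix away from the "server" peer; giving it only the other client's /32 lets longest-prefix matching send that host direct while everything else still goes via the server peer's /24. Minor: "Duplicated peer IPS" -> "IPs", "connection to "server" peer stop working" -> "stops working".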
Line 8: Line 42:
 chmod 400 publickey privatekey chmod 400 publickey privatekey
 </code> </code>
 +
 +===== Server setup =====
  
 <file ini /etc/wireguard/wg0.conf> <file ini /etc/wireguard/wg0.conf>
 [Interface] [Interface]
-Address = 192.168.x.1/24 +ListenPort = 12345
-ListenPort = ...+
 PrivateKey = ... PrivateKey = ...
-SaveConfig = true 
-</file> 
  
-===== Interface autostart =====+[Peer] 
 +PublicKey ... 
 +AllowedIPs 192.168.1.24/32
  
-<file ini /etc/network/interfaces.d/wg0> +[Peer] 
-auto wg0 +PublicKey = ..
- +AllowedIPs = 192.168.1.25/32
-iface wg0 inet static +
-    address 192.168.176.101/24 +
-    pre-up ip link add wg0 type wireguard +
-    pre-up wg setconf wg0 /etc/wireguard/wg0.conf +
-    post-down ip link del wg0+
 </file> </file>
  
 +===== Client setup =====
  
-==== using wgquick service ====+<file ini /etc/wireguard/wg0.conf>
  
-''PostUp'' and ''PostDown'' scripting are possible: 
-<file ini /etc/wireguard/wg0.conf> 
 [Interface] [Interface]
-Address = 192.168.x.1/24 
-ListenPort = ... 
 PrivateKey = ... PrivateKey = ...
-SaveConfig true + 
-PostUp iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT +[Peer] 
-PostDown iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT+PublicKey = ... 
 +Endpoint ip1.example.com:12345 
 +AllowedIPs 0.0.0.0/0 
 +PersistentKeepalive 55
 </file> </file>
 +
 +===== Applying changes =====
  
 <code bash> <code bash>
-sudo systemctl enable --now wg-quick@wg0+wg syncconf wg0 /etc/wireguard/wg0.conf 
 +#wg setconf wg0 /etc/wireguard/wg0.conf
 </code> </code>
  
-==== using ifupdown ====+Note: 
 +  * ''setconf'' Sets the current configuration of interface to the contents of configuration file 
 +  * ''syncconf'' Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
  
-<file wg0.conf> +===== Interface autostart ===== 
-[Interface+ 
-ListenPort ... +==== using ifupdown ====
-PrivateKey ... +
-</file>+
  
 <file /etc/network/interfaces.d/wg0> <file /etc/network/interfaces.d/wg0>
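Review bot: neither config will load with `wg setconf`/`wg syncconf` as written, because wg(8) expects `Key = Value` lines and the `=` is missing on `PublicKey ...`, `AllowedIPs 192.168.1.24/32`, `Endpoint ip1.example.com:12345`, `AllowedIPs 0.0.0.0/0` and `PersistentKeepalive 55` (the second peer's `PublicKey = ..` also has a truncated placeholder). Separately, `AllowedIPs = 0.0.0.0/0` on the client makes the server peer the catch-all in both directions: per the routing section above it is the ACL on receive, so the client then accepts packets with any source address from that peer; unless a full tunnel is intended, `AllowedIPs = 192.168.1.0/24` matches the star topology described earlier.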
Line 60: Line 93:
 # interface configuration # interface configuration
 iface wg0 inet static iface wg0 inet static
-    address 192.168.x.1/24+    address 192.168.1.24/24
     pre-up ip link add wg0 type wireguard     pre-up ip link add wg0 type wireguard
     pre-up wg setconf wg0 /etc/wireguard/wg0.conf     pre-up wg setconf wg0 /etc/wireguard/wg0.conf
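Review bot: say which host this stanza belongs to: `192.168.1.24/24` is the address the server's first `[Peer]` lists as `AllowedIPs 192.168.1.24/32`, so this is a client's interfaces file, yet it sits under a heading that reads as generic autostart; a one-line comment in the file (or a second stanza with the server's own address) would avoid a client address being copied onto the server.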
Line 69: Line 102:
     post-down ip link del wg0     post-down ip link del wg0
 </file> </file>
 +
 +
 +
 +==== using wgquick service ====
 +
 +''PostUp'' and ''PostDown'' scripting are possible:
 +<file ini /etc/wireguard/wg0.conf>
 +[Interface]
 +Address = 192.168.x.1/24
 +ListenPort = ...
 +PrivateKey = ...
 +SaveConfig = true
 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
 +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
 +</file>
 +
 +<code bash>
 +sudo systemctl enable --now wg-quick@wg0
 +</code>
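Review bot: this re-added wg-quick config is not interchangeable with the `wg setconf`/`syncconf` workflow above: `Address`, `SaveConfig` and `PostUp`/`PostDown` are wg-quick-only keys that `wg setconf` rejects, and `SaveConfig = true` rewrites /etc/wireguard/wg0.conf on `wg-quick down`, so edits made to the file while the interface is up are lost. The `Address = 192.168.x.1/24` placeholder is also inconsistent with the `192.168.1.x` scheme used in the rest of this revision, and the `FORWARD`/`MASQUERADE` rules only take effect with `net.ipv4.ip_forward=1`, which is worth stating beside them. Minor: the three empty `+` lines before the heading can go.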