meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:vpn:wireguard [2024/12/20 18:28] niziaklinux:vpn:wireguard [2025/09/23 08:14] (current) niziak
Line 1: Line 1:
 ====== Wireguard ====== ====== Wireguard ======
 +
 +  * [[https://www.wireguard.com/netns/]]
 +  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]]
 +
 +===== routing =====
 +
 +  * sending: list of allowed IPs behaves as routing table
 +  * receiving: list of allowed IPs behaves as ACL
 +
 +==== mesh ====
 +
 +Duplicated peer IPS (allowed IPs):
 +  * not allowed
 +  * technically wg is working but traffic is directed only to last connected peer ???
 +
 +The same peer IP (allowed IPs) on 2 or more wg interfaces:
 +  * allowed
 +  * kernel routing makes decision
 +
 +Best and clear option:
 +  * P2P wg links
 +  * OSPF or other dynamic routing protocol
 +
 +==== working example ====
 +
 +''/24'' subnet routing:
 +  * Kernel: traffic to ''/24'' subnet will be directed to WG interface by Kernel
 +  * WG: if routed IP is in ''AllowedIPs'' in WG, WG will accept this traffic.
 +  * WG: if routed IP belongs to one of known peers, it will route it automatically
 +Tested on ''star'' topology, where one peer with external IP accepts connection from others peers.
 +All peers were in one ''/24'' subnet.
 +
 +NOTE: trying to ''MESH'' with ''/24'' doesn't work. When additional P2P connection between two "client" peers was added, connection to "server" peer stop working.
 +
  
 ===== Setup ===== ===== Setup =====
Line 8: Line 42:
 chmod 400 publickey privatekey chmod 400 publickey privatekey
 </code> </code>
 +
 +===== Server setup =====
  
 <file ini /etc/wireguard/wg0.conf> <file ini /etc/wireguard/wg0.conf>
 [Interface] [Interface]
-Address = 192.168.x.1/24 +ListenPort = 12345
-ListenPort = ...+
 PrivateKey = ... PrivateKey = ...
-SaveConfig true+ 
 +[Peer] 
 +PublicKey ... 
 +AllowedIPs = 192.168.1.24/32 
 + 
 +[Peer] 
 +PublicKey = ... 
 +AllowedIPs = 192.168.1.25/32
 </file> </file>
  
Line 22: Line 64:
  
 [Interface] [Interface]
-Address = 192.168.x.1/24 
 PrivateKey = ... PrivateKey = ...
  
Line 32: Line 73:
 </file> </file>
  
- +===== Applying changes =====
-===== Interface autostart ===== +
- +
-==== using wgquick service ==== +
- +
-''PostUp'' and ''PostDown'' scripting are possible: +
-<file ini /etc/wireguard/wg0.conf> +
-[Interface] +
-Address = 192.168.x.1/24 +
-ListenPort = ... +
-PrivateKey = ... +
-SaveConfig = true +
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT +
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT +
-</file>+
  
 <code bash> <code bash>
-sudo systemctl enable --now wg-quick@wg0+wg syncconf wg0 /etc/wireguard/wg0.conf 
 +#wg setconf wg0 /etc/wireguard/wg0.conf
 </code> </code>
  
-==== using ifupdown ====+Note: 
 +  * ''setconf'' Sets the current configuration of interface to the contents of configuration file 
 +  * ''syncconf'' Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
  
-<file ini wg0.conf> +===== Interface autostart ===== 
-[Interface+ 
-ListenPort ... +==== using ifupdown ====
-PrivateKey ... +
-</file>+
  
 <file /etc/network/interfaces.d/wg0> <file /etc/network/interfaces.d/wg0>
 # activate on boot # activate on boot
 auto wg0 auto wg0
 +
 # interface configuration # interface configuration
 iface wg0 inet static iface wg0 inet static
-    address 192.168.x.1/24+    address 192.168.1.24/24
     pre-up ip link add wg0 type wireguard     pre-up ip link add wg0 type wireguard
     pre-up wg setconf wg0 /etc/wireguard/wg0.conf     pre-up wg setconf wg0 /etc/wireguard/wg0.conf
Line 74: Line 103:
     post-down ip link del wg0     post-down ip link del wg0
 </file> </file>
 +
 +==== using ifupdown + wgquick ====
 +
 +Usefull when client config is generated in ''wg-quick'' format.
 +
 +<file /etc/network/interfaces.d/user-tunnel>
 +# activate on boot
 +auto user-tunnel
 +
 +# interface configuration
 +iface user-tunnel inet static
 +    address 192.168.1.24/24
 +    pre-up wg-quick up $IFACE
 +    post-down wg-quick down $IFACE
 +</file>
 +
 +
 +==== using wgquick service ====
 +
 +''PostUp'' and ''PostDown'' scripting are possible:
 +<file ini /etc/wireguard/wg0.conf>
 +[Interface]
 +Address = 192.168.x.1/24
 +ListenPort = ...
 +PrivateKey = ...
 +SaveConfig = true
 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
 +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
 +</file>
 +
 +<code bash>
 +sudo systemctl enable --now wg-quick@wg0
 +</code>