meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:vpn:wireguard [2024/12/20 18:37] niziaklinux:vpn:wireguard [2025/09/23 08:14] (current) niziak
Line 1: Line 1:
 ====== Wireguard ====== ====== Wireguard ======
 +
 +  * [[https://www.wireguard.com/netns/]]
 +  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]]
 +
 +===== routing =====
 +
 +  * sending: list of allowed IPs behaves as routing table
 +  * receiving: list of allowed IPs behaves as ACL
 +
 +==== mesh ====
 +
 +Duplicated peer IPS (allowed IPs):
 +  * not allowed
 +  * technically wg is working but traffic is directed only to last connected peer ???
 +
 +The same peer IP (allowed IPs) on 2 or more wg interfaces:
 +  * allowed
 +  * kernel routing makes decision
 +
 +Best and clear option:
 +  * P2P wg links
 +  * OSPF or other dynamic routing protocol
 +
 +==== working example ====
 +
 +''/24'' subnet routing:
 +  * Kernel: traffic to ''/24'' subnet will be directed to WG interface by Kernel
 +  * WG: if routed IP is in ''AllowedIPs'' in WG, WG will accept this traffic.
 +  * WG: if routed IP belongs to one of known peers, it will route it automatically
 +Tested on ''star'' topology, where one peer with external IP accepts connection from others peers.
 +All peers were in one ''/24'' subnet.
 +
 +NOTE: trying to ''MESH'' with ''/24'' doesn't work. When additional P2P connection between two "client" peers was added, connection to "server" peer stop working.
 +
  
 ===== Setup ===== ===== Setup =====
Line 39: Line 73:
 </file> </file>
  
 +===== Applying changes =====
 +
 +<code bash>
 +wg syncconf wg0 /etc/wireguard/wg0.conf
 +#wg setconf wg0 /etc/wireguard/wg0.conf
 +</code>
 +
 +Note:
 +  * ''setconf'' Sets the current configuration of interface to the contents of configuration file
 +  * ''syncconf'' Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
  
 ===== Interface autostart ===== ===== Interface autostart =====
Line 47: Line 91:
 # activate on boot # activate on boot
 auto wg0 auto wg0
 +
 # interface configuration # interface configuration
 iface wg0 inet static iface wg0 inet static
Line 59: Line 104:
 </file> </file>
  
 +==== using ifupdown + wgquick ====
 +
 +Usefull when client config is generated in ''wg-quick'' format.
 +
 +<file /etc/network/interfaces.d/user-tunnel>
 +# activate on boot
 +auto user-tunnel
 +
 +# interface configuration
 +iface user-tunnel inet static
 +    address 192.168.1.24/24
 +    pre-up wg-quick up $IFACE
 +    post-down wg-quick down $IFACE
 +</file>