Wireguard
/24 subnet routing:
- Kernel: traffic to the /24 subnet is directed to the WG interface by the kernel.
- WG: if the routed IP is in AllowedIPs in WG, WG will accept this traffic.
- WG: if the routed IP belongs to one of the known peers, WG will route it to that peer automatically.
Tested on a star topology, where one peer with an external IP accepts connections from the other peers.
All peers were in one /24 subnet.
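As an added illustration (not code from this page or from WireGuard itself), the following model shows the two AllowedIPs decisions described above: which peer an outbound packet is sent to, and whether an inbound packet's inner source address is accepted from the peer it arrived from. The peer labels are constructed; the addresses mirror the page's 192.168.1.0/24 star topology.

```python
"""Model of WireGuard's cryptokey routing (the AllowedIPs checks).

Added illustration for this page, not code from the wiki or from WireGuard.
Peer labels and addresses are constructed sample values that mirror the
page's star topology inside 192.168.1.0/24.
"""
import ipaddress
from typing import Dict, List, Optional

# Hub config: one /32 per known client (as in the server wg0.conf below).
SERVER_PEERS: Dict[str, List[str]] = {
    "client-a": ["192.168.1.24/32"],
    "client-b": ["192.168.1.25/32"],
}
# Spoke config: everything goes to the hub (AllowedIPs = 0.0.0.0/0).
CLIENT_PEERS: Dict[str, List[str]] = {"server": ["0.0.0.0/0"]}


def _networks(peers: Dict[str, List[str]]):
    return {name: [ipaddress.ip_network(n) for n in nets]
            for name, nets in peers.items()}


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound: the kernel already routed dst to wg0; WireGuard then picks
    the peer whose AllowedIPs contain dst with the longest prefix. With no
    match the packet is dropped (None), so unknown hosts cannot be reached."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in _networks(peers).items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound: a packet decrypted from `peer` is accepted only if its inner
    source address lies inside that peer's AllowedIPs, so one client cannot
    send traffic claiming another client's address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _networks(peers).get(peer, []))


def hub_forward(peers: Dict[str, List[str]], from_peer: str,
                src: str, dst: str) -> Optional[str]:
    """Client-to-client traffic through the hub: accept on ingress, then the
    kernel routes dst back to wg0 and WireGuard selects the target peer."""
    if not accept_inbound(peers, from_peer, src):
        return None
    return select_peer(peers, dst)
```

This is why the server config lists a /32 per peer: AllowedIPs is both the routing table and the source-address filter for each peer.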
Setup
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey
Server setup
- /etc/wireguard/wg0.conf
[Interface]
ListenPort = 12345
PrivateKey = ...

[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32

[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32
Client setup
- /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ...

[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55
Applying changes
wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf
Note:
- setconf: Sets the current configuration of the interface to the contents of the configuration file.
- syncconf: Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
Interface autostart
using ifupdown
# activate on boot
auto wg0
# interface configuration
iface wg0 inet static
address 192.168.1.24/24
pre-up ip link add wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
post-up ...
post-down ...
post-down ip link del wg0
using the wg-quick service
PostUp and PostDown scripting are possible:
- /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
sudo systemctl enable --now wg-quick@wg0