Linux/Wireguard: Difference between revisions

Latest revision as of 16:59, 23 November 2025

Internal Links

Installation

apt install wireguard

Enable IP forwarding

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

reload sysctl

sudo sysctl -p

Generate keys

wg genkey > privatekey                 # generate private key

wg pubkey < privatekey > publickey     # derive public key from private key

Generate ipv6 prefix

date +%s%N
cat /var/lib/dbus/machine-id
printf <timestamp><machine-id> | sha1sum
printf <sha1sum>| cut -c 31-
1a2b3c4d5e
fd1a:2b3c:4d5e::/64    <- subnet
fd1a:2b3c:4d5e::1/64   <- wireguard server ip

Server config

/etc/wireguard/wg0.conf

[Interface]
Address = 10.13.13.1/24, fd12:3456:7890::1/64            # VPN addresses of this machine 
ListenPort = 51820
PrivateKey = {server_privatekey}
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp   = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_homerouter
PublicKey    = {peer_homerouter_publickey}
PresharedKey = {peer_homerouter_presharedkey}
AllowedIPs   = 10.13.13.2/32, 192.168.1.0/24             # send traffic for 10.13.13.2 and 192.168.1.0/24 to this peer

[Peer]
# peer_laptop
PublicKey    = {peer_laptop_publickey}
PresharedKey = {peer_laptop_presharedkey}
AllowedIPs   = 10.13.13.3/32, fd12:3456:7890::3/128

Creating systemd service

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

Status

wg

Client config

homerouter

[Interface]
PrivateKey = {peer_homerouter_privatekey}
Address = 10.13.13.2/32

[Peer]
PublicKey    = {server_publickey}
PresharedKey = {peer_homerouter_presharedkey}
AllowedIPs   = 10.13.13.0/24                     # Send traffic destined for 10.13.13.x through the VPN tunnel 
Endpoint     = {serverhostname}:51820

laptop

[Interface]
PrivateKey = {peer_laptop_privatekey}
Address = 10.13.13.3
Address = fd12:3456:7890::3/128
DNS     = 8.8.8.8

[Peer]
PublicKey    = {server_publickey}
PresharedKey = {peer_laptop_presharedkey}
AllowedIPs   = 0.0.0.0/0, ::/0                        # Send all traffic through tunnel
AllowedIPs   = 10.13.13.0/24, fd12:3456:7890::1/128   # Send traffic destined for 10. + fd12 through tunnel
Endpoint     = {serverhostname}:51820

edge server with passthrough to local network

[Interface]
PrivateKey = {peer_edge_server_privatekey}
Address = 10.13.13.4
Address = fd12:3456:7890::4/128
DNS     = 8.8.8.8
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


[Peer]
PublicKey    = {server_publickey}
PresharedKey = {peer_edge_server_presharedkey}
AllowedIPs   = 10.13.13.0/24                          # send only specific traffic through tunnel
Endpoint     = {serverhostname}:51820