Linux/wireguard: Difference between revisions

mNo edit summary
Line 75: Line 75:
Address = 10.13.13.3
Address = 10.13.13.3
Address = fd12:3456:7890::3/128
Address = fd12:3456:7890::3/128
DNS    = 8.8.8.8


[Peer]
[Peer]
PublicKey =  
PublicKey   = {}
AllowedIPs = 10.13.13.1, fd12:3456:7890::1/128
PresharedKey = {}
EndPoint = serverhostname
AllowedIPs   = 10.13.13.1/32, fd12:3456:7890::1/128
EndPoint     = {serverhostname}:51820
</pre>
</pre>


[[Category:Linux/Network]]
[[Category:Linux/Network]]
[[Category:Linux]]
[[Category:Linux]]
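Review bot: the client's IPv4 line `Address = 10.13.13.3` (unchanged context at the top of this hunk) still has no prefix length, while the IPv6 line has `/128` and the new `AllowedIPs` entry gained `/32`; writing `Address = 10.13.13.3/32` keeps both address lines explicit and matches the `/32` the server side expects for this peer. Two smaller points on the new lines: wg-quick(8) documents the key as `Endpoint`, so the documented spelling is the safer one to copy into a wiki, and the empty `{}` placeholders for `PublicKey` and `PresharedKey` would be clearer named like `{serverhostname}` is (for example `{server_publickey}`) so a reader knows which side's key goes there.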

Revision as of 22:06, 19 November 2023

Installation

apt install wireguard

Enable IP forwarding

  • /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
  • reload sysctl
sudo sysctl -p

Generate keys

Generate ipv6 prefix

ts=$(date +%s%N)                                        # nanosecond timestamp
mid=$(cat /var/lib/dbus/machine-id)                     # per-host identifier
printf '%s%s' "$ts" "$mid" | sha1sum | cut -c 31-40     # last 10 hex chars (40 bits) of the SHA-1
1a2b3c4d5e
fd1a:2b3c:4d5e::/64    <- subnet
fd1a:2b3c:4d5e::1/64   <- wireguard server ip
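The recipe above is the RFC 4193 idea of a locally generated fd00::/8 prefix: hash something time-based together with something host-specific and keep the low 40 bits. The script below is an added example, not part of the wiki page, that turns the recipe into reusable functions and validates the hash fragment before building an address from it. It assumes GNU `date` (for `%N`), `sha1sum` and `cut`, and it falls back to /etc/machine-id when the dbus copy is missing (that fallback is my assumption, not the page's).

```shell
#!/bin/sh
# Added example (not the wiki's own text): derive a ULA /64 for the
# WireGuard subnet the way the page does (timestamp + machine-id, SHA-1,
# low 40 bits) and format the subnet and the server address from it.
# Assumptions: GNU date, sha1sum and cut are present; /etc/machine-id is an
# acceptable fallback for /var/lib/dbus/machine-id.

# Build "fdXX:XXXX:XXXX::/64" from exactly 10 lowercase hex characters
# (the 40-bit Global ID). Anything else is rejected so a truncated or
# uppercase hash fragment cannot silently produce a bogus prefix.
ula_prefix_from_hex() {
    hex=$1
    case $hex in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "expected 10 lowercase hex chars, got: $hex" >&2; return 1 ;;
    esac
    printf 'fd%s:%s:%s::/64\n' \
        "$(printf '%s' "$hex" | cut -c 1-2)" \
        "$(printf '%s' "$hex" | cut -c 3-6)" \
        "$(printf '%s' "$hex" | cut -c 7-10)"
}

# SHA-1 the seed material and keep characters 31-40 of the hex digest,
# i.e. the least significant 40 bits, exactly as the page's `cut -c 31-` does.
hash_seed_to_hex() {
    printf '%s' "$1" | sha1sum | cut -c 31-40
}

# Full recipe from the page: seed = nanosecond timestamp + machine-id.
generate_ula_prefix() {
    ts=$(date +%s%N)
    if [ -r /var/lib/dbus/machine-id ]; then
        mid=$(cat /var/lib/dbus/machine-id)
    else
        mid=$(cat /etc/machine-id)      # assumption: systemd location as fallback
    fi
    ula_prefix_from_hex "$(hash_seed_to_hex "$ts$mid")"
}

# The server takes the first host address of the prefix, as on the page:
# fd1a:2b3c:4d5e::/64 -> fd1a:2b3c:4d5e::1/64
server_address_from_prefix() {
    printf '%s\n' "${1%/64}1/64"
}

# Usage: ./ula.sh --run
if [ "${1:-}" = "--run" ]; then
    p=$(generate_ula_prefix)
    echo "subnet: $p"
    echo "server: $(server_address_from_prefix "$p")"
fi
```

Because the hash only needs to be unique, not secret, reusing the machine-id as seed is fine; what matters is that the resulting /64 is recorded once and then used consistently in the server `Address`, the client `Address` and every `AllowedIPs` entry.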

Server config

  • /etc/wireguard/wg0.conf
[Interface]
Address = 10.13.13.1, fd12:3456:7890::1/64
ListenPort = 51820
PrivateKey = {PrivateKey}
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp   = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_homerouter
PublicKey    = {peer_homerouter_publickey}
PresharedKey = {peer_homerouter_presharedkey}
AllowedIPs   = 10.13.13.2/32, 192.168.1.0/24

[Peer]
# peer_laptop
PublicKey    = {peer_laptop_publickey}
PresharedKey = {peer_laptop_presharedkey}
AllowedIPs   = 10.13.13.3/32, fd12:3456:7890::3/128

Create systemd service

sudo systemctl enable wg-quick@wg0.service

sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service

Status

wg

Client config

[Interface]
PrivateKey = {peer_laptop_privatekey}
Address = 10.13.13.3
Address = fd12:3456:7890::3/128
DNS     = 8.8.8.8

[Peer]
PublicKey    = {}
PresharedKey = {}
AllowedIPs   = 10.13.13.1/32, fd12:3456:7890::1/128
EndPoint     = {serverhostname}:51820
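The "Generate keys" heading above has no body, and the server and client configs are written with placeholders for the key material. The script below is an added example, not text from the wiki, that produces the three secrets a peer needs with the documented wireguard-tools subcommands (`wg genkey`, `wg pubkey`, `wg genpsk`), renders the server's `[Peer]` stanza and the client's wg0.conf with those placeholders filled, and checks that the client's Endpoint actually carries a port. It assumes `wg` is installed, that the server keeps the page's addresses and port 51820, and uses the `Endpoint` spelling that wg-quick(8) documents; the hostname and the key strings in the test are placeholders.

```shell
#!/bin/sh
# Added example (not the wiki's own text): key generation plus rendering of
# the page's server [Peer] stanza and client wg0.conf.
# Assumptions: `wg` from wireguard-tools is installed; the server is
# 10.13.13.1 / fd12:3456:7890::1 on UDP 51820 as on the page.

# Generate privatekey, publickey and presharedkey into DIR with mode 0600:
# the private key and the PSK are secrets and must not be world-readable.
make_peer_keys() {
    dir=$1
    mkdir -p "$dir"
    (
        umask 077
        wg genkey > "$dir/privatekey"
        wg pubkey < "$dir/privatekey" > "$dir/publickey"
        wg genpsk > "$dir/presharedkey"
    )
}

# [Peer] block for the server's wg0.conf. AllowedIPs is the set of source
# addresses the server accepts from (and routes to) this peer, so a laptop
# gets exactly its own /32 and /128 and nothing wider.
render_server_peer() {
    name=$1 pub=$2 psk=$3 v4=$4 v6=$5
    printf '[Peer]\n# %s\n' "$name"
    printf 'PublicKey    = %s\n' "$pub"
    printf 'PresharedKey = %s\n' "$psk"
    printf 'AllowedIPs   = %s/32, %s/128\n' "$v4" "$v6"
}

# Client wg0.conf. AllowedIPs names only the server's tunnel addresses, so
# this is a split tunnel like the page's client config: LAN and Internet
# traffic never enters wg0. Use 0.0.0.0/0, ::/0 instead to route everything.
render_client_conf() {
    priv=$1 server_pub=$2 psk=$3 host=$4 v4=$5 v6=$6
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$priv"
    printf 'Address    = %s/32, %s/128\n' "$v4" "$v6"
    printf 'DNS        = 8.8.8.8\n\n'
    printf '[Peer]\n'
    printf 'PublicKey    = %s\n' "$server_pub"
    printf 'PresharedKey = %s\n' "$psk"
    printf 'AllowedIPs   = 10.13.13.1/32, fd12:3456:7890::1/128\n'
    printf 'Endpoint     = %s:51820\n' "$host"
}

# Sanity check for a client config: the Endpoint line must carry a port
# (an earlier revision of the page had "EndPoint = serverhostname", which
# cannot be dialled). Case-insensitive so EndPoint and Endpoint both count.
endpoint_has_port() {
    printf '%s\n' "$1" |
        grep -Eiq '^endpoint[[:space:]]*=[[:space:]]*[^[:space:]]+:[0-9]+[[:space:]]*$'
}

# Demo: ./peer.sh --demo vpn.example.com   (hostname is a placeholder)
if [ "${1:-}" = "--demo" ]; then
    host=${2:-vpn.example.com}
    make_peer_keys ./keys/server
    make_peer_keys ./keys/laptop
    psk=$(cat ./keys/laptop/presharedkey)      # the same PSK goes on both sides
    render_server_peer peer_laptop "$(cat ./keys/laptop/publickey)" "$psk" \
        10.13.13.3 fd12:3456:7890::3
    echo
    render_client_conf "$(cat ./keys/laptop/privatekey)" \
        "$(cat ./keys/server/publickey)" "$psk" "$host" \
        10.13.13.3 fd12:3456:7890::3
fi
```

The pairing to keep straight is that the server stanza carries the client's public key while the client config carries the server's public key, and the preshared key is the one value that is identical on both sides; the client's private key never leaves the client, which is why the demo only ever prints it into the client's own config.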