Linux/wireguard: Difference between revisions
Changes in this revision (minor edit, section Client config): the homerouter client config was added before the laptop one (the laptop block moves from line 71 to line 96), and in the laptop [Peer] section the truncated "PublicKey = {" was completed to "PublicKey = {server_publickey}".
Revision as of 22:13, 19 November 2023
Installation
apt install wireguard
Enable IP forwarding
- /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
- reload sysctl
sudo sysctl -p
Generate keys
Generate ipv6 prefix
# RFC 4193 style unique local prefix: hash the current time plus the machine id and keep the last 40 bits
date +%s%N
cat /var/lib/dbus/machine-id
printf '%s%s' "$(date +%s%N)" "$(cat /var/lib/dbus/machine-id)" | sha1sum
printf '%s' <sha1sum> | cut -c 31-40
1a2b3c4d5e
fd1a:2b3c:4d5e::/64 <- subnet
fd1a:2b3c:4d5e::1/64 <- wireguard server ip
Server config
- /etc/wireguard/wg0.conf
[Interface]
Address = 10.13.13.1, fd12:3456:7890::1/64
ListenPort = 51820
PrivateKey = {PrivateKey}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer] # peer_homerouter
PublicKey = {peer_homerouter_publickey}
PresharedKey = {peer_homerouter_presharedkey}
AllowedIPs = 10.13.13.2/32, 192.168.1.0/24
[Peer] # peer_laptop
PublicKey = {peer_laptop_publickey}
PresharedKey = {peer_laptop_presharedkey}
AllowedIPs = 10.13.13.3/32, fd12:3456:7890::3/128
Creating systemd service
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
Status
wg
Client config
- homerouter
[Interface]
PrivateKey = {peer_homerouter_privatekey}
Address = 10.13.13.2 # must match the peer_homerouter AllowedIPs in the server config (10.13.13.3 is the laptop)
Address = fd12:3456:7890::2/128 # the server config above must also list fd12:3456:7890::2/128 in this peer's AllowedIPs
DNS = 8.8.8.8
[Peer]
PublicKey = {server_publickey}
PresharedKey = {peer_homerouter_presharedkey} # each peer has its own preshared key, the same value on both sides
AllowedIPs = 0.0.0.0/0, ::/0 # all traffic through tunnel
# AllowedIPs = 10.13.13.1/32, fd12:3456:7890::1/128 # alternative: only specific traffic through tunnel (AllowedIPs lines add up, so use one or the other)
Endpoint = {serverhostname}:51820
- laptop
[Interface]
PrivateKey = {peer_laptop_privatekey}
Address = 10.13.13.3
Address = fd12:3456:7890::3/128
DNS = 8.8.8.8
[Peer]
PublicKey = {server_publickey}
PresharedKey = {peer_laptop_presharedkey}
AllowedIPs = 0.0.0.0/0, ::/0 # all traffic through tunnel
# AllowedIPs = 10.13.13.1/32, fd12:3456:7890::1/128 # alternative: only specific traffic through tunnel (AllowedIPs lines add up, so use one or the other)
Endpoint = {serverhostname}:51820
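Added example, not part of this wiki page: a small Python checker that parses wg-quick configs the way wg reads them (comments stripped, repeated keys kept in order) and compares a client config with the server's [Peer] entry for the mistakes that copy-pasting peer blocks invites: an Address outside the peer's AllowedIPs on the server (cryptokey routing silently drops that traffic), two clients sharing an address, a PresharedKey that differs between the two sides, and two AllowedIPs lines that wg adds together rather than treating as alternatives. The sample configs are constructed from the server peers above plus a homerouter client that copied the laptop's address and preshared key; the function names are my own.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick text into [(section, {key: [values]})]; repeated keys are kept, in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg(8) and wg-quick drop '#' comments, inline ones too
        if not line:
            continue
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        else:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def addrs(values):
    """Flatten comma-separated Address/AllowedIPs values into ip_interface objects."""
    return [ipaddress.ip_interface(v.strip()) for val in values for v in val.split(",")]

def check(server_text, clients):
    """clients maps the PublicKey value of a server [Peer] to that client's config; returns findings."""
    findings, owner = [], {}
    peers = {p["publickey"][0]: p for s, p in parse_wg(server_text) if s == "Peer"}
    for pubkey, text in clients.items():
        peer, client = peers[pubkey], dict(parse_wg(text))
        routed = [i.network for i in addrs(peer.get("allowedips", []))]
        for host in (i.ip for i in addrs(client["Interface"].get("address", []))):
            # cryptokey routing: the server drops packets whose source is outside the peer's AllowedIPs
            if not any(host in n for n in routed):
                findings.append(f"{pubkey}: Address {host} is not in that peer's AllowedIPs on the server")
            if owner.setdefault(host, pubkey) != pubkey:
                findings.append(f"{pubkey}: Address {host} is already used by {owner[host]}")
        if client["Peer"].get("presharedkey") != peer.get("presharedkey"):
            findings.append(f"{pubkey}: PresharedKey differs between client and server")
        lines = client["Peer"].get("allowedips", [])
        if len(lines) > 1 and any(i.network.prefixlen == 0 for i in addrs(lines)):
            findings.append(f"{pubkey}: AllowedIPs lines add up; the 0.0.0.0/0 or ::/0 line makes it a full tunnel")
    return findings

# Constructed sample: the server peers from this page plus a homerouter client that copied the laptop's values.
SERVER = ("[Peer] # peer_homerouter\nPublicKey = {peer_homerouter_publickey}\n"
          "PresharedKey = {peer_homerouter_presharedkey}\nAllowedIPs = 10.13.13.2/32, 192.168.1.0/24\n"
          "[Peer] # peer_laptop\nPublicKey = {peer_laptop_publickey}\n"
          "PresharedKey = {peer_laptop_presharedkey}\nAllowedIPs = 10.13.13.3/32, fd12:3456:7890::3/128\n")
HOMEROUTER = ("[Interface]\nPrivateKey = {peer_homerouter_privatekey}\nAddress = 10.13.13.3\n"
              "[Peer]\nPublicKey = {server_publickey}\nPresharedKey = {peer_laptop_presharedkey}\n"
              "AllowedIPs = 0.0.0.0/0, ::/0 # all traffic\nAllowedIPs = 10.13.13.1/32 # only specific\n")
FINDINGS = check(SERVER, {"{peer_homerouter_publickey}": HOMEROUTER})  # wrong address, wrong PSK, full tunnel
```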