Wireguard
install
- kernel module included since linux kernel 5.6
- use NetworkManager so a user in the network group can add the vpn w/o root
  nmcli connection import type wireguard file ./wg0.conf
  nmcli connection up wg0
  nmcli connection down wg0
- wg-quick for testing
  wg-quick up wg0
  wg-quick down wg0
- systemd unit
  systemctl start wg-quick\@wg0
- systemd override with upnpc, for nat plug n play behind routers/firewalls
  systemctl edit wg-quick\@wg0
  creates /etc/systemd/system/wg-quick@wg0.service.d/override.conf with
    [Service]
    ExecStartPost=/usr/bin/upnpc -e WireGuard -r 42069 UDP
    ExecStopPost=/usr/bin/upnpc -d 42069 UDP
- Config
- enable ip forwarding in /etc/sysctl.d/90-override.conf
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1
- server config, with eno1 as the upstream interface in the forwarding/nat rules (%i expands to the wg interface name)
    [Interface]
    PrivateKey = PRIVATEKEY1
    Address = 10.0.0.1/24
    ListenPort = 42069
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
    [Peer] # laptop
    PublicKey = PUBKEY2
    PresharedKey = PSK2
    AllowedIPs = 10.0.0.2/32
    [Peer] # phone
    PublicKey = PUBKEY3
    PresharedKey = PSK3
    AllowedIPs = 10.0.0.3/32
- client config (phone)
    [Interface]
    PrivateKey = PRIVATEKEY3
    Address = 10.0.0.3/32
    #DNS = 10.0.0.1
    [Peer] # server
    PublicKey = PUBKEY1 # the server's public key (derived from PRIVATEKEY1), not the client's own
    PresharedKey = PSK3 # same psk as in the server's phone [Peer]
    AllowedIPs = 0.0.0.0/0, ::/0 # all traffic
    Endpoint = 127.0.0.1:42069 # placeholder, use the server's public address
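Added example, not from these notes: a small Python check that reads a server config and a client config like the ones above and flags the mistakes this kind of hand-written pair is prone to: the client's [Peer] PublicKey not being the server's key, the client Address not being covered by any server [Peer] AllowedIPs, or a PresharedKey mismatch between the two sides. The sample configs and key names (PUBKEY1, PSK3, ...) are constructed placeholders, not real keys.

```python
import ipaddress
# Constructed sample configs using the page's placeholder key names, not real keys.
SERVER_CONF = """[Interface]
PrivateKey = PRIVATEKEY1
Address = 10.0.0.1/24
[Peer] # phone
PublicKey = PUBKEY3
PresharedKey = PSK3
AllowedIPs = 10.0.0.3/32
"""
PHONE_CONF = """[Interface]
PrivateKey = PRIVATEKEY3
Address = 10.0.0.3/32
[Peer] # server
PublicKey = PUBKEY3
PresharedKey = PSK3
AllowedIPs = 0.0.0.0/0, ::/0 # all traffic
"""

def parse_wg(text):
    # [Peer] repeats in a wg config, so configparser cannot be used directly.
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # wg(8) allows '#' comments anywhere
        if line.startswith("["):
            cur = iface if line.strip("[] ") == "Interface" else {}
            if cur is not iface:
                peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]

def check_pair(server_conf, client_conf, server_pubkey):
    # Cross-check one client config against the server config; returns a list of problems.
    _, server_peers = parse_wg(server_conf)
    client_iface, (peer,) = parse_wg(client_conf)   # a road-warrior client has one peer
    problems = []
    if peer.get("PublicKey") != server_pubkey:
        problems.append("client [Peer] PublicKey must be the server's public key")
    addr = ipaddress.ip_interface(client_iface["Address"]).ip
    owners = [p for p in server_peers if any(addr in n for n in allowed_networks(p))]
    if not owners:
        problems.append(f"no server [Peer] has AllowedIPs covering {addr}")
    elif owners[0].get("PresharedKey") != peer.get("PresharedKey"):
        problems.append("PresharedKey differs between server and client peer sections")
    return problems
```

Run against the sample pair, `check_pair(SERVER_CONF, PHONE_CONF, "PUBKEY1")` reports the mis-keyed client peer; after correcting the PublicKey it returns an empty list.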
- runs over udp
- ufw rule w/o nat
  ufw route allow in on wg0 out on eno1
- reload the config without dropping client sessions
  wg syncconf wg0 <(wg-quick strip wg0)
- ipv6 addresses starting with fe80:: are link-local (instead of nat66 with pcp)
- store wg keys in pass using process substitution (example from wg-quick(8); PostUp runs under bash)
  PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")
- https://github.com/nitred/nr-wg-mtu-finder to find the best MTU setting