Revision 13 as of 2023-04-06 23:12:46
WireGuard
WireGuard is a tunnel protocol and the reference implementation (wg(8)) of the protocol.
Installation
Install the wireguard and wireguard-tools packages from your package manager of choice.
Setup
FreeBSD Server
Generate a private/public pair of keys.
wg genkey | tee privatekey | wg pubkey > publickey
Create an interface file at /usr/local/etc/wireguard/wg0.conf.
[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
Test the configuration by running:
sudo wg-quick up wg0
Use pf(4) to NAT traffic arriving on the wg0 interface out of the external interface. See pf.conf(5) for details of this basic configuration.
# external and tunnel interfaces; change ext_if to match your NIC
ext_if="genet0"
int_if="wg0"
private_net="{ 10.0.0.0/8 }"
nat on $ext_if from $private_net to any -> ($ext_if)
Finally, set WireGuard to run on startup by adding the below to /etc/rc.conf:
wireguard_enable="YES"
wireguard_interfaces="wg0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"
Linux Server
Generate a private/public pair of keys.
wg genkey | tee privatekey | wg pubkey > publickey
Create an interface file at /etc/wireguard/wg0.conf.
[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
# eth0 is the external interface; the forwarding and NAT rules are added when the tunnel comes up and removed when it goes down.
# The kernel must also have forwarding enabled (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctls).
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
Test the configuration by running:
sudo wg-quick up wg0
For systemd-capable systems, start and enable wg-quick@wg0.service.
Linux or BSD Peer
Generate a pair of keys, as above. Create an interface file at /etc/wireguard/wg0.conf.
[Interface]
PrivateKey = <your local private key here>
# The tunnel addresses must fall inside the AllowedIPs the server lists for this peer
# (10.0.0.2/32 and fdc9:281f:04d7:9ee9::2/128 above), otherwise the server drops its packets.
Address = 10.0.0.2/24, fdc9:281f:04d7:9ee9::2/64
ListenPort = <your local port number>

[Peer]
PublicKey = <your remote public key here>
AllowedIPs = 0.0.0.0/0, ::/0
# Endpoint takes host:port; 51820 matches the server's ListenPort above
Endpoint = <your remote host>:51820
PersistentKeepalive = 25
wg0, the WireGuard interface, can be set live or killed using:
wg-quick up wg0
wg-quick down wg0
Set to run on startup as above.
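As an added example (not from the wiki and not WireGuard's own tooling), the following Python cross-checks a peer's wg-quick config against the server's: cryptokey routing means the server only accepts packets whose source address lies inside the AllowedIPs it lists for that peer, and Endpoint must carry a port. The embedded configs are constructed; the peer's IPv6 address deliberately sits in a different ULA prefix than the server's AllowedIPs so the check has something to flag.

```python
import ipaddress
import re

def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface, [peers]); keys lowercased, '#' comments dropped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers

def check_peer_against_server(server_text, peer_text, peer_pubkey):
    """List why this peer's tunnel would not carry traffic; [] means the two configs agree."""
    _, server_peers = parse_wg_conf(server_text)
    peer_iface, peer_peers = parse_wg_conf(peer_text)
    entry = next((p for p in server_peers if p.get("publickey") == peer_pubkey), None)
    if entry is None:
        return [f"server lists no [Peer] with PublicKey {peer_pubkey}"]
    # The server's AllowedIPs for this peer is its cryptokey routing table: decrypted packets from other source addresses are dropped.
    allowed = [ipaddress.ip_network(v.strip(), strict=False) for v in entry.get("allowedips", "").split(",") if v.strip()]
    problems = []
    for item in (a.strip() for a in peer_iface.get("address", "").split(",") if a.strip()):
        ip = ipaddress.ip_interface(item).ip
        if not any(ip in net for net in allowed):
            problems.append(f"peer address {ip} is outside the server's AllowedIPs for it")
    for p in peer_peers:  # wg(8) needs host:port; a bare host fails at 'wg-quick up'
        if not re.fullmatch(r"(\[[0-9a-fA-F:]+\]|[^:\s]+):\d{1,5}", p.get("endpoint", "")):
            problems.append(f"Endpoint {p.get('endpoint')!r} lacks a port")
    return problems

# Constructed sample configs in the wiki's layout; key values are placeholders, not real keys.
SERVER_CONF = """[Interface]
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64  # server end of the tunnel
[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
"""
PEER_CONF = """[Interface]
Address = 10.0.0.2/24, fd86:ea04:1115::2/64
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
"""
```

Run it against your real wg0.conf files before bringing the tunnel up; a mismatch shows up as a silent handshake-without-traffic rather than an error.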
Android Peer
Download the WireGuard app from the Google Play Store. A keypair is automatically generated, and most settings have a sensible default.
Enter the server's public key and endpoint. To use the server as a tunnel, set Allowed IPs to 0.0.0.0/0, ::/0. Otherwise consider using something like 10.0.0.2/24, fd86:ea04:1115::2/64, which should cover all peers on the network.