WireGuard
Installation
Install the wireguard and wireguard-tools packages from your package manager of choice.
Setup
FreeBSD Server
Configure pf to tunnel network traffic from the wg0 interface to the external interface.
ext_if="genet0"
int_if="wg0"
private_net="{ 10.0.0.0/8 }"
nat on $ext_if from $private_net to any -> ($ext_if)wireguard_enable="YES" wireguard_interfaces="wg0" pf_enable="YES" pf_rules="/usr/local/etc/pf.conf"
Linux Server
Generate a private/public pair of keys.
wg genkey | tee privatekey | wg pubkey > publickey
Create an interface file at /etc/wireguard/wg0.conf.
[Interface] PrivateKey = <your remote private key here> Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64 ListenPort = 51820 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Peer 1 [Peer] PublicKey = <your local public key here> AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
Test the configuration by running:
sudo wg-quick up wg0
For systemd-capable systems, set !WireGuard to run persistently by starting and enabling [email protected].
Linux Peer
Generate a pair of keys, as above. Create an interface file at /etc/wireguard/wg0.conf.
[Interface] PrivateKey = <your local private key here> Address = 10.0.0.2/24, fd86:ea04:1115::2/64 ListenPort = <your local port number> [Peer] PublicKey = <your remote public key here> AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = <your remote host> PersistentKeepalive = 25
wg0, the !WireGuard interface, can be set live or killed using:
wg-quick up wg0 wg-quick down wg0