WireGuard

!WireGuard is a tunnel protocol and the reference implementation (wg(8)) of the protocol.

Contents

  1. WireGuard
    1. Installation
    2. Setup
      1. FreeBSD Server
      2. Linux Server
      3. Linux or BSD Peer
      4. Android Peer
    3. See also

Installation

Install the wireguard and wireguard-tools packages from your package manager of choice.

Setup

FreeBSD Server

Generate a private/public pair of keys. 

wg genkey | tee privatekey | wg pubkey > publickey

Create an interface file at /usr/local/etc/wireguard/wg0.conf. 

[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128

Test the configuration by running: 

sudo wg-quick up wg0

Use pf(4) to tunnel network traffic from the wg0 interface to the external interface. See pf.conf(5) for details on this basic configuration. 

ext_if="genet0"
int_if="wg0"
private_net="{ 10.0.0.0/8 }"

nat on $ext_if from $private_net to any -> ($ext_if)

Finally, set !WireGuard to run on startup be adding the below to /etc/rc.conf: 

wireguard_enable="YES"
wireguard_interfaces="wg0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/usr/local/etc/pf.conf"

Linux Server

Generate a private/public pair of keys. 

wg genkey | tee privatekey | wg pubkey > publickey

Create an interface file at /etc/wireguard/wg0.conf. 

[Interface]
PrivateKey = <your remote private key here>
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer 1
[Peer]
PublicKey = <your local public key here>
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128

Test the configuration by running: 

sudo wg-quick up wg0

For systemd-capable systems, start and enable [email protected].

Linux or BSD Peer

Generate a pair of keys, as above. Create an interface file at /etc/wireguard/wg0.conf. 

[Interface]
PrivateKey = <your local private key here>
Address = 10.0.0.2/24, fd86:ea04:1115::2/64
ListenPort = <your local port number>

[Peer]
PublicKey = <your remote public key here>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <your remote host>
PersistentKeepalive = 25

wg0, the !WireGuard interface, can be set live or killed using: 

wg-quick up wg0
wg-quick down wg0

Set to run on startup as above.

Android Peer

Download the !WireGuard app from the Google Play Store. A keypair is automatically generated, and most settings have a sensible default.

Enter the server's public key and endpoint. to use the server as a tunnel, set Allowed IPs to 0.0.0.0/0, ::/0. Otherwise consider using something like 10.0.0.2/24, fd86:ea04:1115::2/64 which should cover all peers on the network.

See also

wg(8)

wg-quick(8)

CategoryRicottone

Encryption/WireGuard (last edited 2023-04-06 23:12:46 by DominicRicottone)