====== Wireguard ======

  * [[https://www.wireguard.com/netns/]]
  * [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]]

''/24'' subnet routing (all tunnel addresses taken from one ''/24''):

  * Kernel: the ''/24'' route that comes with the interface address sends every packet for the subnet to the WG interface.
  * WG, outbound: the destination address is matched against the ''AllowedIPs'' of all peers (longest prefix wins) to pick the peer the packet is encrypted to; a destination no peer claims is dropped.
  * WG, inbound: a decrypted packet is accepted only if its source address is inside the sending peer's ''AllowedIPs'' (the cryptokey routing check).
  * Hub: a packet from one peer addressed to another peer is delivered to the hub's kernel, forwarded back into the WG interface and matched against ''AllowedIPs'' again. This needs ''net.ipv4.ip_forward=1'' and a ''FORWARD'' chain that allows ''wg0'' to ''wg0'' on the hub.

Tested on a ''star'' topology, where one peer with an external IP accepts connections from the other peers. All peers were in one ''/24'' subnet.

NOTE: trying to ''MESH'' with ''/24'' doesn't work. When an additional P2P connection between two "client" peers was added, the connection to the "server" peer stopped working. If the P2P peer was given the whole ''192.168.1.0/24'' as ''AllowedIPs'', this is exactly what cryptokey routing does: a prefix belongs to exactly one peer and the longest prefix wins, so the ''/24'' takes the whole subnet, the server's own address included, away from the ''0.0.0.0/0'' server peer. A direct peer must get only its own ''/32''.

===== Setup =====

<code bash>
cd /etc/wireguard
umask 077   # key files are created unreadable to others, no window before the chmod
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey
</code>

===== Server setup =====

<code>
[Interface]
ListenPort = 12345
PrivateKey = ...

[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32

[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32
</code>

===== Client setup =====

<code>
[Interface]
PrivateKey = ...

[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55
</code>

''AllowedIPs = 0.0.0.0/0'' on the client only means "accept packets from the server with any source address, and encrypt to the server whatever the kernel routes into ''wg0''"; what actually enters the tunnel is decided by the kernel route, which with the ''ifupdown'' setup below is just the ''/24'' of the interface address. Under ''wg-quick'' the same line would additionally install a default route through the tunnel (full tunnel). The client trusts the server to originate traffic from any address inside the tunnel; that is what lets the hub forward the other peers' packets.

===== Applying changes =====

<code bash>
wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf
</code>

Note:
  * ''setconf'': sets the current configuration of the interface to the contents of the configuration file, dropping current peer sessions.
  * ''syncconf'': like ''setconf'', but reads back the existing configuration first and only makes the changes that are explicitly different between the configuration file and the interface. This is much less efficient than ''setconf'', but has the benefit of not disrupting current peer sessions.
  * Both accept only the ''wg(8)'' keys (''PrivateKey'', ''ListenPort'', ''FwMark'' in ''[Interface]'' plus the ''[Peer]'' keys). A file containing ''wg-quick''-only keys such as ''Address'', ''PostUp'' or ''SaveConfig'' is rejected.

===== Interface autostart =====

==== using ifupdown ====

<code>
# activate on boot
auto wg0

# interface configuration
iface wg0 inet static
    address 192.168.1.24/24
    pre-up ip link add wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ...
    post-down ...
    post-down ip link del wg0
</code>

==== using wg-quick service ====

''PostUp'' and ''PostDown'' scripting are possible:

<code>
[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
</code>

<code bash>
sudo systemctl enable --now wg-quick@wg0
</code>

Notes:
  * ''%i'' is replaced by the interface name (''wg0'').
  * ''SaveConfig = true'' makes ''wg-quick down'' overwrite the file with the running state: comments and hand edits are lost, and peers added at runtime with ''wg set'' become permanent.
  * The ''MASQUERADE'' rule turns the host into a NAT gateway for peer traffic leaving via ''eth0''; it is only needed if peers route more than the tunnel subnet through this host. The ''FORWARD'' rules as written allow all forwarding into and out of ''%i''.
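The routing rules from the first section and the ''setconf'' restriction can be checked offline. The following Python script is an added example, not code from this page or from the WireGuard project: it parses the ''[Interface]''/''[Peer]'' config format used above, simulates cryptokey routing (one owner per prefix, longest prefix wins) and lists the ''[Interface]'' keys that ''wg setconf'' would reject. The configs, the placeholder keys (''srv'', ''cb'') and the server's tunnel address ''192.168.1.1'' are constructed assumptions; the ''P2P_WHOLE_SUBNET'' case assumes that the extra peer in the NOTE above was given the whole ''/24''.

```python
"""Simulate WireGuard cryptokey routing (AllowedIPs) and pre-check a config for
`wg setconf`. Added example; keys and addresses below are constructed placeholders."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Keys that wg-quick(8) interprets itself; wg(8) setconf/syncconf reject a file
# containing them, so a wg-quick config cannot be fed to setconf unmodified.
WG_QUICK_ONLY = {"Address", "DNS", "MTU", "Table", "PreUp", "PostUp",
                 "PreDown", "PostDown", "SaveConfig"}

Section = Dict[str, str]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse the INI-like [Interface]/[Peer] format into (interface, peers)."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def setconf_incompatible_keys(interface: Section) -> List[str]:
    """Interface keys that would make `wg setconf` / `wg syncconf` fail."""
    return sorted(k for k in interface if k in WG_QUICK_ONLY)


def build_routing_table(peers: List[Section]) -> Dict[Network, str]:
    """Cryptokey routing table keyed by prefix. A prefix belongs to exactly one
    peer: assigning it again in a later [Peer] takes it from the earlier one."""
    table: Dict[Network, str] = {}
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            if cidr.strip():
                table[ipaddress.ip_network(cidr.strip(), strict=False)] = peer["PublicKey"]
    return table


def route(table: Dict[Network, str], dst: str) -> Optional[str]:
    """Outbound lookup as WireGuard does it: longest-prefix match, None if no peer
    claims dst. Inbound is the mirror check: a packet from a peer is dropped unless
    its source address falls inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen, default=None)
    return table[best] if best is not None else None


def next_hop(conf_text: str, dst: str) -> Optional[str]:
    """Public key of the peer that would carry a packet to dst under this config."""
    _, peers = parse_conf(conf_text)
    return route(build_routing_table(peers), dst)


# Constructed client config for the page's star topology: this peer is 192.168.1.24
# and reaches every other peer through the server (placeholder public key "srv").
CLIENT_A = """
[Interface]
PrivateKey = <client-a-privkey>

[Peer]
PublicKey = srv
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55
"""

# The same client with a direct peer "cb" (192.168.1.25) added in two ways.
P2P_WHOLE_SUBNET = "\n[Peer]\nPublicKey = cb\nAllowedIPs = 192.168.1.0/24\n"
P2P_HOST_ONLY = "\n[Peer]\nPublicKey = cb\nAllowedIPs = 192.168.1.25/32\n"

# Constructed wg-quick style config (values shortened from the page's last section).
WGQUICK = """
[Interface]
Address = 192.168.1.1/24
ListenPort = 12345
PrivateKey = <server-privkey>
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
"""

SERVER_TUNNEL_IP = "192.168.1.1"   # assumed address of the server peer inside the /24

if __name__ == "__main__":
    for label, conf in (("star", CLIENT_A), ("mesh /24", CLIENT_A + P2P_WHOLE_SUBNET),
                        ("mesh /32", CLIENT_A + P2P_HOST_ONLY)):
        print(f"{label:9} -> .25 via {next_hop(conf, '192.168.1.25')}, "
              f"server via {next_hop(conf, SERVER_TUNNEL_IP)}")
    print("setconf rejects:", setconf_incompatible_keys(parse_conf(WGQUICK)[0]))
```

In the ''mesh /24'' case the server's own tunnel address is answered by ''cb'', which is the symptom from the NOTE: the hub becomes unreachable as soon as another peer owns a more specific prefix covering it. With a ''/32'' per direct peer the ''0.0.0.0/0'' entry still carries everything else to the server.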