====== Wireguard ======
* [[https://www.wireguard.com/netns/]]
* [[https://www.procustodibus.com/blog/2021/10/ha-wireguard-site-to-site/|High Availability WireGuard Site to Site]]
''/24'' subnet routing:
* Kernel: traffic to the ''/24'' subnet is directed to the WG interface by the kernel routing table
* WG: if the routed IP is covered by a peer's ''AllowedIPs'', WG accepts this traffic
* WG: if the routed IP belongs to one of the known peers, WG routes it to that peer automatically
Tested on a ''star'' topology, where one peer with an external IP accepts connections from the other peers.
All peers were in one ''/24'' subnet.
NOTE: trying to ''MESH'' with ''/24'' doesn't work. When an additional P2P connection between two "client" peers was added, the connection to the "server" peer stopped working.
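To see why the mesh attempt breaks the star, the following added example (not part of these notes) parses a wg(8)-style config and applies WireGuard's cryptokey routing rule: a packet goes to the peer with the longest matching ''AllowedIPs'' prefix, and a prefix listed for two peers belongs to the one configured last. It assumes placeholder keys, the client config from the "Client setup" section below, and ''192.168.1.1'' as the server's tunnel address.

```python
import ipaddress

def parse_wg_conf(text):
    """Split a wg(8)/wg-quick config into (interface, [peers]); configparser
    is avoided because the file repeats the [Peer] section name."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            section = {}
            peers.append(section)
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return interface, peers

def allowed_networks(peer):
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]

def cryptokey_route(peers, ip):
    """Index of the peer WireGuard would send `ip` to (None if no peer lists
    it): longest AllowedIPs prefix wins, ties go to the peer configured last."""
    addr, best, best_len = ipaddress.ip_address(ip), None, -1
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if addr in net and net.prefixlen >= best_len:
                best, best_len = idx, net.prefixlen
    return best

# Constructed client config for the star layout: one server peer, keys are placeholders.
STAR_CLIENT = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
"""
# Same client after a second "client" peer is added claiming the whole /24 (mesh attempt).
MESH_CLIENT = STAR_CLIENT + """\
[Peer]
PublicKey = OTHER_CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.1.0/24
"""
```

With ''MESH_CLIENT'', ''cryptokey_route(peers, "192.168.1.1")'' returns the second peer, so every packet for the server's tunnel address is handed to the other client and the server becomes unreachable, which matches the observation above.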
===== Setup =====
<code bash>
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey
</code>
===== Server setup =====
<code ini>
[Interface]
ListenPort = 12345
PrivateKey = ...
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32
</code>
===== Client setup =====
<code ini>
[Interface]
PrivateKey = ...
[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55
</code>
===== Applying changes =====
<code bash>
wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf
</code>
Note:
* ''setconf'': sets the current configuration of the interface to the contents of the configuration file
* ''syncconf'': like ''setconf'', but reads back the existing configuration first and only makes the changes that are explicitly different between the configuration file and the interface. This is much less efficient than ''setconf'', but has the benefit of not disrupting current peer sessions.
===== Interface autostart =====
==== using ifupdown ====
<code>
# activate on boot
auto wg0
# interface configuration
iface wg0 inet static
address 192.168.1.24/24
pre-up ip link add wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
post-up ...
post-down ...
post-down ip link del wg0
</code>
==== using wg-quick service ====
''PostUp'' and ''PostDown'' scripting is possible:
<code ini>
[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
</code>
<code bash>
sudo systemctl enable --now wg-quick@wg0
</code>