Table of Contents

Wireguard

/24 subnet routing:

Tested on star topology, where one peer with external IP accepts connection from others peers. All peers were in one /24 subnet.

NOTE: trying to MESH with /24 doesn't work. When additional P2P connection between two “client” peers was added, connection to “server” peer stop working.

Setup

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey

Server setup

/etc/wireguard/wg0.conf
[Interface]
ListenPort = 12345
PrivateKey = ...
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32

Client setup

/etc/wireguard/wg0.conf
[Interface]
PrivateKey = ...
 
[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55

Applying changes

wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf

Note:

Interface autostart

using ifupdown

# activate on boot
auto wg0
# interface configuration
iface wg0 inet static
    address 192.168.1.24/24
    pre-up ip link add wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
 
    post-up ...
 
    post-down ...
    post-down ip link del wg0

using wgquick service

PostUp and PostDown scripting are possible:

/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
sudo systemctl enable --now wg-quick@wg0