/24
subnet routing:
/24
subnet will be directed to WG interface by KernelAllowedIPs
in WG, WG will accept this traffic.
Tested on star
topology, where one peer with external IP accepts connection from others peers.
All peers were in one /24
subnet.
NOTE: trying to MESH
with /24
doesn't work. When additional P2P connection between two “client” peers was added, connection to “server” peer stop working.
cd /etc/wireguard wg genkey | tee privatekey | wg pubkey > publickey chmod 400 publickey privatekey
[Interface] ListenPort = 12345 PrivateKey = ... [Peer] PublicKey = ... AllowedIPs = 192.168.1.24/32 [Peer] PublicKey = ... AllowedIPs = 192.168.1.25/32
[Interface] PrivateKey = ... [Peer] PublicKey = ... Endpoint = ip1.example.com:12345 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 55
wg syncconf wg0 /etc/wireguard/wg0.conf #wg setconf wg0 /etc/wireguard/wg0.conf
Note:
setconf
Sets the current configuration of interface to the contents of configuration filesyncconf
Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.# activate on boot auto wg0 # interface configuration iface wg0 inet static address 192.168.1.24/24 pre-up ip link add wg0 type wireguard pre-up wg setconf wg0 /etc/wireguard/wg0.conf post-up ... post-down ... post-down ip link del wg0
PostUp
and PostDown
scripting are possible:
[Interface] Address = 192.168.x.1/24 ListenPort = ... PrivateKey = ... SaveConfig = true PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
sudo systemctl enable --now wg-quick@wg0