WireGuard

/24 subnet routing:

  • Kernel: traffic to the /24 subnet is directed to the WG interface by the kernel routing table.
  • WG: if the routed IP is covered by a peer's AllowedIPs, WG accepts the traffic.
  • WG: if the routed IP belongs to one of the known peers, WG routes it to that peer automatically.

Tested on a star topology, where one peer with an external IP accepts connections from the other peers. All peers were in one /24 subnet.

NOTE: trying to MESH with /24 doesn't work. When an additional P2P connection between two "client" peers was added, the connection to the "server" peer stopped working.
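An added example, not from this page, that models the AllowedIPs rule from the bullets above: WireGuard keeps a single cryptokey routing table in which each prefix belongs to exactly one peer, and a peer configured later that claims the same prefix takes it over. The sample config, keys and addresses are constructed; the second peer is given 0.0.0.0/0 as well, which is an assumed (plausible, not confirmed by the page) way the mesh failure in the note can arise.

```python
import ipaddress

# Constructed sample (hypothetical keys): the page's client config with a second,
# direct peer added, where both peers carry the default route 0.0.0.0/0.
MESH_CONF = """\
[Interface]

[Peer]
PublicKey = SERVER_KEY
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0

[Peer]
PublicKey = CLIENT25_KEY
AllowedIPs = 192.168.1.25/32, 0.0.0.0/0
"""

def parse_peers(text):
    """Return [(PublicKey, [AllowedIPs networks])] in file order; '#' starts a comment."""
    peers, key, nets = [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            if key: peers.append((key, nets))
            key, nets = None, []
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == "publickey": key = v
            elif k.lower() == "allowedips":
                nets += [ipaddress.ip_network(n.strip(), strict=False) for n in v.split(",")]
    if key: peers.append((key, nets))
    return peers

def cryptokey_table(peers):
    """Apply AllowedIPs in order. A prefix can belong to only one peer: when a
    later peer claims it, wg moves it silently, so those moves are returned too."""
    table, stolen = {}, []
    for key, nets in peers:
        for net in nets:
            if net in table and table[net] != key:
                stolen.append((str(net), table[net], key))
            table[net] = key
    return table, stolen

def route(table, dst):
    """Longest-prefix match over AllowedIPs, as wg does for outgoing packets;
    None means no peer matches and the packet is dropped."""
    ip = ipaddress.ip_address(dst)
    hits = [n for n in table if ip in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None
```

Running `cryptokey_table(parse_peers(MESH_CONF))` reports the default route moving from SERVER_KEY to CLIENT25_KEY, so every destination not covered by a more specific prefix now goes to the second client; giving the second peer only its own /32 leaves the server's route intact.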

Setup

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 400 publickey privatekey

Server setup

/etc/wireguard/wg0.conf
[Interface]
ListenPort = 12345
PrivateKey = ...
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.24/32
 
[Peer]
PublicKey = ...
AllowedIPs = 192.168.1.25/32

Client setup

/etc/wireguard/wg0.conf
[Interface]
PrivateKey = ...
 
[Peer]
PublicKey = ...
Endpoint = ip1.example.com:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 55

Applying changes

wg syncconf wg0 /etc/wireguard/wg0.conf
#wg setconf wg0 /etc/wireguard/wg0.conf

Note:

  • setconf: sets the current configuration of the interface to the contents of the configuration file.
  • syncconf: like setconf, but reads back the existing configuration first and only makes the changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.

Interface autostart

using ifupdown

# activate on boot
auto wg0
# interface configuration
iface wg0 inet static
    address 192.168.1.24/24
    pre-up ip link add wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
 
    post-up ...
 
    post-down ...
    post-down ip link del wg0

using the wg-quick service

PostUp and PostDown scripting are possible:

/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.x.1/24
ListenPort = ...
PrivateKey = ...
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT

sudo systemctl enable --now wg-quick@wg0