meta data for this page
Wireguard
/24
subnet routing:
- Kernel: traffic to
/24
subnet will be directed to WG interface by Kernel - WG: if routed IP is in
AllowedIPs
in WG, WG will accept this traffic. - WG: if routed IP belongs to one of known peers, it will route it automatically
Tested on star
topology, where one peer with external IP accepts connection from others peers.
All peers were in one /24
subnet.
NOTE: trying to MESH
with /24
doesn't work. When additional P2P connection between two “client” peers was added, connection to “server” peer stop working.
Setup
cd /etc/wireguard wg genkey | tee privatekey | wg pubkey > publickey chmod 400 publickey privatekey
Server setup
- /etc/wireguard/wg0.conf
[Interface] ListenPort = 12345 PrivateKey = ... [Peer] PublicKey = ... AllowedIPs = 192.168.1.24/32 [Peer] PublicKey = ... AllowedIPs = 192.168.1.25/32
Client setup
- /etc/wireguard/wg0.conf
[Interface] PrivateKey = ... [Peer] PublicKey = ... Endpoint = ip1.example.com:12345 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 55
Applying changes
wg syncconf wg0 /etc/wireguard/wg0.conf #wg setconf wg0 /etc/wireguard/wg0.conf
Note:
setconf
Sets the current configuration of interface to the contents of configuration filesyncconf
Like setconf, but reads back the existing configuration first and only makes changes that are explicitly different between the configuration file and the interface. This is much less efficient than setconf, but has the benefit of not disrupting current peer sessions.
Interface autostart
using ifupdown
# activate on boot auto wg0 # interface configuration iface wg0 inet static address 192.168.1.24/24 pre-up ip link add wg0 type wireguard pre-up wg setconf wg0 /etc/wireguard/wg0.conf post-up ... post-down ... post-down ip link del wg0
using wgquick service
PostUp
and PostDown
scripting are possible:
- /etc/wireguard/wg0.conf
[Interface] Address = 192.168.x.1/24 ListenPort = ... PrivateKey = ... SaveConfig = true PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
sudo systemctl enable --now wg-quick@wg0