---
|
|
|
|
title: "wireguard"
tags: [ "Documentation", "Networking", "VPN" ]
---
|
|
|
|
<!--
|
|
|
|
from
|
|
|
|
https://engineerworkshop.com/blog/how-to-set-up-wireguard-on-a-raspberry-pi/
|
|
|
|
-->
|
|
|
|
|
|
|
|
## On Server
|
|
|
|
|
|
|
|
Install `wireguard-tools` on the server.
```bash
|
|
|
|
# Become root: the remaining server steps write key material into /etc/wireguard and manage systemd units.
sudo -i
|
|
|
|
```
```bash
|
|
|
|
# Keys and configs are kept here; wg-quick looks up <interface>.conf in this directory.
cd /etc/wireguard
|
|
|
|
```
Restrict the permissions of everything created in this shell from now on, so the key files generated below are readable only by root:

```bash
umask 077
```
```bash
|
|
|
|
# Server key pair. server_private_key must never leave this host; server_public_key is what clients are given.
wg genkey | tee server_private_key | wg pubkey > server_public_key
|
|
|
|
```
```bash
|
|
|
|
# Client key pair, generated on the server for convenience. This leaves a copy of the client's
# private key on the server: preferably run `wg genkey` on the client itself and copy only the
# public key back, or delete client_private_key here once it has been moved to the client.
wg genkey | tee client_private_key | wg pubkey > client_public_key
|
|
|
|
```
```bash
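# Upstream (internet-facing) interface that tunnel traffic is NATed out of. It is not
# always eth0; check with `ip route get 1.1.1.1`.
wan_if=eth0

# Write the server config. The heredoc is unquoted so $(cat ...) and $wan_if expand now;
# %i is left alone and expanded by wg-quick to the interface name (wg0).
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.0.0.1/24
# SaveConfig = true makes wg-quick rewrite this file on 'down', dropping comments and any
# edits made while the interface was up. Set it to false if you maintain the file by hand.
SaveConfig = true
PrivateKey = $(cat server_private_key)
ListenPort = 51900

# Allow forwarding to/from the tunnel and NAT tunnel traffic out of $wan_if.
# If the host firewall default-denies INPUT, inbound UDP 51900 must be allowed separately.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE

[Peer]
PublicKey = $(cat client_public_key)
# Cryptokey routing: only packets with this source address are accepted from this peer,
# and only packets for this address are sent to it.
AllowedIPs = 10.0.0.2/32
EOF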
```
```bash
|
|
|
|
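# Enable IPv4 forwarding so the server can route packets between wg0 and the upstream
# interface. Writing the file alone only takes effect on the next boot; apply it now too.
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/wg.conf
sysctl -p /etc/sysctl.d/wg.conf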
|
|
|
|
```
```bash
|
|
|
|
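# Bring wg0 up now and on every boot. The template unit is wg-quick@<interface>
# (the original had a typo, "wg-quiqck", which systemd rejects as an unknown unit).
systemctl enable --now wg-quick@wg0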
|
|
|
|
```
```bash
|
|
|
|
# Ensure every key and config under /etc/wireguard is owned by root before tightening modes.
chown -R root:root /etc/wireguard/
|
|
|
|
```
```bash
|
|
|
|
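# Remove group/other access from the directory and everything in it (private keys and
# configs). Operate on the directory itself rather than a glob: the original used '\*',
# which the shell treats as a literal '*', so nothing matched and the keys stayed as created.
chmod -R og-rwx /etc/wireguard/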
|
|
|
|
```
On your router, forward **UDP** port 51900 (WireGuard uses UDP only) to the server's LAN address. If the server runs its own firewall with a default-deny `INPUT` policy, allow inbound UDP 51900 there as well; the `PostUp` rules above only cover forwarding and NAT.
|
|
|
|
|
|
|
|
## Client
|
|
|
|
|
|
|
|
Be root.
|
|
|
|
|
|
|
|
Install `wireguard-tools` on the client.
|
|
|
|
|
|
|
|
Copy `client_private_key` and `server_public_key` from the server to the **client** over an authenticated channel (e.g. `scp`), or simply paste the key values into the config below. Once the client has its private key, delete `client_private_key` on the server so the server does not retain a client secret.
|
|
|
|
|
|
|
|
Set the server's public address (an IP or a DNS name) in a shell variable so the config below can reference it:

```bash
server_ip='<your server public IP or hostname>'
```
|
|
|
|
|
|
|
|
echo "
|
|
|
|
[Interface]
|
|
|
|
Address = 10.0.0.2/32
|
|
|
|
PrivateKey = $(cat client_private_key)
|
|
|
|
DNS = 9.9.9.9
|
|
|
|
|
|
|
|
[Peer]
|
|
|
|
PublicKey = $(cat server_public_key)
|
|
|
|
Endpoint = $(echo $server_ip:51900)
|
|
|
|
AllowedIPs = 0.0.0.0/0, ::/0
|
|
|
|
" > /etc/wireguard/wg0-client.conf
|
|
|
|
|
|
|
|
Bring the tunnel up:

```bash
wg-quick up wg0-client
```

To start it at every boot use `systemctl enable --now wg-quick@wg0-client` instead. Verify with `wg show` (a recent "latest handshake" means the peers are talking) and, for a full tunnel, by checking your public IP.
|
|
|
|
|
|
|
|
## Extras
|
|
|
|
|
|
|
|
### Multiple Peers
|
|
|
|
|
|
|
|
Add more clients by appending one `[Peer]` section per client to `wg0.conf` (the section header is always `[Peer]`), each with that client's own public key and a unique `AllowedIPs` entry such as `10.0.0.3/32`; never reuse a key pair across clients. Because `SaveConfig = true` is set, edit the file only while the interface is down (`wg-quick down wg0` otherwise overwrites your edits), or add the peer live with `wg set wg0 peer <client-public-key> allowed-ips 10.0.0.3/32`, which `SaveConfig` then persists on shutdown.
|
|
|
|
|
|
|
|
### Make a QR Code for Mobile Users
|
|
|
|
|
|
|
|
Make a standard client configuration as above, with its own key pair, then render it as a QR code that the WireGuard mobile app can scan. The QR code contains the client's private key: display it only where nobody else can see or photograph the screen, and clear the terminal afterwards.
|
|
|
|
```bash
|
|
|
|
# Render the config as a terminal QR code (requires the qrencode package). The encoded text
# includes the private key, so treat the terminal output like the key file itself.
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf
|
|
|
|
```
|