diff --git a/networking/wireguard.md b/networking/wireguard.md
new file mode 100644
index 0000000..715394f
--- /dev/null
+++ b/networking/wireguard.md
@@ -0,0 +1,83 @@
+---
+title: "wireguard"
+tags: [ "Documentation", "Networking" ]
+---
+
+
+## On Server
+
+Install `wireguard-tools` on the server.
+
+> sudo -i
+
+> cd /etc/wireguard
+
+umask 077
+
+> wg genkey | tee server_private_key | wg pubkey > server_public_key
+
+> wg genkey | tee client_private_key | wg pubkey > client_public_key
+
+ echo "
+ [Interface]
+ Address = 10.0.0.1/24
+ SaveConfig = true
+ PrivateKey = $(cat server_private_key)
+ ListenPort = 51900
+
+ PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+ [Peer]
+ PublicKey = $(cat client_public_key)
+ AllowedIPs = 10.0.0.2/32
+ " > /etc/wireguard/wg0.conf
+
+> echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/wg.conf
+
+> systemctl enable --now wg-quiqck@wg0
+
+> chown -R root:root /etc/wireguard/
+
+> chmod -R og-rwx /etc/wireguard/\*
+
+Forward traffic from port 51900 to the server.
+
+## Client
+
+Be root.
+
+Install `wireguard-tools` on the client.
+
+Copy the client private key and server public key to the server (or just fill in the variables).
+
+> server_ip=*your server's public ip*
+
+ echo "
+ [Interface]
+ Address = 10.0.0.2/32
+ PrivateKey = $(cat client_private_key)
+ DNS = 9.9.9.9
+
+ [Peer]
+ PublicKey = $(cat server_public_key)
+ Endpoint = $(echo $server_ip:51900)
+ AllowedIPs = 0.0.0.0/0, ::/0
+ " > /etc/wireguard/wg0-client.conf
+
+> wg-quick up wg0-client
+
+## Extras
+
+### Multiple Peers
+
+Add multiple peers by copying the `[peer]` section (they each get called `peer`).
+
+### Make a QR Code for Mobile Users
+
+Make a standard client configuration, then:
+
+> qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf