ArchLinux:Wireguard: Difference between revisions
Latest revision as of 16:14, 17 May 2021
Introduction
As of Linux 5.6[1] wireguard is included in the Linux kernel. Because systemd-networkd manages the interface, the wireguard-tools package only needs to be installed on a single machine in order to generate keys. Because I generally use linux-hardened, wireguard will need to be installed.
Wireguard Installation
Install the wireguard packages (the wireguard-dkms kernel module and the wireguard-tools userspace tools).
# pikaur -S wireguard-dkms wireguard-tools
Key Generation
Each machine (server & client included) will need to have a private and public key generated for it.
# wg genkey | tee privatekey | wg pubkey > publickey
A preshared key is needed for each connection.
# wg genpsk > preshared-server-client
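What the three commands above produce, as an added illustration that is not part of this page or of wireguard-tools: a WireGuard key is 32 bytes, base64-encoded; the public key is X25519 (RFC 7748) of the clamped private key and the base point 9, which is exactly the computation `wg pubkey` performs; and the preshared key is 32 independent random bytes with no curve structure at all. The ladder below is the RFC's reference algorithm written with Python integers, so it is not constant-time and is meant for checking and understanding keys offline, not for producing production keys. The function names (`wg_genkey`, `wg_pubkey`, `wg_genpsk`, `is_wg_key`) are this example's own.

```python
import base64
import secrets

P = 2**255 - 19      # prime field of Curve25519
A24 = 121665         # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT_U = 9      # u-coordinate of the generator; `wg pubkey` multiplies by this


def clamp_scalar(raw: bytes) -> int:
    """Curve25519 clamping: `wg genkey` applies it to its random bytes, and
    every X25519 implementation applies it again before the scalar multiply."""
    k = bytearray(raw)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (reference form, not constant-time)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519_bytes(scalar: bytes, u: bytes) -> bytes:
    """Byte-oriented X25519 as in RFC 7748: clamp the scalar, mask the top bit of u."""
    u_int = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return x25519(clamp_scalar(scalar), u_int).to_bytes(32, "little")


def wg_genkey() -> str:
    """Same construction as `wg genkey`: 32 random bytes, clamped, base64."""
    raw = clamp_scalar(secrets.token_bytes(32)).to_bytes(32, "little")
    return base64.b64encode(raw).decode()


def wg_genpsk() -> str:
    """Same construction as `wg genpsk`: 32 random bytes, no clamping (not a scalar)."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Same computation as `wg pubkey`: X25519(private, 9), base64 in and base64 out."""
    raw = base64.b64decode(private_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    pub = x25519_bytes(raw, BASEPOINT_U.to_bytes(32, "little"))
    return base64.b64encode(pub).decode()


def is_wg_key(text: str) -> bool:
    """Sanity check for a key file or a PrivateKey= value: valid base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(text.strip(), validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


if __name__ == "__main__":
    priv = wg_genkey()
    print("PrivateKey   =", priv)
    print("PublicKey    =", wg_pubkey(priv))
    print("PresharedKey =", wg_genpsk())
```

One practical use of `wg_pubkey` is auditing: given the PrivateKey= from a .netdev file, it recomputes the public key that should appear in the peer's [WireGuardPeer] section, so a mismatched or stale PublicKey= can be found without touching the live interface.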
Server Setup
On the server (or internet facing machine) enable IP forwarding on boot.
# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf
Enable IP forwarding currently as well.
# sudo sysctl -w net.ipv4.ip_forward=1
Systemd-Networkd
Create the wireguard interface for systemd-networkd. The example uses a single server and a single client; specific external ports on the server are forwarded (via the wireguard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.
/etc/systemd/network/wg0.netdev:
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32

/etc/systemd/network/wg0.network:
[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24
Since these files contain keys, you will not want other users viewing them.
# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*
Restart systemd-networkd in order to create the interface.
# sudo systemctl restart systemd-networkd
Nftables
With the WireGuard interface online and accepting connections the firewall needs to be addressed. Open up the configuration for editing.
# sudoedit /etc/nftables.conf
Add a line to the chain input of your ipv4 filter to accept UDP traffic on the wireguard listen port (51820).
# allow wireguard traffic
udp dport 51820 accept
Add the ports to forward to the chain forward of your ipv4 filter, and allow established and related traffic in both directions between the wireguard interface and the regular ethernet interface. Only a proper SYN (flags check) may open a new forwarded connection.
chain forward {
    type filter hook forward priority filter;
    iifname "eth0" oifname "wg0" tcp dport { http,https } tcp flags & (fin|syn|rst|ack) \
        == syn ct state new accept;
    iifname "eth0" oifname "wg0" ct state { established,related } accept;
    iifname "wg0" oifname "eth0" ct state { established,related } accept;
    drop;
}
Create a nat table to finish the routing; adjust the IPs (the public address 1.2.3.4 and the tunnel addresses) to match your setup.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" ip daddr 1.2.3.4/32 tcp dport { http,https } dnat to 10.2.0.2;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wg0" ip daddr 10.2.0.2 tcp dport { http,https } snat to 10.2.0.1;
        oifname "eth0" masquerade
    }
}
Restart nftables when finished to load the new ruleset.
# sudo systemctl restart nftables
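To see what these rules do to a packet before restarting nftables, here is an added Python model (not part of this page or of nftables) that walks the first packet of a connection through the prerouting dnat, the routing decision, the forward chain and the postrouting snat, using the addresses and ports from the ruleset above. The `Packet` class, the `trace()` function and the sample packets are constructed for this illustration; reply packets are not modelled because conntrack un-NATs them automatically and they only need the established/related rules. A small hook-name check is included as well, since a misspelled hook name (for instance `preroutring` instead of `prerouting`) is only rejected by nft when the ruleset is loaded, i.e. at the restart.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Values taken from the ruleset on this page.
EXTERNAL_IP = "1.2.3.4"            # ip daddr matched in chain prerouting
CLIENT_WG_IP = "10.2.0.2"          # dnat target (the client's wg0 address)
SERVER_WG_IP = "10.2.0.1"          # snat source on wg0 (the server's wg0 address)
WG_NET = ipaddress.ip_network("10.2.0.0/24")
FORWARDED_PORTS = {80, 443}        # tcp dport { http, https }
ESTABLISHED = {"established", "related"}


@dataclass(frozen=True)
class Packet:
    iif: str          # interface the packet arrived on
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn_only: bool    # tcp flags & (fin|syn|rst|ack) == syn
    ct_state: str     # "new", "established" or "related"
    oif: str = ""     # filled in by route()


def prerouting(pkt: Packet) -> Packet:
    """table ip nat, chain prerouting: rewrite the public address to the client."""
    if (pkt.iif == "eth0" and pkt.dst == EXTERNAL_IP and pkt.proto == "tcp"
            and pkt.dport in FORWARDED_PORTS):
        return replace(pkt, dst=CLIENT_WG_IP)
    return pkt


def route(pkt: Packet) -> Packet:
    """Routing decision after prerouting: the tunnel /24 goes via wg0, all else via eth0."""
    via_wg = ipaddress.ip_address(pkt.dst) in WG_NET
    return replace(pkt, oif="wg0" if via_wg else "eth0")


def forward(pkt: Packet) -> str:
    """table ip filter, chain forward: first matching rule wins, the final rule is drop."""
    if (pkt.iif == "eth0" and pkt.oif == "wg0" and pkt.proto == "tcp"
            and pkt.dport in FORWARDED_PORTS and pkt.syn_only and pkt.ct_state == "new"):
        return "accept"
    if pkt.iif == "eth0" and pkt.oif == "wg0" and pkt.ct_state in ESTABLISHED:
        return "accept"
    if pkt.iif == "wg0" and pkt.oif == "eth0" and pkt.ct_state in ESTABLISHED:
        return "accept"
    return "drop"


def postrouting(pkt: Packet) -> Packet:
    """table ip nat, chain postrouting, original direction only."""
    if (pkt.oif == "wg0" and pkt.dst == CLIENT_WG_IP and pkt.proto == "tcp"
            and pkt.dport in FORWARDED_PORTS):
        return replace(pkt, src=SERVER_WG_IP)   # the client sees the server as the peer
    if pkt.oif == "eth0":
        return replace(pkt, src=EXTERNAL_IP)    # masquerade: source becomes eth0's address
    return pkt


def trace(pkt: Packet) -> tuple:
    """Walk a connection's first packet through prerouting, routing, forward, postrouting."""
    pkt = route(prerouting(pkt))
    verdict = forward(pkt)
    if verdict != "accept":
        return verdict, pkt
    return verdict, postrouting(pkt)


VALID_HOOKS = {"prerouting", "input", "forward", "output", "postrouting", "ingress"}


def unknown_hooks(ruleset: str) -> list:
    """Hook names in 'type <kind> hook <name>' lines that nft would reject at load time."""
    return [h for h in re.findall(r"\btype\s+\w+\s+hook\s+(\w+)", ruleset)
            if h not in VALID_HOOKS]


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
    samples = {
        "inbound https SYN": Packet("eth0", "tcp", "203.0.113.7", EXTERNAL_IP, 443, True, "new"),
        "inbound https ACK-only": Packet("eth0", "tcp", "203.0.113.7", EXTERNAL_IP, 443, False, "new"),
        "client opening outbound": Packet("wg0", "tcp", CLIENT_WG_IP, "198.51.100.9", 443, True, "new"),
    }
    for label, pkt in samples.items():
        verdict, out = trace(pkt)
        print(f"{label:26} -> {verdict:6} oif={out.oif} src={out.src} dst={out.dst}")
```

The trace makes two consequences of the rules visible. The snat to 10.2.0.1 means the client sees the server as the TCP peer; that matters because the client's AllowedIPs and its route only cover 10.2.0.0/24, so a reply addressed to the real internet source would never be sent back through wg0. And a new connection initiated by the client towards the internet (iifname wg0, oifname eth0, ct state new) matches no accept rule and hits the final drop, so this ruleset publishes ports to the client without turning the server into a general gateway for it; if that is wanted, it needs an explicit rule.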
Client Setup
Setting up a client is very similar to setting up a server, except that only the systemd-networkd portion is needed.
/etc/systemd/network/wg0.netdev:
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=<PRIVATE_KEY_CLIENT1>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_SERVER>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.0/24
Endpoint=server.hostname.com:51820
PersistentKeepalive=25

/etc/systemd/network/wg0.network:
[Match]
Name=wg0

[Network]
Address=10.2.0.2/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24
GatewayOnlink=true
Since these files contain keys, you will not want other users viewing them.
# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*
Restart systemd-networkd in order to create the interface.
# sudo systemctl restart systemd-networkd
Provided everything went well, the client should now be connected to the server over wireguard.
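As an added illustration covering both the server and the client setup above (not code from this page or from systemd), the following Python renders the four unit files from one description of the topology and writes them with the 0640 root:systemd-network permissions the chown/chmod steps establish. Generating them together keeps the two sides consistent: the server gets one [WireGuardPeer] per client limited to that client's /32, while each client gets the whole 10.2.0.0/24 via the server peer, an Endpoint and a PersistentKeepalive. The `render_site()` and `write_unit()` helpers, the `world_readable()` audit and the placeholder key strings are constructed for this example; real keys come from `wg genkey` and `wg genpsk`.

```python
import os
import shutil
import stat
from pathlib import Path

WG_NET = "10.2.0.0/24"
SERVER_WG_IP = "10.2.0.1"
LISTEN_PORT = 51820
KEEPALIVE = 25


def server_netdev(server_private_key: str, clients: list) -> str:
    """[NetDev] for the server: one [WireGuardPeer] per client, each limited to its /32."""
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "",
             "[WireGuard]", f"ListenPort={LISTEN_PORT}", f"PrivateKey={server_private_key}"]
    for c in clients:
        lines += ["", "[WireGuardPeer]", f"PublicKey={c['public_key']}",
                  f"PresharedKey={c['psk']}", f"AllowedIPs={c['ip']}/32"]
    return "\n".join(lines) + "\n"


def client_netdev(client_private_key: str, server_public_key: str, psk: str, endpoint: str) -> str:
    """[NetDev] for a client: the whole tunnel /24 is reachable through the server peer."""
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "",
             "[WireGuard]", f"PrivateKey={client_private_key}", "",
             "[WireGuardPeer]", f"PublicKey={server_public_key}", f"PresharedKey={psk}",
             f"AllowedIPs={WG_NET}", f"Endpoint={endpoint}:{LISTEN_PORT}",
             f"PersistentKeepalive={KEEPALIVE}"]
    return "\n".join(lines) + "\n"


def wg_network(address: str, onlink: bool) -> str:
    """[Network] unit: a /32 on wg0 plus a route for the tunnel /24 via the server address."""
    lines = ["[Match]", "Name=wg0", "", "[Network]", f"Address={address}/32", "",
             "[Route]", f"Gateway={SERVER_WG_IP}", f"Destination={WG_NET}"]
    if onlink:
        lines.append("GatewayOnlink=true")   # gateway is only reachable through the tunnel itself
    return "\n".join(lines) + "\n"


def render_site(server_key: str, server_pub: str, clients: list, endpoint: str) -> dict:
    """All unit files for the topology, keyed by host name, ready for write_unit().
    Assumes one administrator generates every key; otherwise only public keys cross hosts."""
    files = {"server": {"wg0.netdev": server_netdev(server_key, clients),
                        "wg0.network": wg_network(SERVER_WG_IP, onlink=False)}}
    for c in clients:
        files[c["name"]] = {
            "wg0.netdev": client_netdev(c["private_key"], server_pub, c["psk"], endpoint),
            "wg0.network": wg_network(c["ip"], onlink=True)}
    return files


def write_unit(path: Path, content: str, group: str = "systemd-network") -> None:
    """Create the file as 0640 from the start (never world-readable, even briefly), then chown."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o640)                      # the O_CREAT mode is subject to umask; enforce it
    try:
        shutil.chown(path, "root", group)      # needs root and an existing group
    except (LookupError, PermissionError):
        pass                                   # e.g. rendering unprivileged into a scratch directory


def world_readable(directory: Path) -> list:
    """Files in the directory that other users can read (what the chmod 640 step prevents)."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and p.stat().st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Placeholder keys, constructed for the example; substitute wg genkey / wg genpsk output.
    clients = [{"name": "client1", "ip": "10.2.0.2",
                "public_key": "<PUBLIC_KEY_CLIENT1>", "private_key": "<PRIVATE_KEY_CLIENT1>",
                "psk": "<PRESHARED_KEY_SERVER_CLIENT1>"}]
    site = render_site("<PRIVATE_KEY_SERVER>", "<PUBLIC_KEY_SERVER>", clients, "server.hostname.com")
    for host, units in site.items():
        for name, content in units.items():
            print(f"--- {host}: /etc/systemd/network/{name}\n{content}")
```

Running it as a non-root user renders the files into whatever directory is passed to `write_unit()` with the chown silently skipped; on the server itself the files belong under /etc/systemd/network/ and `world_readable()` should come back empty before systemd-networkd is restarted.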
References
[1] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (GitHub: torvalds/linux@bd2463a)