ArchLinux:Wireguard: Difference between revisions

From Wiki³
 
Latest revision as of 17:14, 17 May 2021

Introduction

As of Linux 5.6[1] WireGuard is included in the Linux kernel. Because systemd-networkd is used to configure the interface, the tools package only needs to be installed on a single machine, in order to generate keys. Because I generally use linux-hardened, WireGuard itself will need to be installed as well.

Wireguard Installation

Install the WireGuard kernel module and the tools.

# pikaur -S wireguard-dkms wireguard-tools

Key Generation

Each machine (server and clients alike) needs its own private and public key pair.

# wg genkey | tee privatekey | wg pubkey > publickey

A preshared key is needed for each server/client pair.

# wg genpsk > preshared-server-client
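The three commands above are thin wrappers around X25519 and a random-byte generator. The following pure-Python block is an added example (not code from the page or from wireguard-tools) that reproduces what they emit: a clamped 32-byte scalar for `wg genkey`, the X25519 public key for `wg pubkey`, 32 random bytes for `wg genpsk`, and a `keypair_matches` check for confirming that the `PublicKey` a peer lists really belongs to the `PrivateKey` on this machine. The ladder is transcribed from RFC 7748, so it can be checked against that RFC's test vectors. It also writes key files with an explicit 0600 mode, because `tee` creates files under the process umask (typically 022), which leaves `privatekey` readable by every local user unless `umask 077` is set beforehand; file names and the temp-directory demo are assumptions of this example.

```python
import base64
import os
import stat
import tempfile

# Curve25519 parameters from RFC 7748: the field prime and (A - 2) / 4.
P = 2**255 - 19
A24 = 121665
BASEPOINT_U = 9


def clamp(scalar: bytes) -> int:
    """Scalar clamping as done by wg genkey / wg pubkey (RFC 7748 decodeScalar25519)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(point: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate, ignoring the unused top bit."""
    u = bytearray(point)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: int, u: int) -> int:
    """Montgomery ladder scalar multiplication, transcribed from RFC 7748 section 5."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, P - 2, P) % P


def generate_private_key() -> str:
    """Like `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    raw = clamp(os.urandom(32)).to_bytes(32, "little")
    return base64.b64encode(raw).decode()


def generate_psk() -> str:
    """Like `wg genpsk`: 32 random bytes, base64-encoded (no curve structure at all)."""
    return base64.b64encode(os.urandom(32)).decode()


def public_key(private_b64: str) -> str:
    """Like `wg pubkey`: derive the X25519 public key for a base64 private key."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    pub = x25519(clamp(priv), BASEPOINT_U)
    return base64.b64encode(pub.to_bytes(32, "little")).decode()


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """Check that the PublicKey a peer lists really belongs to this machine's PrivateKey."""
    return public_key(private_b64) == public_b64


def public_key_hex(private_hex: str) -> str:
    """Hex variant of public_key(), handy for checking RFC 7748 test vectors."""
    return x25519(clamp(bytes.fromhex(private_hex)), BASEPOINT_U).to_bytes(32, "little").hex()


def shared_secret_hex(private_hex: str, peer_public_hex: str) -> str:
    """The DH value both ends derive from their own private key and the peer's public key."""
    k, u = clamp(bytes.fromhex(private_hex)), decode_u(bytes.fromhex(peer_public_hex))
    return x25519(k, u).to_bytes(32, "little").hex()


def write_secret_file(path: str, contents: str) -> int:
    """Create a key file readable only by its owner (explicit 0600, unlike tee) and return its mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def secret_file_mode_demo() -> int:
    """Write a throwaway private key into a temp dir (example only) and report the resulting mode."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_secret_file(os.path.join(tmp, "privatekey"), generate_private_key())


if __name__ == "__main__":
    server_priv = generate_private_key()
    print("server private:", server_priv)
    print("server public: ", public_key(server_priv))
    print("psk:           ", generate_psk())
```

`keypair_matches` is the check to run when a tunnel refuses to handshake: feed it the `PrivateKey` from one side's `wg0.netdev` and the `PublicKey` the other side has configured for it, and a mismatch points at a copy-and-paste error rather than at the firewall.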

Server Setup

On the server (or internet-facing machine) enable IP forwarding on boot.

# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf

Enable IP forwarding for the running system as well.

# sudo sysctl -w net.ipv4.ip_forward=1

Systemd-Networkd

Create the WireGuard interface for systemd-networkd. The example uses a single server and a single client; specific external ports on the server are forwarded (via the WireGuard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.

filename: /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32
 
filename: /etc/systemd/network/wg0.network
[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24

Since these files contain keys, you will not want other users viewing them.

# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*

Restart systemd-networkd in order to create the interface.

# sudo systemctl restart systemd-networkd

Nftables

With the WireGuard interface online and accepting connections the firewall needs to be addressed. Open up the configuration for editing.

# sudoedit /etc/nftables.conf

Add a line to the input chain of your IPv4 filter table to accept UDP traffic on the WireGuard listen port.

# allow wireguard traffic
udp dport 51820 accept

Add the ports to forward to the forward chain of your IPv4 filter table, and also allow established traffic between the WireGuard interface and the regular Ethernet interface.

chain forward {
type filter hook forward priority filter;
iifname "eth0" oifname "wg0" tcp dport { http,https } tcp flags & (fin|syn|rst|ack) \
== syn ct state new accept;
iifname "eth0" oifname "wg0" ct state { established,related } accept;
iifname "wg0" oifname "eth0" ct state { established,related } accept;
drop;
}

Create a nat table to finish the routing; adjust the IPs to match your setup.

table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
iifname "eth0" ip daddr 1.2.3.4/32 tcp dport { http,https } dnat to 10.2.0.2;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "wg0" ip daddr 10.2.0.2 tcp dport { http,https } snat to 10.2.0.1;
oifname "eth0" masquerade
}
}

Restart nftables when finished to load the new ruleset.

# sudo systemctl restart nftables

Client Setup

Setting up a client is very similar to setting up a server, except that only the systemd-networkd portion is needed.

filename: /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=<PRIVATE_KEY_CLIENT1>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_SERVER>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.0/24
Endpoint=server.hostname.com:51820
PersistentKeepalive=25
 
filename: /etc/systemd/network/wg0.network
[Match]
Name=wg0

[Network]
Address=10.2.0.2/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24
GatewayOnlink=true

Since these files contain keys, you will not want other users viewing them.

# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*

Restart systemd-networkd in order to create the interface.

# sudo systemctl restart systemd-networkd

Provided everything went well, the client should now be connected to the server over WireGuard.
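The server and client unit files above follow one pattern: the server holds one `[WireGuardPeer]` per client with a /32 in `AllowedIPs`, each client holds the server as its only peer and lets it send the whole 10.2.0.0/24, and the `.network` files give each side a /32 plus a route for the subnet (with `GatewayOnlink=true` on the client, since 10.2.0.1 lies outside its /32). The block below is an added example, not the page's or systemd's own code, that renders both sets of files from a list of clients so the pattern scales past one client, checks the planned tunnel addresses first, and writes the results with the page's `root:systemd-network` 0640 permissions. The address check matters because WireGuard routes by `AllowedIPs`: if two peers on the server are given the same /32, the kernel keeps it for whichever peer was configured last and the other client silently stops working. Client names, the placeholder key strings and the output path are assumptions of this example.

```python
import ipaddress
import os
import shutil
from dataclasses import dataclass

# Constructed values for the page's example topology; real deployments substitute
# the keys produced by `wg genkey`, `wg pubkey` and `wg genpsk`.
VPN_NETWORK = ipaddress.ip_network("10.2.0.0/24")
SERVER_ADDRESS = "10.2.0.1"
SERVER_ENDPOINT = "server.hostname.com:51820"
LISTEN_PORT = 51820


@dataclass
class Client:
    name: str
    public_key: str     # the client's `wg pubkey` output (base64)
    preshared_key: str  # one `wg genpsk` output per server/client pair (base64)
    address: str        # tunnel address handed to this client, e.g. "10.2.0.2"


def check_addresses(clients):
    """Return a list of problems with the planned tunnel addresses (duplicates,
    addresses outside the VPN subnet, collisions with the server's own address)."""
    problems, seen = [], {}
    for c in clients:
        if ipaddress.ip_address(c.address) not in VPN_NETWORK:
            problems.append(f"{c.name}: {c.address} is outside {VPN_NETWORK}")
        if c.address == SERVER_ADDRESS:
            problems.append(f"{c.name}: {c.address} collides with the server address")
        if c.address in seen:
            problems.append(f"{c.name}: {c.address} already assigned to {seen[c.address]}")
        seen.setdefault(c.address, c.name)
    return problems


def server_netdev(server_private_key, clients):
    """wg0.netdev for the server: one [WireGuardPeer] per client, AllowedIPs as a /32."""
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "",
             "[WireGuard]", f"ListenPort={LISTEN_PORT}", f"PrivateKey={server_private_key}"]
    for c in clients:
        lines += ["", "[WireGuardPeer]", f"PublicKey={c.public_key}",
                  f"PresharedKey={c.preshared_key}", f"AllowedIPs={c.address}/32"]
    return "\n".join(lines) + "\n"


def client_netdev(client_private_key, server_public_key, client):
    """wg0.netdev for a client: the server is its only peer and may send the whole VPN subnet."""
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "",
             "[WireGuard]", f"PrivateKey={client_private_key}", "",
             "[WireGuardPeer]", f"PublicKey={server_public_key}",
             f"PresharedKey={client.preshared_key}", f"AllowedIPs={VPN_NETWORK}",
             f"Endpoint={SERVER_ENDPOINT}", "PersistentKeepalive=25"]
    return "\n".join(lines) + "\n"


def network_file(address, gateway_onlink):
    """wg0.network: a /32 on the interface plus a route for the VPN subnet via the server."""
    lines = ["[Match]", "Name=wg0", "", "[Network]", f"Address={address}/32", "",
             "[Route]", f"Gateway={SERVER_ADDRESS}", f"Destination={VPN_NETWORK}"]
    if gateway_onlink:  # clients need this: 10.2.0.1 is not inside their /32
        lines.append("GatewayOnlink=true")
    return "\n".join(lines) + "\n"


def write_config(path, text):
    """Write a unit with the page's permissions (root:systemd-network, 0640); return the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o640)  # tighten a pre-existing file that had looser bits
    if os.geteuid() == 0:  # chown needs root; skipped in an unprivileged dry run
        shutil.chown(path, "root", "systemd-network")
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    clients = [Client("client1", "<PUBLIC_KEY_CLIENT1>", "<PRESHARED_KEY_SERVER_CLIENT1>", "10.2.0.2")]
    for problem in check_addresses(clients):
        raise SystemExit(problem)
    print(server_netdev("<PRIVATE_KEY_SERVER>", clients))
    print(client_netdev("<PRIVATE_KEY_CLIENT1>", "<PUBLIC_KEY_SERVER>", clients[0]))
    print(network_file(SERVER_ADDRESS, gateway_onlink=False))
```

Run it as root with the real keys and pass `/etc/systemd/network/wg0.netdev` and `wg0.network` to `write_config`, then restart `systemd-networkd` as described above; run `check_addresses` before every change so a duplicated /32 is caught before it reaches the kernel.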

References

  1. Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (GitHub: torvalds/linux@bd2463a)