ArchLinux:Wireguard: Difference between revisions

From Wiki³

Revision as of 00:57, 14 May 2021

Introduction

As of Linux 5.6[1], WireGuard is included in the Linux kernel. Because systemd-networkd manages the interface itself, the tools package only needs to be installed on a single machine, in order to generate keys.

Wireguard Installation

Install the wireguard-tools package on the machine that will manage the entire VPN.

# pikaur -S wireguard-tools

Key Generation

Each machine (server & client included) will need to have a private and public key generated for it.

# wg genkey | tee privatekey | wg pubkey > publickey

A preshared key is needed for each server/client connection.

# wg genpsk > preshared-server-client
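To show what the three commands above actually produce, here is an added example (not from the wiki page and not part of wireguard-tools): a pure-Python X25519 following RFC 7748, which derives a public key from a private key the way `wg pubkey` does, plus the 32-random-byte generation behind `wg genkey` and `wg genpsk`. The Alice key pair from RFC 7748 section 6.1 is used as a published check vector (it is a test vector, not a real key); the function names are this example's own. Use the real `wg` tool for actual keys.

```python
"""What `wg genkey | tee privatekey | wg pubkey > publickey` and `wg genpsk` do.

Added example for this wiki page, not code from wireguard-tools.  A WireGuard
private key is 32 random bytes; the public key is X25519(private, 9), i.e. the
Curve25519 base point multiplied by the clamped private scalar (RFC 7748).
"""
import base64
import os

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748


def clamp(scalar: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear the low 3 bits and bit 255, set bit 254."""
    s = bytearray(scalar)
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return int.from_bytes(s, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (educational; not timing-hardened)."""
    k = clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x_2, z_2, x_3, z_3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = u * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(32)).decode()


def genpsk() -> str:
    """Equivalent of `wg genpsk`: a 32-byte symmetric key, also base64 (independent of the key pair)."""
    return base64.b64encode(os.urandom(32)).decode()


def pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: derive the base64 public key from a base64 private key."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    base_point = (9).to_bytes(32, "little")
    return base64.b64encode(x25519(priv, base_point)).decode()


def rfc7748_vector_check() -> bool:
    """Alice's key pair from RFC 7748 section 6.1 (published test vector, not a real key)."""
    priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    want = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    return pubkey(base64.b64encode(priv).decode()) == base64.b64encode(want).decode()


if __name__ == "__main__":
    server_priv = genkey()
    print("server private key:", server_priv)
    print("server public key: ", pubkey(server_priv))
    print("preshared key:     ", genpsk())
    print("RFC 7748 vector:", "ok" if rfc7748_vector_check() else "MISMATCH")
```

The practical point for this page's procedure: the `privatekey` file is nothing but 32 random bytes, so its only protection is who can read it, while `publickey` can always be recomputed from it. That is why the private key stays on the machine it belongs to (and later inside a 0640 .netdev file), whereas the public key is what you copy into the other side's `[WireGuardPeer]` section.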

Server Setup

On the server (or internet-facing machine), enable IP forwarding on boot.

# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf

Also enable IP forwarding on the running system, without waiting for a reboot.

# sudo sysctl -w net.ipv4.ip_forward=1

Systemd-Networkd

Create the WireGuard interface for systemd-networkd. The example uses a single server and a single client; specific external ports on the server are forwarded (via the WireGuard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.

filename: /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32

filename: /etc/systemd/network/wg0.network
[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24

Since these files contain the private and preshared keys, you will not want other users to be able to read them.

# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*

Restart systemd-networkd in order to create the interface.

# sudo systemctl restart systemd-networkd
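As an added example (not from the wiki page and not part of systemd or wireguard-tools), the following Python generator renders the wg0.netdev and wg0.network files shown above for one server and any number of clients, going slightly beyond the page's single client: each client gets its own /32 in `AllowedIPs`, every key is rejected unless it is a base64-encoded 32-byte value, and both files are written 0640 owned by root:systemd-network, which is what the chown/chmod step asks for. The client names and the repeated-byte keys inside `dry_run()` are constructed placeholders, and `out_dir` is this example's own parameter; run it as root with `out_dir="/etc/systemd/network"` to install for real, or anywhere else for a dry run.

```python
"""Render the wg0.netdev / wg0.network pair for one server and N clients and
apply the root:systemd-network 0640 ownership the page asks for.

Added example for this wiki page; not part of systemd or wireguard-tools.
Keys and client names used by dry_run() are constructed placeholders, not real keys.
"""
import base64
import grp
import ipaddress
import os
import stat
import tempfile


def check_key(value: str, what: str) -> str:
    """A WireGuard key (private, public or preshared) is exactly 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{what}: not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{what}: expected a 32-byte key, got {len(raw)} bytes")
    return value


def render_netdev(server_priv: str, listen_port: int, clients, subnet: str) -> str:
    """[NetDev]/[WireGuard] header plus one [WireGuardPeer] per (name, pubkey, psk).

    The server takes the first host of the subnet (.1 on the page); clients get
    .2, .3, ... as /32s, so each peer may only source traffic from its own address.
    """
    hosts = ipaddress.ip_network(subnet).hosts()
    next(hosts)  # .1 belongs to the server
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "", "[WireGuard]",
             f"ListenPort={int(listen_port)}",
             f"PrivateKey={check_key(server_priv, 'server PrivateKey')}"]
    for name, pub, psk in clients:
        lines += ["", f"# peer: {name}", "[WireGuardPeer]",
                  f"PublicKey={check_key(pub, name + ' PublicKey')}",
                  f"PresharedKey={check_key(psk, name + ' PresharedKey')}",
                  f"AllowedIPs={next(hosts)}/32"]
    return "\n".join(lines) + "\n"


def render_network(subnet: str) -> str:
    """Server address and the static route for the whole VPN subnet, as on the page."""
    net = ipaddress.ip_network(subnet)
    server_ip = next(net.hosts())
    return "\n".join(["[Match]", "Name=wg0", "", "[Network]", f"Address={server_ip}/32", "",
                      "[Route]", f"Gateway={server_ip}", f"Destination={net}"]) + "\n"


def write_protected(path: str, content: str) -> None:
    """Create the file 0640 and, when running as root, hand it to root:systemd-network."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o640)  # the mode given to os.open() is subject to the umask; force it
    if os.geteuid() == 0:
        try:
            gid = grp.getgrnam("systemd-network").gr_gid
        except KeyError:  # group missing: systemd-networkd is not installed here
            return
        os.chown(path, 0, gid)


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(path: str) -> bool:
    """True when no 'other' permission bit is set, i.e. the key-bearing file is not world-readable."""
    return file_mode(path) & 0o007 == 0


def install(out_dir: str, server_priv: str, listen_port: int, clients,
            subnet: str = "10.2.0.0/24") -> dict:
    """Write both files into out_dir (use /etc/systemd/network as root for a real install)."""
    os.makedirs(out_dir, exist_ok=True)
    paths = {}
    for name, text in (("wg0.netdev", render_netdev(server_priv, listen_port, clients, subnet)),
                       ("wg0.network", render_network(subnet))):
        paths[name] = os.path.join(out_dir, name)
        write_protected(paths[name], text)
    return paths


def dry_run(out_dir: str = "") -> dict:
    """Render into a scratch directory using constructed dummy keys (repeated bytes, not real keys)."""
    dummy = lambda b: base64.b64encode(bytes([b]) * 32).decode()
    clients = [("client1", dummy(2), dummy(3)), ("client2", dummy(4), dummy(5))]
    return install(out_dir or tempfile.mkdtemp(prefix="wg-demo-"), dummy(1), 51820, clients)


if __name__ == "__main__":
    for path in dry_run().values():
        print(f"== {path} (mode {file_mode(path):o}, world-readable: {not audit(path)})")
        print(open(path).read())
```

`audit()` is the check worth keeping around after the restart: a `.netdev` that carries `PrivateKey=` and `PresharedKey=` lines must not be readable by "other", and systemd-networkd itself only needs group read, which is exactly what root:systemd-network with 0640 provides.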

References

  1. Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (GitHub: torvalds/linux@bd2463a)