ArchLinux:Wireguard: Difference between revisions
Revision as of 02:03, 14 May 2021
Introduction
As of Linux 5.6[1] WireGuard is included in the Linux kernel. Because the interface is managed through systemd-networkd, the wireguard-tools package is only needed on a single machine, where it is used to generate the keys.
Wireguard Installation
Install the wireguard-tools package on the machine that will manage the entire VPN.
# pikaur -S wireguard-tools
Key Generation
Each machine (server & client included) will need to have a private and public key generated for it.
# wg genkey | tee privatekey | wg pubkey > publickey
A preshared key is needed for each connection.
# wg genpsk > preshared-server-client
Server Setup
On the server (or internet facing machine) enable IP forwarding on boot.
# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf
Enable IP forwarding for the running system as well.
# sudo sysctl -w net.ipv4.ip_forward=1
Systemd-Networkd
Create the WireGuard interface for systemd-networkd. The example uses a single server and a single client; specific external ports on the server are forwarded (over the WireGuard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.
The [NetDev], [WireGuard] and [WireGuardPeer] sections belong in a .netdev unit under /etc/systemd/network/ (the file name is your choice, for example wg0.netdev):

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32

The matching .network unit (for example wg0.network) assigns the server's address and the route for the VPN subnet:

[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24
Since these files contain keys, you will not want other users viewing them.
# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*
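As an added worked example (not part of the wiki page), the following Python script validates the keys and AllowedIPs and then writes the two systemd-networkd units above with the 0640 mode the page asks for, so the private key never sits in a world-readable file. The file names wg0.netdev and wg0.network, the helper names and the placeholder keys (base64 of fixed bytes, not real keys; on a real host use `wg genkey` and `wg genpsk`) are this example's own assumptions.

```python
import base64
import ipaddress
import os
import tempfile
from pathlib import Path

# Values taken from the page: VPN subnet, server address and listen port.
VPN_NET = ipaddress.ip_network("10.2.0.0/24")
SERVER_ADDRESS = "10.2.0.1/32"
LISTEN_PORT = 51820

# Constructed placeholder keys (32 known bytes, base64 encoded) so the example
# runs offline. They are NOT real keys; generate real ones with wg genkey/genpsk.
PLACEHOLDER_SERVER_PRIVATE = base64.b64encode(bytes(range(0, 32))).decode()
PLACEHOLDER_CLIENT_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()
PLACEHOLDER_PSK = base64.b64encode(bytes(range(64, 96))).decode()

CLIENT1 = {
    "public_key": PLACEHOLDER_CLIENT_PUBLIC,
    "preshared_key": PLACEHOLDER_PSK,
    "allowed_ips": "10.2.0.2/32",
}


def key_ok(b64key: str) -> bool:
    """A WireGuard private, public or preshared key is 32 raw bytes in base64."""
    try:
        return len(base64.b64decode(b64key, validate=True)) == 32
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False


def peers_ok(peers) -> bool:
    """AllowedIPs must lie inside the VPN subnet and must not overlap between
    peers: an overlapping prefix is simply moved to the peer configured last,
    with no error, so a typo silently reroutes another client's traffic."""
    seen = []
    for peer in peers:
        try:
            net = ipaddress.ip_network(peer["allowed_ips"], strict=True)
        except ValueError:
            return False
        if net.version != VPN_NET.version or not net.subnet_of(VPN_NET):
            return False
        if any(net.overlaps(other) for other in seen):
            return False
        seen.append(net)
    return True


def render_netdev(server_private: str, peers) -> str:
    """The [NetDev]/[WireGuard]/[WireGuardPeer] sections from the page."""
    lines = ["[NetDev]", "Name=wg0", "Kind=wireguard", "",
             "[WireGuard]", f"ListenPort={LISTEN_PORT}", f"PrivateKey={server_private}"]
    for peer in peers:
        lines += ["", "[WireGuardPeer]",
                  f"PublicKey={peer['public_key']}",
                  f"PresharedKey={peer['preshared_key']}",
                  f"AllowedIPs={peer['allowed_ips']}"]
    return "\n".join(lines) + "\n"


def render_network() -> str:
    """The [Match]/[Network]/[Route] sections from the page."""
    gateway = SERVER_ADDRESS.split("/")[0]
    return (f"[Match]\nName=wg0\n\n[Network]\nAddress={SERVER_ADDRESS}\n\n"
            f"[Route]\nGateway={gateway}\nDestination={VPN_NET}\n")


def write_units(directory: str, server_private: str, peers) -> tuple:
    """Validate inputs, then write wg0.netdev and wg0.network (names chosen by
    this example) with mode 0640. The page additionally chowns the files to
    root:systemd-network; that needs root and is left to the administrator."""
    if not key_ok(server_private):
        raise ValueError("server private key is not a 32-byte base64 key")
    for peer in peers:
        if not (key_ok(peer["public_key"]) and key_ok(peer["preshared_key"])):
            raise ValueError("peer key is not a 32-byte base64 key")
    if not peers_ok(peers):
        raise ValueError(f"AllowedIPs invalid, outside {VPN_NET} or overlapping")
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = (out / "wg0.netdev", out / "wg0.network")
    texts = (render_netdev(server_private, peers), render_network())
    for path, text in zip(paths, texts):
        # Create the file with 0640 from the start, not after the key is written.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o640)  # override a permissive umask
    return paths


def demo() -> tuple:
    """Write the page's single-server, single-client setup into a temp dir."""
    return write_units(tempfile.mkdtemp(), PLACEHOLDER_SERVER_PRIVATE, [CLIENT1])


if __name__ == "__main__":
    for path in demo():
        print(f"--- {path} (mode {oct(path.stat().st_mode & 0o777)})")
        print(path.read_text(), end="")
```

Point `write_units` at /etc/systemd/network as root to produce the real units; `demo()` only writes to a temporary directory.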
Restart systemd-networkd in order to create the interface.
# sudo systemctl restart systemd-networkd
Nftables
With the WireGuard interface online and accepting connections the firewall needs to be addressed. Open up the configuration for editing.
# sudoedit /etc/nftables.conf
Add a rule to the input chain of your IPv4 filter table to accept UDP on the WireGuard port.
# allow wireguard traffic
udp dport 51820 accept
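As an added example (not part of the wiki page), this Python script checks an nftables.conf for the rule above: it tracks the table/chain nesting by braces, collects the statements of the input chain and reports whether the WireGuard UDP port is accepted and what the chain's policy is. With a drop policy and no accept rule, handshakes are dropped silently, which is the symptom to look for when the tunnel never comes up. The sample configuration and the table name `ip filter` are constructed assumptions for this example.

```python
import re

# Constructed sample in the usual nftables.conf layout, with the page's rule
# added to the input chain of an IPv4 filter table (names are assumptions).
SAMPLE_CONF = """\
#!/usr/bin/nft -f
flush ruleset

table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    iif lo accept
    # allow wireguard traffic
    udp dport 51820 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
"""


def parse_chains(conf: str) -> dict:
    """Map (table, chain) -> list of statements, tracking nesting by braces.
    Comments are stripped first; a line ending in '{' opens a block and a
    bare '}' closes it, which covers the one-statement-per-line layout."""
    chains = {}
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if len(stack) == 2:
                chains[(stack[0], stack[1])] = []
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if len(stack) == 2:  # inside a chain: split "a; b;" into statements
            for stmt in line.split(";"):
                stmt = stmt.strip()
                if stmt:
                    chains[(stack[0], stack[1])].append(stmt)
    return chains


def input_rules(conf: str, table: str = "ip filter") -> list:
    """Statements of the input chain of the given table (empty if absent)."""
    return parse_chains(conf).get((f"table {table}", "chain input"), [])


def input_policy(conf: str, table: str = "ip filter"):
    """The input chain's policy ('drop' or 'accept'), or None if not set."""
    for stmt in input_rules(conf, table):
        match = re.match(r"policy\s+(\w+)", stmt)
        if match:
            return match.group(1)
    return None


def wireguard_allowed(conf: str, table: str = "ip filter", port: int = 51820) -> bool:
    """True if the input chain contains 'udp dport <port> accept'."""
    wanted = ["udp", "dport", str(port), "accept"]
    return any(stmt.split() == wanted for stmt in input_rules(conf, table))


def report(conf: str, table: str = "ip filter", port: int = 51820) -> str:
    """One-line verdict a defender can read at a glance."""
    policy = input_policy(conf, table)
    if wireguard_allowed(conf, table, port):
        return f"ok: udp/{port} accepted in {table} input (policy {policy})"
    if policy == "drop":
        return f"problem: udp/{port} not accepted and {table} input policy is drop"
    return f"note: udp/{port} not explicitly accepted in {table} input (policy {policy})"


if __name__ == "__main__":
    print(report(SAMPLE_CONF))
    print(report(SAMPLE_CONF.replace("udp dport 51820 accept", "")))
```

Run it against the real file with `report(open("/etc/nftables.conf").read())`; the parser only understands the block layout shown, so a heavily one-lined ruleset should be checked with `nft list ruleset` instead.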
References
[1] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (GitHub: torvalds/linux@bd2463a)