ArchLinux:Wireguard: Difference between revisions

From Wiki³
Line 26: Line 26:
Restart {{mono|systemd-networkd}} in order to create the interface.
Restart {{mono|systemd-networkd}} in order to create the interface.
{{Console|1=sudo systemctl restart systemd-networkd}}
{{Console|1=sudo systemctl restart systemd-networkd}}
== {{Icon|notebook}} Nftables ==
With the WireGuard interface online and accepting connections the firewall needs to be addressed. Open up the configuration for editing.
{{Console|1=sudoedit /etc/nftables.conf}}
Add a line to the {{mono|chain input}} for your ipv4 filter to accept udp connections.
{{Console|prompt=false|# allow wireguard traffic<br/>udp dport 51820 accept}}


= {{Icon24|sitemap}} References =
= {{Icon24|sitemap}} References =

Revision as of 02:03, 14 May 2021

Icon Introduction

As of Linux 5.6[1] wireguard is included in the Linux kernel. Due to the use of Systemd, installation of the tools package will only be required on a single machines in order to generate keys.

Icon Wireguard Installation

Install the wireguard-tools package on the machine that will manage the entire VPN.

# pikaur -S wireguard-tools

Icon Key Generation

Each machine (server & client included) will need to have a private and public key generated for it.

# wg genkey | tee privatekey | wg pubkey > publickey

A preshared key is needed for each connection.

# wg genpsk > preshared-server-client

Icon Server Setup

On the server (or internet facing machine) enable IP forwarding on boot.

# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf

Enable IP forwarding currently as well.

# sudo sysctl -w net.ipv4.ip_forward=1

Icon Systemd-Networkd

Create the wireguard interface for systemd-networkd. The example uses a single server and a single client, specific external ports on the server are being forwarded (via the wireguard network) to the client. Your IPs may vary, for this setup the 10.2.0.0/24 network is being used.

filename: /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32
 
filename: /etc/systemd/networkd/wg0.network
[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24

Since these files contain keys, you will not want other users viewing them.

# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*

Restart systemd-networkd in order to create the interface.

# sudo systemctl restart systemd-networkd

Icon Nftables

With the WireGuard interface online and accepting connections the firewall needs to be addressed. Open up the configuration for editing.

# sudoedit /etc/nftables.conf

Add a line to the chain input for your ipv4 filter to accept udp connections.

# allow wireguard traffic
udp dport 51820 accept

Icon References

  1. ^ Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
    Github: torvalds/linux@bd2463a