Wireguard

From Wiki³

Introduction

As of Linux 5.6[1] WireGuard is included in the Linux kernel. Because systemd-networkd creates and configures the interface itself, the tools package only needs to be installed on a single machine, in order to generate the keys.

Wireguard Installation

Install the wireguard-tools package on the machine that will manage the entire VPN.

# pikaur -S wireguard-tools

Key Generation

Each machine (server and client alike) needs its own private and public key pair generated for it.

# wg genkey | tee privatekey | wg pubkey > publickey

A preshared key is also generated, one for each server/client connection.

# wg genpsk > preshared-server-client

Server Setup

On the server (or internet-facing machine) enable IP forwarding on boot.

# echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf

Enable IP forwarding for the running system as well.

# sudo sysctl -w net.ipv4.ip_forward=1

Systemd-Networkd

Create the WireGuard interface for systemd-networkd. The example uses a single server and a single client; specific external ports on the server are forwarded (over the WireGuard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.

filename: /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32
 
filename: /etc/systemd/network/wg0.network
[Match]
Name=wg0

[Network]
Address=10.2.0.1/32

[Route]
Gateway=10.2.0.1
Destination=10.2.0.0/24

Since these files contain private keys, restrict them so that other users cannot read them.

# sudo chown root:systemd-network /etc/systemd/network/*
# sudo chmod 640 /etc/systemd/network/*

Restart systemd-networkd in order to create the interface.

# sudo systemctl restart systemd-networkd
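The `AllowedIPs=10.2.0.2/32` line in the `[WireGuardPeer]` section does more than route: WireGuard's cryptokey routing uses each peer's AllowedIPs both to pick which peer an outbound packet is encrypted to (longest prefix wins; no match means the packet is dropped) and, inbound, to accept a decrypted packet only if its source address routes back to the peer it was authenticated from. The added example below (not code from the wiki, WireGuard or systemd) models that logic over a constructed copy of the server's wg0.netdev with the page's placeholder keys, and generalises to several peers with overlapping or comma-separated AllowedIPs.

```python
"""Cryptokey routing: what AllowedIPs= in wg0.netdev decides.

Added example for this page (not from the wiki or from WireGuard/systemd).
SERVER_NETDEV is a constructed copy of the page's server configuration
with placeholder keys; the functions model the kernel's two uses of
AllowedIPs: outbound peer selection and inbound source-address check.
"""
import ipaddress

SERVER_NETDEV = """\
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51820
PrivateKey=<PRIVATE_KEY_SERVER>

[WireGuardPeer]
PublicKey=<PUBLIC_KEY_CLIENT1>
PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
AllowedIPs=10.2.0.2/32
"""


def parse_sections(text):
    """Minimal systemd-style INI reader: list of (section, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        if not sections:
            continue                      # key before any section: ignore
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def parse_peers(netdev_text):
    """{PublicKey: [ip_network, ...]} for every [WireGuardPeer] section.
    AllowedIPs= may be repeated or comma-separated, as networkd allows."""
    peers = {}
    for name, opts in parse_sections(netdev_text):
        if name != "WireGuardPeer" or "PublicKey" not in opts:
            continue
        nets = []
        for value in opts.get("AllowedIPs", []):
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
        peers[opts["PublicKey"][-1]] = nets
    return peers


def peer_for_destination(peers, dst):
    """Outbound lookup: longest-prefix match across all peers, or None (drop)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for pubkey, nets in peers.items():
        for net in nets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = pubkey, net.prefixlen
    return best


def accepts_source(peers, pubkey, src):
    """Inbound check: a decrypted packet from `pubkey` is delivered only if
    its source address would itself be routed to `pubkey`."""
    return peer_for_destination(peers, src) == pubkey


if __name__ == "__main__":
    peers = parse_peers(SERVER_NETDEV)
    # The page's DNAT rule rewrites 80/443 traffic to 10.2.0.2; it leaves
    # through wg0 only because that address is inside client1's AllowedIPs.
    print(peer_for_destination(peers, "10.2.0.2"))   # <PUBLIC_KEY_CLIENT1>
    print(peer_for_destination(peers, "10.2.0.3"))   # None: no peer claims it
    # client1 cannot inject packets claiming to come from the server's 10.2.0.1.
    print(accepts_source(peers, "<PUBLIC_KEY_CLIENT1>", "10.2.0.1"))  # False
```

The practical consequence for this setup is that the /32 is the tightest possible grant: the client can only ever be reached as, and send as, 10.2.0.2. Widening a peer's AllowedIPs (for example to 0.0.0.0/0 on a road-warrior client) is what turns the tunnel into a default route, and on the server side it would also let that peer source traffic from any address, so keep it as narrow as the use case allows.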

Nftables

With the WireGuard interface online and accepting connections, the firewall needs to be addressed. Open the configuration for editing.

# sudoedit /etc/nftables.conf

Add a line to the input chain of your ipv4 filter table to accept UDP on the WireGuard listen port.

# allow wireguard traffic
udp dport 51820 accept

Add the ports to forward to the forward chain of your ipv4 filter table, and also allow established and related connections between the WireGuard interface and the regular ethernet interface.

chain forward {
    type filter hook forward priority 0;
    iifname "eth0" oifname "wg0" tcp dport { 80,443 } tcp flags & (fin|syn|rst|ack) \
        == syn ct state new accept;
    iifname "eth0" oifname "wg0" ct state { established,related } accept;
    iifname "wg0" oifname "eth0" ct state { established,related } accept;
    drop;
}

Create a nat table to finish the routing; keep in mind to adjust the IPs accordingly.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport { 80,443 } dnat to 10.2.0.2;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wg0" ip daddr 10.2.0.2 tcp dport { 80,443 } snat to 10.2.0.1;
        oifname "eth0" masquerade;
    }
}

Restart nftables when finished to load the new ruleset.

# sudo systemctl restart nftables

References

  1. Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
     GitHub: torvalds/linux@bd2463a