Wireguard
 Introduction
As of Linux 5.6[1] WireGuard is included in the Linux kernel. Because systemd-networkd manages the interface, the wireguard-tools package only needs to be installed on a single machine, in order to generate keys. Because I generally use linux-hardened, the wireguard kernel module still needs to be installed.
 Wireguard Installation
Install the wireguard kernel module if needed (do this on all servers and clients).
    # pikaur -S wireguard-dkms
Install the wireguard-tools package on the machine that will manage the entire VPN.
    # pikaur -S wireguard-tools
 Key Generation
Each machine (server and client alike) needs its own private and public key pair.
    # wg genkey | tee privatekey | wg pubkey > publickey
A preshared key is needed for each connection.
    # wg genpsk > preshared-server-client
 Server Setup
On the server (or internet facing machine) enable IP forwarding on boot.
    # echo "net.ipv4.ip_forward=1" | sudo tee --append /etc/sysctl.d/50-security.conf
Enable IP forwarding for the running system as well, so a reboot is not needed.
    # sudo sysctl -w net.ipv4.ip_forward=1
 Systemd-Networkd
Create the wireguard interface for systemd-networkd with a .netdev file and a matching .network file in /etc/systemd/network/. The example uses a single server and a single client; specific external ports on the server are forwarded (over the wireguard network) to the client. Your IPs may vary; this setup uses the 10.2.0.0/24 network.
    [NetDev]
    Name=wg0
    Kind=wireguard

    [WireGuard]
    ListenPort=51820
    PrivateKey=<PRIVATE_KEY_SERVER>

    [WireGuardPeer]
    PublicKey=<PUBLIC_KEY_CLIENT1>
    PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
    AllowedIPs=10.2.0.2/32

    [Match]
    Name=wg0

    [Network]
    Address=10.2.0.1/32

    [Route]
    Gateway=10.2.0.1
    Destination=10.2.0.0/24
Since these files contain private keys, you will not want other users reading them.
    # sudo chown root:systemd-network /etc/systemd/network/*
    # sudo chmod 640 /etc/systemd/network/*
Restart systemd-networkd in order to create the interface.
    # sudo systemctl restart systemd-networkd
 Nftables
With the wireguard interface online and accepting connections, the firewall needs to be addressed. Open the configuration for editing.
    # sudoedit /etc/nftables.conf
Add a line to the input chain of your ipv4 filter to accept UDP connections on the wireguard listen port.
    # allow wireguard traffic
    udp dport 51820 accept
Add the forwarded ports to the forward chain of your ipv4 filter, and also allow established connections between the wireguard interface and the regular ethernet interface. Only new TCP connections (SYN only) to the forwarded ports are accepted from eth0 towards wg0; everything else not part of an existing connection is dropped.
    chain forward {
        type filter hook forward priority filter;
        iifname "eth0" oifname "wg0" tcp dport { 80, 443 } tcp flags & (fin|syn|rst|ack) == syn ct state new accept
        iifname "eth0" oifname "wg0" ct state { established, related } accept
        iifname "wg0" oifname "eth0" ct state { established, related } accept
        drop
    }
Create a nat table to finish the routing; adjust the IPs accordingly. Incoming traffic on the forwarded ports is DNATed to the client, and SNATed to the server's wireguard address so the client's replies return through the tunnel.
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            iifname "eth0" tcp dport { 80, 443 } dnat to 10.2.0.2
        }
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oifname "wg0" ip daddr 10.2.0.2 tcp dport { 80, 443 } snat to 10.2.0.1
            oifname "eth0" masquerade
        }
    }
Restart nftables when finished to load the new ruleset.
    # sudo systemctl restart nftables
 Client Setup
Setting up a client is very similar to setting up a server, except that only the systemd-networkd portion is needed.
    [NetDev]
    Name=wg0
    Kind=wireguard

    [WireGuard]
    PrivateKey=<PRIVATE_KEY_CLIENT1>

    [WireGuardPeer]
    PublicKey=<PUBLIC_KEY_SERVER>
    PresharedKey=<PRESHARED_KEY_SERVER_CLIENT1>
    AllowedIPs=10.2.0.0/24
    Endpoint=server.hostname.com:51820
    PersistentKeepalive=25

    [Match]
    Name=wg0

    [Network]
    Address=10.2.0.2/32

    [Route]
    Gateway=10.2.0.1
    Destination=10.2.0.0/24
    GatewayOnlink=true
Since these files contain private keys, you will not want other users reading them.
    # sudo chown root:systemd-network /etc/systemd/network/*
    # sudo chmod 640 /etc/systemd/network/*
Restart systemd-networkd in order to create the interface.
    # sudo systemctl restart systemd-networkd
Provided everything went well, the client should now be connected to the server over wireguard.
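The two hand-written unit files above cover one server and one client. As an added example (not part of the original page), the script below generalises them to one server and N clients: it renders the .netdev and .network files from the key files produced in the Key Generation section and installs them with the ownership and mode used above. The per-client file names (publickey-client1, preshared-server-client1, ...) and the install_unit helper are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: render the systemd-networkd
# WireGuard units for one server and N clients on the page's 10.2.0.0/24
# network. Keys are read from the files `wg genkey`/`wg genpsk` wrote, so
# no secret ever appears on a command line or in shell history.
set -eu
NET_PREFIX=10.2.0                           # matches the page's 10.2.0.0/24
SERVER_ENDPOINT=server.hostname.com:51820   # placeholder, as on the page

# render_server_netdev DIR N: wg0.netdev for a server with N clients.
# Client i gets 10.2.0.(i+1)/32 and needs DIR/publickey-client<i> and
# DIR/preshared-server-client<i> (assumed names); DIR/privatekey is the server's.
render_server_netdev() {
    dir=$1; n=$2
    printf '[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nListenPort=51820\nPrivateKey=%s\n' \
        "$(cat "$dir/privatekey")"
    i=1
    while [ "$i" -le "$n" ]; do
        printf '\n[WireGuardPeer]\nPublicKey=%s\nPresharedKey=%s\nAllowedIPs=%s.%d/32\n' \
            "$(cat "$dir/publickey-client$i")" \
            "$(cat "$dir/preshared-server-client$i")" "$NET_PREFIX" $((i + 1))
        i=$((i + 1))
    done
}

# render_client_netdev DIR I: wg0.netdev for client I; needs DIR/privatekey-client<I>,
# DIR/publickey (the server's) and DIR/preshared-server-client<I>. AllowedIPs is
# the whole /24 so the client routes the VPN network through the server.
render_client_netdev() {
    dir=$1; i=$2
    printf '[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nPrivateKey=%s\n\n' \
        "$(cat "$dir/privatekey-client$i")"
    printf '[WireGuardPeer]\nPublicKey=%s\nPresharedKey=%s\nAllowedIPs=%s.0/24\nEndpoint=%s\nPersistentKeepalive=25\n' \
        "$(cat "$dir/publickey")" "$(cat "$dir/preshared-server-client$i")" \
        "$NET_PREFIX" "$SERVER_ENDPOINT"
}

# render_network HOST [onlink]: wg0.network for host number HOST (1 = server);
# pass "onlink" for clients, which reach the gateway only via the tunnel.
render_network() {
    printf '[Match]\nName=wg0\n\n[Network]\nAddress=%s.%d/32\n\n[Route]\nGateway=%s.1\nDestination=%s.0/24\n' \
        "$NET_PREFIX" "$1" "$NET_PREFIX" "$NET_PREFIX"
    if [ "${2:-}" = onlink ]; then printf 'GatewayOnlink=true\n'; fi
}

# install_unit SRC DEST: copy with the ownership and mode the page uses, so the
# private key is readable only by root and the systemd-network group.
install_unit() {
    install -o root -g systemd-network -m 640 "$1" "$2"
}
```

Run as root with the key files in one directory, e.g. `render_server_netdev keys 2 > wg0.netdev && install_unit wg0.netdev /etc/systemd/network/wg0.netdev`, then restart systemd-networkd as above.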
 References
- ^ Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (GitHub: torvalds/linux@bd2463a)
