wireguard

Contents

wireguard

About

https://www.wireguard.com/

Mainlined with Linux 5.6. No DKMS needed anymore.

Installation

   1 aptitude install wireguard

With linux version < 5.6, this will also install wireguard-dkms as a dependency, an out-of-tree module, yet. With DKMS you will be forced to disable Secure Boot in BIOS to load this module, because it's not signed by Microsoft, because it's built locally. I got the following error:

   1 modprobe wireguard
   2 modprobe: ERROR: could not insert 'wireguard': Operation not permitted

Configure

Create keys

   1 ### SUBSHELL TO LIMIT UMASK
   2 sh
   3 NAME="${HOSTNAME%.*}"
   4 #NAME="test"
   5 PREFIX="/etc/wireguard/$NAME";
   6 umask 077;
   7 [ -d "$PREFIX" ] || mkdir -p "$PREFIX";
   8 cd "$PREFIX";
   9 wg genkey > "$PREFIX/wg_$NAME.key";
  10 wg pubkey < "$PREFIX/wg_$NAME.key" > "$PREFIX/wg_$NAME.pub";
  11 wg genpsk > "$PREFIX/wg_$NAME.psk";
  12 exit

Please remember:
Always generate a new PSK for any new connection, to not put the secrecy of other connections at risk.

Client

Create wg-quick config
/etc/wireguard/wg_libertas.conf

   1 ###WIREGUARD CONFIG
   2 #HOST:  "libertas"
   3 #PEER:  "hostname.dyna.rockstable.it"
   4 #DATE:  "2020-12-25"
   5 
   6 [Interface]
   7 DNS             = 10.255.255.1/24
   8 DNS             = search.domain.example.com
   9 #MTU            =
  10 #Table          =
  11 #PreUp          =
  12 #PostUp         =
  13 #PreDown        =
  14 #PostDown       =
  15 #SaveConfig     = false
  16 PrivateKey      = eOPGzM9Sa8LR3Q/zD17q6zPOLYSx3D/d0Jb2QeskjHQ=
  17 #FwMark =
  18 ListenPort = 51820
  19 
  20 [Peer]
  21 PublicKey = e3ZITGXKIUXrtjg0/0LAt2/lSuJtASX3/25itWLwBRA=
  22 Endpoint = hostname.dyna.rockstable.it:51820
  23 AllowedIPs = 10.255.255.0/24
  24 AllowedIPs = 0.0.0.0/0
  25 #AllowedIPs = 0.0.0.0/0, ::/0
  26 PresharedKey = JNVOOUGtSJv9iqaoX63da3Xx1dzTWdk13+hXyoyfM0w=
  27 #PersistentKeepalive =

When the server is configured, start the tunnel.

   1 wg
   2 wg-quick up wg_libertas
   3 wg

Server

Create wg-quick config
/etc/wireguard/wg_hostname.conf

   1 [Interface]
   2 ListenPort = 51820
   3 PrivateKey = CLr3+ATltMgdABUc7bBJXZC9vly60QIBNA+k0oF3+3g=
   4 
   5 [Peer]
   6 PublicKey = uELE8TT4eCR/kxwh+AlBvSF3MmrOhzvsHPKfTs5vKUY=
   7 PresharedKey = JNVOOUGtSJv9iqaoX63da3Xx1dzTWdk13+hXyoyfM0w=
   8 AllowedIPs = 10.255.255.5/32
   9 Endpoint = libertas

Start listening

   1 wg
   2 wg-quick up wg_hostname
   3 wg

Start on boot

There is a parameterized service in SystemD

   1 systemctl enable wg-quick@wg_hostname.service

To identify such services

   1 find /etc -name '*wg-quick*'
   2 /etc/systemd/system/multi-user.target.wants/wg-quick@wg_hostname.service

/etc/systemd/system/multi-user.target.wants/wg-quick@wg_hostname.service

   1 [Unit]
   2 Description=WireGuard via wg-quick(8) for %I
   3 After=network-online.target nss-lookup.target
   4 Wants=network-online.target nss-lookup.target
   5 PartOf=wg-quick.target
   6 Documentation=man:wg-quick(8)
   7 Documentation=man:wg(8)
   8 Documentation=https://www.wireguard.com/
   9 Documentation=https://www.wireguard.com/quickstart/
  10 Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
  11 Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  12 
  13 [Service]
  14 Type=oneshot
  15 RemainAfterExit=yes
  16 ExecStart=/usr/bin/wg-quick up %i
  17 ExecStop=/usr/bin/wg-quick down %i
  18 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
  19 Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
  20 
  21 [Install]
  22 WantedBy=multi-user.target

Configurations

Services

Misc

Navigation