Wireguard

From UVOO Tech Wiki

Simple example of setting up WireGuard on two hosts (extend the same pattern for more hosts)

host1 and host2

apt install wireguard wireguard-tools
cd /etc/wireguard/
wg genkey | tee key.sec | wg pubkey > key.pub
cat key.sec
cat key.pub

Use key.sec as the PrivateKey on the host that generated it and key.pub as the PublicKey in the other host's [Peer] section. Run wg genpsk on one host only and put the same value in both configs.

host1 /etc/wireguard/wg0.conf # wg0 will be the interface name shown by "ip a"

[Interface]
Address = 10.254.1.1/24
ListenPort = 123  # Please change
PrivateKey = <base64 encoded key>  # host1's key.sec (wg genkey)

[Peer]
PublicKey = <base64 encoded key>  # host2's key.pub (wg pubkey)
PresharedKey = <base64 encoded key>  # wg genpsk, same value on both hosts
AllowedIPs = 10.254.1.0/24
Endpoint = <reachable_ip>:123  # host2's reachable IP and host2's ListenPort
PersistentKeepalive = 25

host2 /etc/wireguard/wg0.conf # wg0 will be the interface name shown by "ip a"

[Interface]
Address = 10.254.1.2/24
ListenPort = 123  # Please change
PrivateKey = <base64 encoded key>  # host2's key.sec (wg genkey)

[Peer]
PublicKey = <base64 encoded key>  # host1's key.pub (wg pubkey)
PresharedKey = <base64 encoded key>  # wg genpsk, same value on both hosts
AllowedIPs = 10.254.1.0/24
Endpoint = <reachable_ip>:123  # host1's reachable IP and host1's ListenPort
PersistentKeepalive = 25
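A consistency check for a pair of configs like the two above, added here as an example and not part of the original wiki page or of WireGuard's own tooling: it parses each wg0.conf, verifies that the keys are 32-byte base64 values, that each Endpoint port equals the other host's ListenPort, that the other host's tunnel address falls inside AllowedIPs, and that both sides carry the same PresharedKey. The sample configs, addresses and keys are constructed placeholders (the public keys are not derived from the private keys, and this check does not verify that pairing).

```python
import base64
import configparser
import ipaddress

def parse_wg_conf(text):
    """Parse a wg0.conf with one [Interface] and one [Peer]; '#' comments are dropped."""
    cp = configparser.ConfigParser(inline_comment_prefixes="#")
    cp.optionxform = str  # keep key case, e.g. AllowedIPs, PrivateKey
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def is_wg_key(value):
    """WireGuard keys are 32 raw bytes, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_pair(conf_a, conf_b):
    """Return inconsistencies between host a's [Peer] and host b's [Interface]."""
    peer, other, problems = conf_a["Peer"], conf_b["Interface"], []
    for field in ("PublicKey", "PresharedKey"):
        if not is_wg_key(peer.get(field, "")):
            problems.append(f"{field} is not a 32-byte base64 key")
    port = peer.get("Endpoint", "").rpartition(":")[2]  # Endpoint is host:port
    if port != other.get("ListenPort"):
        problems.append(f"Endpoint port {port} != peer ListenPort {other.get('ListenPort')}")
    addr = ipaddress.ip_interface(other["Address"]).ip  # the other host's tunnel address
    nets = [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]
    if not any(addr in n for n in nets):  # otherwise its packets are never routed/accepted
        problems.append(f"{addr} is not covered by AllowedIPs {peer['AllowedIPs']}")
    if peer.get("PresharedKey") != conf_b["Peer"].get("PresharedKey"):
        problems.append("PresharedKey differs between the two hosts")
    return problems

# Constructed sample: placeholder keys, and host1 reproduces a 333-vs-123 port mismatch.
TEMPLATE = """[Interface]
Address = {addr}/24
ListenPort = 123
PrivateKey = {priv}
[Peer]
PublicKey = {pub}
PresharedKey = {psk}
AllowedIPs = 10.254.1.0/24
Endpoint = {endpoint}  # must be the other host's ListenPort
"""
K = {n: base64.b64encode(bytes([i]) * 32).decode() for i, n in enumerate("abp", 1)}
HOST1 = TEMPLATE.format(addr="10.254.1.1", priv=K["a"], pub=K["b"], psk=K["p"], endpoint="203.0.113.2:333")
HOST2 = TEMPLATE.format(addr="10.254.1.2", priv=K["b"], pub=K["a"], psk=K["p"], endpoint="203.0.113.1:123")
```

Run check_pair in both directions; the host1 config above fails only on the Endpoint port, and the same config with ":123" passes.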

Bring the interface up on both host1 and host2

wg-quick up wg0
wg show

Test on both host1 and host2

ping -c4 10.254.1.1
ping -c4 10.254.1.2
tcpdump -npi wg0
tcpdump -npi <endpoint interface> port 123

Traffic to 10.254.1.0/24 should go through wg0, and on the endpoint interface you should see UDP port 123 carrying the encapsulated (encrypted) packets.

Down/remove interface

wg-quick down wg0

Routing/Firewall

UDP port 123 must be opened through the firewall. You can force/route traffic into the tunnel as wanted by adjusting AllowedIPs (wg-quick adds a route for each AllowedIPs prefix). Modify firewall rules as needed.

Notes

Derive the public key from an existing private key, or generate a fresh pair:

# echo <base64 private key> | wg pubkey
# wg genkey | tee key.sec | wg pubkey > key.pub

wg0.conf possible useful options

SaveConfig = true  # wg-quick writes the running configuration back to wg0.conf on "wg-quick down"

Refs