Howto wireguard: Difference between revisions
Mandulete1 (talk | contribs) m (Protected "Howto wireguard" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
Latest revision as of 22:02, 3 October 2024
= server configuration =
install repos centos7:
yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y yum-plugin-elrepo
yum install -y kmod-wireguard wireguard-tools
install repos centos8:
yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools
install repos debian10:
# the headers package must match the running kernel (compare with uname -r)
sudo apt-get install -y linux-headers-4.19.0-17-cloud-amd64
sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
sudo apt update
sudo apt install -y wireguard
check with dkms that the wireguard module has been built and installed for the running kernel:
dkms status
if you need to build the module again:
dkms build wireguard/1.0.20210219
create wireguard config directory on etc:
mkdir /etc/wireguard
create a public/private key pair:
cd /etc/wireguard/
wg genkey | tee server_private.key | wg pubkey > server_public.key
create a wireguard configuration file /etc/wireguard/wg0.conf (eth0 in the PostUp/PostDown rules is the server's uplink interface; change it to match your interface name):
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.10.10.1/24
SaveConfig = false
PrivateKey = $(cat /etc/wireguard/server_private.key)
ListenPort = 51820
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = 75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=
AllowedIPs = 10.10.10.2/32
EOF
fix wireguard config directory permissions (700 on the directory so it stays traversable, 600 on the key and config files, which hold the private key):
chmod 700 /etc/wireguard
chmod 600 /etc/wireguard/*
enable ip forwarding:
nano /etc/sysctl.d/99-sysctl.conf
add the following line at the end of this file:
net.ipv4.ip_forward = 1
apply changes:
sysctl -p /etc/sysctl.d/99-sysctl.conf
start and enable wireguard service:
systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service
an alternative way to start or stop wireguard:
wg-quick up wg0
wg-quick down wg0
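Before bringing the interface up it is worth checking the file that was just written. The script below is an added example, not part of the wiki page: it validates a wg-quick configuration with only sed, base64 and stat, so it works on a host where wireguard-tools is not installed yet. It checks that the file is not group or world readable, that PrivateKey and every PublicKey are 32-byte base64 keys (a truncated paste is the usual reason a handshake silently never completes), and that no prefix appears in the AllowedIPs of two peers. The function names check_wg_conf, valid_wg_key and conf_values are the example's own, and GNU stat/base64 are assumed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity checks for a wg-quick
# configuration file before it is brought up. Only sed, base64, stat, sort
# and uniq are used, so it runs without wireguard-tools present.

# valid_wg_key KEY: return 0 if KEY is the base64 form of exactly 32 bytes,
# which is what every WireGuard private, public or preshared key looks like.
valid_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    n="$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)"
    [ "$n" -eq 32 ]
}

# conf_values FILE KEY: print every value of KEY in FILE, one per line,
# with surrounding whitespace removed (wg-quick accepts "Key = value").
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d ' \t'
}

# check_wg_conf FILE: print every problem found; return 0 only if the file
# passed all checks.
check_wg_conf() {
    f="$1"
    rc=0

    # 1. the file holds a private key, so it must not be group/world readable
    mode="$(stat -c '%a' "$f")"
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode is too permissive, use chmod 600"; rc=1 ;;
    esac

    # 2. exactly one well-formed PrivateKey in the [Interface] section
    nkeys="$(conf_values "$f" PrivateKey | wc -l)"
    if [ "$nkeys" -ne 1 ]; then
        echo "$f: expected one PrivateKey, found $nkeys"; rc=1
    elif ! valid_wg_key "$(conf_values "$f" PrivateKey)"; then
        echo "$f: PrivateKey is not a 32-byte base64 key"; rc=1
    fi

    # 3. every peer's PublicKey is well formed
    for k in $(conf_values "$f" PublicKey); do
        valid_wg_key "$k" || { echo "$f: malformed PublicKey $k"; rc=1; }
    done

    # 4. no prefix is listed in the AllowedIPs of two different peers: the
    #    kernel routes a prefix to exactly one peer, so the other one would
    #    never receive its traffic
    dups="$(conf_values "$f" AllowedIPs | tr ',' '\n' | sort | uniq -d)"
    if [ -n "$dups" ]; then
        echo "$f: AllowedIPs claimed by more than one peer: $dups"; rc=1
    fi

    return "$rc"
}

# Usage: sh check-wg-conf.sh /etc/wireguard/wg0.conf
if [ -n "${1:-}" ]; then
    check_wg_conf "$1"
fi
```

Run it as root against /etc/wireguard/wg0.conf after the chmod step; an exit status of 0 means all four checks passed, otherwise each problem is printed on its own line.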
= client configuration =
install repos centos7:
yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y yum-plugin-elrepo
yum install -y kmod-wireguard wireguard-tools
install repos centos8:
yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools
create wireguard config directory on etc:
mkdir /etc/wireguard
create a public/private key pair:
cd /etc/wireguard/
wg genkey | tee client_private.key | wg pubkey > client_public.key
create a wireguard configuration file /etc/wireguard/wg0.conf (PublicKey is the server's public key; AllowedIPs = 0.0.0.0/0 sends all of the client's traffic through the tunnel):
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = $(cat /etc/wireguard/client_private.key)
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = vxyo4l4I3jWK+KZquNIDJF/hzQq29DOIxSUOrfNZZCs=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25
EOF
fix wireguard config directory permissions (700 on the directory so it stays traversable, 600 on the key and config files, which hold the private key):
chmod 700 /etc/wireguard
chmod 600 /etc/wireguard/*
start and enable wireguard service:
systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service
show information about the vpn connection:
wg show
= mikrotik =
for wireguard support we need to switch to the development channel:
/system package update set channel=development
then download the latest update:
/system package update download
reboot the router:
/system reboot
add wireguard interface:
/interface/wireguard add name=wg0 mtu=1420
add wireguard peer using server information:
/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0
add ip address to interface:
/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0
add access to ssh from wireguard (these are filter rules, not nat rules: input, forward and output are chains of /ip/firewall/filter, and the accept rules must sit above any drop rule in the same chain):
/ip/firewall/filter add action=accept chain=forward dst-port=22 in-interface=wg0 protocol=tcp
/ip/firewall/filter add action=accept chain=input dst-port=22 in-interface=wg0 protocol=tcp
add the following peer (the router's public key and its tunnel address) to the server configuration in /etc/wireguard/wg0.conf:
[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32
restart wireguard on server:
systemctl restart wg-quick@wg0.service
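Restarting wg-quick tears the interface down, so every connected peer loses its session until it re-handshakes. The script below is an added example, not part of the wiki page: it appends the new [Peer] block to the server's wg0.conf (the page uses SaveConfig = false, so the file is the only persistent record) and then adds the peer to the running interface with wg set, which leaves existing sessions untouched. Before writing, it refuses a malformed key, a key that is already configured, and an AllowedIPs prefix that another peer already owns, since two peers with the same /32 would fight over that address. The function names add_peer_to_conf, apply_peer, valid_wg_key and conf_values are the example's own; the interface name wg0 and the config path follow the page.

```shell
#!/bin/sh
# Added example, not part of the wiki page: add a peer (here the MikroTik
# router) to the server's wg0.conf and apply it in place instead of
# restarting wg-quick, which would drop every connected peer's session.

# valid_wg_key KEY: 0 if KEY is the base64 form of exactly 32 bytes.
valid_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# conf_values FILE KEY: every value of KEY in FILE, one per line, whitespace stripped.
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d ' \t'
}

# add_peer_to_conf FILE PUBKEY ALLOWED_IP: append a [Peer] block to FILE.
# Refuses a malformed key, a key already present, and a prefix already
# assigned to another peer. Returns 0 only when the block was written.
add_peer_to_conf() {
    conf="$1"; pub="$2"; ip="$3"
    if ! valid_wg_key "$pub"; then
        echo "refusing $pub: not a 32-byte base64 key" >&2; return 1
    fi
    if conf_values "$conf" PublicKey | grep -Fxq "$pub"; then
        echo "refusing $pub: peer already present" >&2; return 1
    fi
    if conf_values "$conf" AllowedIPs | tr ',' '\n' | grep -Fxq "$ip"; then
        echo "refusing $ip: already assigned to another peer" >&2; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$ip" >> "$conf"
}

# apply_peer IFACE PUBKEY ALLOWED_IP: add the peer to the running interface
# so existing sessions survive; needs wireguard-tools and root.
apply_peer() {
    wg set "$1" peer "$2" allowed-ips "$3"
}

# Usage: sh add-peer.sh <public key> <allowed ip/32>, e.g. for the router above:
#   sh add-peer.sh pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI= 10.10.10.3/32
if [ "$#" -eq 2 ]; then
    add_peer_to_conf /etc/wireguard/wg0.conf "$1" "$2" && apply_peer wg0 "$1" "$2"
fi
```

The file is written first and the running interface updated second, so a refused request changes nothing; a later systemctl restart or wg-quick up picks up the same peer from the file.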
= windows =
if you have issues with the windows client, verify that the DNS Client service is enabled via regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache
set the Start value of this key to 2 (automatic start):
Start = 2
reboot the machine.
= error compiling on rhel8 =
So I did the hard-core way: I edited line 418 in /usr/src/wireguard-1.0.20220627/compat/compat.h and renamed ktime_get_coarse_boottime_ns to _ktime_get_coarse_boottime_ns (mind the underscore at the beginning). Now it's building and dkms status returns: wireguard/1.0.20220627, 4.18.0-408.el8.x86_64, x86_64: installed
= references =
- https://r-pufky.github.io/docs/services/wireguard/windows-setup.html
- https://blog.stigok.com/2018/10/08/wireguard-vpn-server-on-centos-7.html
- https://www.linuxbabe.com/centos/wireguard-vpn-server-centos
- https://www.cyberciti.biz/faq/centos-8-set-up-wireguard-vpn-server/
- https://medium.com/opsops/starting-with-wireguard-d17518869a60
- https://linuxhint.com/enable_ip_forwarding_ipv4_debian_linux/
- https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/