Howto wireguard: Difference between revisions

From Vidalinux Wiki
Jump to navigation Jump to search
m (Protected "Howto wireguard" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(43 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= server configuration =
= server configuration =
install repos:
install repos centos7:
  yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
  yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
  yum install -y yum-plugin-elrepo
  yum install -y yum-plugin-elrepo
  yum install -y kmod-wireguard wireguard-tools
  yum install -y kmod-wireguard wireguard-tools
install repos centos8:
yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools
install repos debian10:
sudo apt-get install -y linux-headers-4.19.0-17-cloud-amd64
sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
sudo apt update
sudo apt install -y wireguard
checking dkms states it the wireguard module is active
dkms status
if you need to build the module again:
dkms build wireguard/1.0.20210219
create wireguard config directory on etc:
create wireguard config directory on etc:
  mkdir /etc/wireguard
  mkdir /etc/wireguard
create a public/private key pair:
create a public/private key pair:
  wg genkey | tee /etc/wireguard/server_private.key | wg pubkey | tee /etc/wireguard/server_public.key
  cd /etc/wireguard/
wg genkey > server_private.key
wg genkey | tee server_private.key | wg pubkey > server_public.key
create a wireguard configuration file /etc/wireguard/wg0.conf:
create a wireguard configuration file /etc/wireguard/wg0.conf:
cat > /etc/wireguard/wg0.conf << EOF
  [Interface]
  [Interface]
  Address = 10.10.10.1/24
  Address = 10.10.10.1/24
  SaveConfig = true
  SaveConfig = false
  PrivateKey = kLmHUf4LNmxtz1uA3riC7MMXzwBFjJrSWE/Lb4p+4Ec=
  PrivateKey = $(cat /etc/wireguard/server_private.key)
  ListenPort = 51820
  ListenPort = 51820
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
   
   
  [Peer]
  [Peer]
  PublicKey = 75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=
  PublicKey = 75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=
  AllowedIPs = 10.10.10.2/32
  AllowedIPs = 10.10.10.2/32
EOF
fix wireguard config directory permissions:
fix wireguard config directory permissions:
  chmod 600 /etc/wireguard/ -R
  chmod 600 /etc/wireguard/ -R
Line 34: Line 52:


= client configuration =
= client configuration =
install repos:
install repos centos7:
  yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
  yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
  yum install -y yum-plugin-elrepo
  yum install -y yum-plugin-elrepo
  yum install -y kmod-wireguard wireguard-tools  
  yum install -y kmod-wireguard wireguard-tools  
install repos centos8:
yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools
create wireguard config directory on etc:
create wireguard config directory on etc:
  mkdir /etc/wireguard
  mkdir /etc/wireguard
create a public/private key pair:
create a public/private key pair:
  wg genkey | tee /etc/wireguard/client_private.key | wg pubkey | tee /etc/wireguard/client_public.key
  cd /etc/wireguard/
wg genkey > client_private.key
wg genkey | tee client_private.key | wg pubkey > client_public.key
create a wireguard configuration file /etc/wireguard/wg0.conf:
create a wireguard configuration file /etc/wireguard/wg0.conf:
cat > /etc/wireguard/wg0.conf << EOF
cat > /etc/wireguard/wg0.conf << EOF
  [Interface]
  [Interface]
  Address = 10.10.10.2/24
  Address = 10.10.10.2/24
  DNS = 10.10.10.1
  DNS = 10.10.10.1
  PrivateKey = $(cat /etc/wireguard/client_private.key)
  PrivateKey = $(cat /etc/wireguard/client_private.key)
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
   
   
  [Peer]
  [Peer]
Line 54: Line 79:
  Endpoint = 12.34.56.78:51820
  Endpoint = 12.34.56.78:51820
  PersistentKeepalive = 25
  PersistentKeepalive = 25
EOF
fix wireguard config directory permissions:
fix wireguard config directory permissions:
  chmod 600 /etc/wireguard/ -R
  chmod 600 /etc/wireguard/ -R
Line 61: Line 87:
show information about the vpn connection:
show information about the vpn connection:
  wg show
  wg show
= mikrotik =
for wireguard support we need to switch to development channel:
/system package update set channel=development
then download the latest update:
/system package update download
reboot the router:
/system reboot
add wireguard interface:
/interface/wireguard add name=wg0 mtu=1420
add wireguard peer using server information:
/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0
add ip address to interface:
/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0
add access to ssh from wireguard:
/ip/firewall/nat add action=accept chain=forward dst-port=22 in-interface=wg0 protocol=tcp
/ip/firewall/nat add action=accept chain=input dst-port=22 in-interface=wg0 protocol=tcp
add the following on the server configuration:
[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32
restart wireguard on server:
systemctl restart wg-quick@wg0.service
= windows =
if you have issues with windows client verify and enable DNS Client service via regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache
edit start registry key:
2
reboot the machine.
= error compiling on rhel8 =
So I did the hard-core way: I edited line 418 in /usr/src/wireguard-1.0.20220627/compat/compat.h and renamed ktime_get_coarse_boottime_ns to _ktime_get_coarse_boottime_ns (mind the underscore at the beginning). Now it's building and dkms status returns: wireguard/1.0.20220627, 4.18.0-408.el8.x86_64, x86_64: installed


= references =
= references =
* https://r-pufky.github.io/docs/services/wireguard/windows-setup.html
* https://blog.stigok.com/2018/10/08/wireguard-vpn-server-on-centos-7.html
* https://blog.stigok.com/2018/10/08/wireguard-vpn-server-on-centos-7.html
* https://www.linuxbabe.com/centos/wireguard-vpn-server-centos
* https://www.linuxbabe.com/centos/wireguard-vpn-server-centos
Line 68: Line 127:
* https://medium.com/opsops/starting-with-wireguard-d17518869a60
* https://medium.com/opsops/starting-with-wireguard-d17518869a60
* https://linuxhint.com/enable_ip_forwarding_ipv4_debian_linux/
* https://linuxhint.com/enable_ip_forwarding_ipv4_debian_linux/
* https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/

Latest revision as of 22:02, 3 October 2024

server configuration

install repos centos7:

yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y yum-plugin-elrepo
yum install -y kmod-wireguard wireguard-tools

install repos centos8:

yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools

install repos debian10:

sudo apt-get install -y linux-headers-4.19.0-17-cloud-amd64
sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
sudo apt update
sudo apt install -y wireguard 

checking dkms states it the wireguard module is active

dkms status

if you need to build the module again:

dkms build wireguard/1.0.20210219

create wireguard config directory on etc:

mkdir /etc/wireguard

create a public/private key pair:

cd /etc/wireguard/
wg genkey > server_private.key
wg genkey | tee server_private.key | wg pubkey > server_public.key

create a wireguard configuration file /etc/wireguard/wg0.conf:

cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.10.10.1/24
SaveConfig = false
PrivateKey = $(cat /etc/wireguard/server_private.key)
ListenPort = 51820
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = 75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=
AllowedIPs = 10.10.10.2/32
EOF

fix wireguard config directory permissions:

chmod 600 /etc/wireguard/ -R

enable ip forwarding:

nano /etc/sysctl.d/99-sysctl.conf

add the following line at the end of this file:

net.ipv4.ip_forward = 1

apply changes:

sysctl -p /etc/sysctl.d/99-sysctl.conf

start and enable wireguard service:

systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service

an alternative way to start or stop wireguard:

wg-quick up wg0
wg-quick down wg0

client configuration

install repos centos7:

yum install -y epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install -y yum-plugin-elrepo
yum install -y kmod-wireguard wireguard-tools 

install repos centos8:

yum install -y epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum install -y kmod-wireguard wireguard-tools

create wireguard config directory on etc:

mkdir /etc/wireguard

create a public/private key pair:

cd /etc/wireguard/
wg genkey > client_private.key
wg genkey | tee client_private.key | wg pubkey > client_public.key

create a wireguard configuration file /etc/wireguard/wg0.conf:

cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = $(cat /etc/wireguard/client_private.key)
PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = vxyo4l4I3jWK+KZquNIDJF/hzQq29DOIxSUOrfNZZCs=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25
EOF

fix wireguard config directory permissions:

chmod 600 /etc/wireguard/ -R

start and enable wireguard service:

systemctl start wg-quick@wg0.service
systemctl enable wg-quick@wg0.service

show information about the vpn connection:

wg show

mikrotik

for wireguard support we need to switch to development channel:

/system package update set channel=development

then download the latest update:

/system package update download

reboot the router:

/system reboot

add wireguard interface:

/interface/wireguard add name=wg0 mtu=1420

add wireguard peer using server information:

/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0

add ip address to interface:

/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0

add access to ssh from wireguard:

/ip/firewall/nat add action=accept chain=forward dst-port=22 in-interface=wg0 protocol=tcp
/ip/firewall/nat add action=accept chain=input dst-port=22 in-interface=wg0 protocol=tcp

add the following on the server configuration:

[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32

restart wireguard on server:

systemctl restart wg-quick@wg0.service

windows

if you have issues with windows client verify and enable DNS Client service via regedit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache 

edit start registry key:

2

reboot the machine.

error compiling on rhel8

So I did the hard-core way: I edited line 418 in /usr/src/wireguard-1.0.20220627/compat/compat.h and renamed ktime_get_coarse_boottime_ns to _ktime_get_coarse_boottime_ns (mind the underscore at the beginning). Now it's building and dkms status returns: wireguard/1.0.20220627, 4.18.0-408.el8.x86_64, x86_64: installed

references