Archives/selfhosted-apps-docker
2
0
Fork 0
mirror of https://github.com/DoTheEvo/selfhosted-apps-docker synced 2024-11-18 21:28:13 +00:00
Code Issues Projects Releases Wiki Activity
0a11c4a1de
selfhosted-apps-docker/wireguard/readme.md
DoTheEvolution 0a11c4a1de update
2020-06-02 02:19:50 +02:00

6.4 KiB
Raw Blame History

WireGuard

Work in progress

guide-by-example

logo

Purpose & Overview

VPN.
When you need to connect to a machine/network over the internet, securely.

WireGuard is an opensource simple, fast and modern VPN.
Written in C, with userspace implementation written in Go.
WireGuard is included in linux kernel version 5.6 and newer.

WireGuard works at layer 3 and uses UDP protocol.
While with WireGuard there is no server-clients model, there are just peers connecting to each other, this gudie will setup peer_A as a server listening at a port, and clients will be connecting to it.

This setup runs directly on the host machine, not in a container.
Most of the stuff here is based on Arch wiki and this tutorial.

Files and directory structure

/etc/
└── wireguard/
    └── wg0.conf

Installation

on linux server

Install wireguard-tools or whatever is the equivalent in your distro.
The package should provide two command line utilities

  • wg - utility for configuration and management of WireGuard tunnel interfaces
  • wg-quick - script for bringing up or down a WireGuard interface and provide some extra configuration functions

on linux clients

Same as server

on Windows or macOS clients

Install the official application.

extra info:
Might be of interest server setup on Windows

on Android or iOS devices

Install the official app from the stores.

Configuration on linux server

  • switch to root and go in to in /etc/wireguard
    su
    cd /etc/wireguard
  • generate a private key
    wg genkey > peer_A.key
  • create a public key from the private key
    wg pubkey < peer_A.key > peer_A.pub

Use the generated keys in the wg0.conf, in the [Interface] section.

wg0.conf

[Interface]
PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=
# PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
Address = 10.200.200.1/24
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE

[Peer]
# TESTER-1
# PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
AllowedIPs = 10.200.200.2/32

[Peer]
# TESTER-2
# PrivateKey = QNc0dunuRQAjuKpFmRPqvPAysqpklctcdblqrazUT0o=
PublicKey = CAt7g42pPxgU5Lcc3uyNh5BmkITJS1K6XAoFbkhN6Qk=
AllowedIPs = 10.200.200.3/32

This configuration when run creates a new wg0 network interface on the machine.

[Interface] - section defining wg0 wireguard interface

  • PrivateKey - the key that was generated, identifies the server, will be used to encrypt packets
  • # PublicKey - just a note, what is the public key of the private key
  • Address - IP address on the created wg0 network interface, /24 defines its mask as 255.255.255.0
  • ListenPort - port on which wireguard connects to the internet, using UDP protocol
  • PostUp/PostDown - section where one can define what should be done after the interface is turned on or off.
    In this case forwarding traffic across the tunnel and enabling NAT for interface enp0s25 which you want to replace with your own
    This setup ipv4 only

[Peer] - section defining a peers

  • PublicKey - public key of the peer
  • AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
    When wg-quick is run with these defined, a route is added in to the network stack that makes sure that if something wants IP address defined here, it is send to wg0.
    Two peers can not have same IP set in there.
    In this case we want to define only single IP of the client as being accessible, allowed through.

Start and enable the service

sudo systemctl enable --now wg-quick@wg0

Configuration on clients

TESTER-1.conf

[Interface]
PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
# PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
Address = 10.200.200.2/32

[Peer]
PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
AllowedIPs = 10.200.200.1/32, 192.168.5.0/24
Endpoint = 63.123.113.495:51820

[Interface] - section defining wg0 wireguard interface

  • PrivateKey - private key of the peer
  • # PublicKey - just a note, what is the public key of the private key
  • Address - IP address on the created wireguard network interface, /32 defines its mask as 255.255.255.255 - a single host

[Peer] - section defining a peer, in this case server peer_A

  • PublicKey - public key of the server
  • AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
    When wg-quick is run with these defined, a route is added in to the network stack that makes sure that if something wants IP address defined here, it is send to wg0.
    Two peers can not have same IP set in there.
    In this client case, we want to be able to communicate with the wireguard server, so its IP is added, but also the entire local network at the end of the tunnel, so its entire range is added.
  • Endpoint - public IP at which to find the WireGuard server across the internet

windows-client

Troubleshooting

  • can connct to the server, but not the LAN machines
    make sure you set your network interface in PostUp/PostDown section on the server

Update

During host linux packages update.

Backup and restore

Backup

Using borg that makes daily snapshot of the /etc directory which contains the config file.

restore

Replace the content of the config file with the one from the backup.