This shows you the differences between two versions of the page.
cs:wireguard [2020/12/14 11:17] paolo_bolzoni Created Wireguard page |
cs:wireguard [2020/12/14 21:00] paolo_bolzoni [Configuration] |
Line 32: | Line 32: | ||
=== IP Addresses === | === IP Addresses === | ||
- | Virtual Private Networks, as the name suggest, use IPs in the private space. There are multiple spaces and Wireguard supports both IP6 and IP4, but for most purposes to use the IP addresses in the''10.0.0.0/8'' block are sufficient. | + | Virtual Private Networks, as the name suggest, use IPs in the private space. There are multiple spaces and Wireguard supports both IP6 and IP4, but for most purposes to use the IP addresses in the ''10.0.0.0/8'' block is sufficient. |
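Review bot: the revised sentence still carries two grammar slips that this edit could have fixed at the same time: "as the name suggest" should be "as the name suggests", and "IP6 and IP4" should read "IPv6 and IPv4". Consider also naming the private ranges precisely: ''10.0.0.0/8'' is one of the RFC 1918 blocks, and saying so tells the reader why that block is safe to use for the tunnel addresses.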
Line 62: | Line 62: | ||
PersistentKeepalive = 25 | PersistentKeepalive = 25 | ||
- | For Peers the ''AllowedIPs'' section is just for routing. The ''Endpoint'' value is used to reach the machine running the wireguard interface. | + | For Peers the ''AllowedIPs'' section is just for routing. The ''Endpoint'' value is used to reach the machine running the wireguard interface; it can omitted if it is expected that the machine will be reached from outside first (i.e., functions as a server). |
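Review bot: "it can omitted" is missing a word and should read "it can be omitted". Separately, describing ''AllowedIPs'' as "just for routing" understates what it does: on the receiving side WireGuard also uses it as the cryptokey routing table, so a decrypted packet whose source address is not in that peer's ''AllowedIPs'' is dropped. That makes it an access-control setting as well as a routing one, and the sentence should say so, since an overly broad value (such as ''0.0.0.0/0'' on a peer that should only reach its own /32) lets that peer source traffic for the whole VPN.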
Line 87: | Line 87: | ||
-A INPUT -p tcp -j REJECT --reject-with tcp-reset | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
-A INPUT -j REJECT --reject-with icmp-proto-unreachable | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | ||
- | -A FORWARD -i wg0 -o wg0 -j ACCEPT COMMIT | + | -A FORWARD -i wg0 -o wg0 -j ACCEPT |
+ | COMMIT | ||
+ | |||
+ | Forwarding needs to be enabled at kernel level. | ||
+ | |||
+ | # sysctl -w net.ipv4.ip_forward=1 | ||
+ | |||
+ | If IPv6 is used: | ||
+ | |||
+ | # sysctl -w net.ipv6.conf.all.forwarding=1 | ||
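Review bot: ''sysctl -w'' only changes the running kernel; the setting is lost on reboot, so the hunk should also show the persistent form, for example a line ''net.ipv4.ip_forward = 1'' (and ''net.ipv6.conf.all.forwarding = 1'' where IPv6 is used) in a file under ''/etc/sysctl.d/''. Also worth stating next to the new ''-A FORWARD -i wg0 -o wg0 -j ACCEPT'' line: once ip_forward is on, the host forwards between all interfaces unless the FORWARD chain's default policy is DROP (the policy line is not visible in this hunk), so the text should tell the reader to verify that policy so that only wg0-to-wg0 traffic is forwarded. Splitting ''COMMIT'' onto its own line is the right fix; iptables-restore would have rejected the joined line.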