cs:wireguard
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
cs:wireguard [2020/12/14 11:17] paolo_bolzoni Created Wireguard page |
cs:wireguard [2021/07/27 07:43] (current) paolo_bolzoni small fixes |
||
|---|---|---|---|
| Line 12: | Line 12: | ||
| ==== Configuration ==== | ==== Configuration ==== | ||
| - | Wireguard interfaces are set up with configuration files that uses a ini syntax. In the ini file is a section called ''[Interface]'' that describes the interface itself and one or more ''[Peer]'' sections that describe who can be reached and how. | + | Wireguard interfaces are set up with configuration files that uses a ini syntax. In the ini file is a section called ''[Interface]'' that describes the interface itself and one or more ''[Peer]'' sections that describe from who can be reached and how. |
| Each interface comprises a asymmetrical key, the private key never leaves the computer hosting the interface, the public key is the main identification of each peer. | Each interface comprises a asymmetrical key, the private key never leaves the computer hosting the interface, the public key is the main identification of each peer. | ||
| Line 32: | Line 32: | ||
| === IP Addresses === | === IP Addresses === | ||
| - | Virtual Private Networks, as the name suggest, use IPs in the private space. There are multiple spaces and Wireguard supports both IP6 and IP4, but for most purposes to use the IP addresses in the''10.0.0.0/8'' block are sufficient. | + | Virtual Private Networks, as the name suggest, use IPs in the private space. There are multiple spaces and Wireguard supports both IP6 and IP4, but for most purposes to use the IP addresses in the ''10.0.0.0/8'' block is sufficient. |
| Line 62: | Line 62: | ||
| PersistentKeepalive = 25 | PersistentKeepalive = 25 | ||
| - | For Peers the ''AllowedIPs'' section is just for routing. The ''Endpoint'' value is used to reach the machine running the wireguard interface. | + | For Peers the ''AllowedIPs'' section is just for routing. The ''Endpoint'' value is used to reach the machine running the wireguard interface; it can omitted if it is expected that the machine will be reached from outside first (i.e., functions as a server). |
| === IPtables === | === IPtables === | ||
| - | For firewalling a machine running Wireguard needs to be able to receive UDP datagrams in the ''51820'' port (or wherever the physical interface is listening) and allow traffic to the Wireguard interface. | + | For firewalling a machine running Wireguard needs to be able to receive UDP datagrams in the ''51820'' port (or whence the physical interface is listening) and allow traffic to the Wireguard interface. |
| Besides, if routing is necessary (i.e., the ''[Interface] Address'' section is not a single IP) forward traffic should be allowed. | Besides, if routing is necessary (i.e., the ''[Interface] Address'' section is not a single IP) forward traffic should be allowed. | ||
| Line 87: | Line 87: | ||
| -A INPUT -p tcp -j REJECT --reject-with tcp-reset | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
| -A INPUT -j REJECT --reject-with icmp-proto-unreachable | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | ||
| - | -A FORWARD -i wg0 -o wg0 -j ACCEPT COMMIT | + | -A FORWARD -i wg0 -o wg0 -j ACCEPT |
| + | COMMIT | ||
| + | |||
| + | Forwarding needs to be enabled at kernel level. | ||
| + | |||
| + | # sysctl -w net.ipv4.ip_forward=1 | ||
| + | |||
| + | If IPv6 is used: | ||
| + | |||
| + | # sysctl -w net.ipv6.conf.all.forwarding=1 | ||
cs/wireguard.1607944654.txt.gz · Last modified: 2020/12/14 11:17 by paolo_bolzoni
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
