cs:wireguard
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
cs:wireguard [2020/12/14 11:20] paolo_bolzoni |
cs:wireguard [2021/07/27 07:43] (current) paolo_bolzoni small fixes |
||
|---|---|---|---|
| Line 12: | Line 12: | ||
| ==== Configuration ==== | ==== Configuration ==== | ||
| - | Wireguard interfaces are set up with configuration files that uses a ini syntax. In the ini file is a section called ''[Interface]'' that describes the interface itself and one or more ''[Peer]'' sections that describe who can be reached and how. | + | Wireguard interfaces are set up with configuration files that uses a ini syntax. In the ini file is a section called ''[Interface]'' that describes the interface itself and one or more ''[Peer]'' sections that describe from who can be reached and how. |
| Each interface comprises a asymmetrical key, the private key never leaves the computer hosting the interface, the public key is the main identification of each peer. | Each interface comprises a asymmetrical key, the private key never leaves the computer hosting the interface, the public key is the main identification of each peer. | ||
| Line 67: | Line 67: | ||
| === IPtables === | === IPtables === | ||
| - | For firewalling a machine running Wireguard needs to be able to receive UDP datagrams in the ''51820'' port (or wherever the physical interface is listening) and allow traffic to the Wireguard interface. | + | For firewalling a machine running Wireguard needs to be able to receive UDP datagrams in the ''51820'' port (or whence the physical interface is listening) and allow traffic to the Wireguard interface. |
| Besides, if routing is necessary (i.e., the ''[Interface] Address'' section is not a single IP) forward traffic should be allowed. | Besides, if routing is necessary (i.e., the ''[Interface] Address'' section is not a single IP) forward traffic should be allowed. | ||
| Line 87: | Line 87: | ||
| -A INPUT -p tcp -j REJECT --reject-with tcp-reset | -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
| -A INPUT -j REJECT --reject-with icmp-proto-unreachable | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | ||
| - | -A FORWARD -i wg0 -o wg0 -j ACCEPT COMMIT | + | -A FORWARD -i wg0 -o wg0 -j ACCEPT |
| + | COMMIT | ||
| + | |||
| + | Forwarding needs to be enabled at kernel level. | ||
| + | |||
| + | # sysctl -w net.ipv4.ip_forward=1 | ||
| + | |||
| + | If IPv6 is used: | ||
| + | |||
| + | # sysctl -w net.ipv6.conf.all.forwarding=1 | ||
cs/wireguard.1607944804.txt.gz · Last modified: 2020/12/14 11:20 by paolo_bolzoni
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
