Wireguard

https://www.wireguard.com

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks, and was designed with the goals of ease of use, high speed performance, and low attack surface.

The Arch Linux documentation may help when exploring WireGuard: https://wiki.archlinux.org/title/WireGuard

Also, you can speed up deployment with https://github.com/k4yt3x/wg-meshconf

Preparation

Subnets and public or private IP addresses:

  • LAN - 10.0.0.0/26
  • Wireguard mesh - 10.255.0.0/28
  • OpenVPN - 192.168.255.0/24
  • Wireguard endpoint A: 111.0.111.222:51820; 10.255.0.6
  • Wireguard endpoint B: 111.0.111.223:51820; 10.255.0.7
  • Wireguard endpoint C: 111.0.111.224:51820; 10.255.0.8
  • Wireguard endpoint D: 111.0.111.225:51820; 10.255.0.9

Installation

Rocky Linux 8.4

sudo find /lib/modules/$(uname -r) -type f -name wire*
modprobe -c
modprobe -c | grep wire
modprobe wireguard
uname -r
sudo dnf install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
dnf list available --disablerepo='*' --enablerepo=elrepo-kernel
sudo dnf --enablerepo=elrepo-kernel install kernel-ml
sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
df -hT
ls /boot/grub2/
ls -la /boot/grub2/
cat /etc/grub.d/00_header
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
uname -r
netstat -tulpn
sudo dnf install elrepo-release epel-release
lsmod
sudo dnf install kmod-wireguard wireguard-tools

Configuration

iptables -S
iptables -L --line-numbers
sudo dnf install iptables iptables-services
iptables -L --line-numbers
# accept WireGuard's UDP listen port, forward what arrives on wg0, and masquerade the mesh subnet out of wg0
sudo iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.255.0.0/28 -o wg0 -j MASQUERADE
# the redirect runs in the unprivileged shell, so `sudo cmd > file` fails; pipe through sudo tee instead
sudo iptables-save | sudo tee /etc/sysconfig/iptables
sudo systemctl enable --now iptables.service
sudo systemctl status iptables.service
netstat
cat /etc/sysconfig/iptables
# same reason: `sudo echo ... >> file` appends as the calling user; tee -a appends as root
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
sudo mkdir -p /etc/wireguard/helper/
# go+rx opens /etc/wireguard to every local user (the package default is 700);
# this is only acceptable because the private key and wg0.conf are made 600 further down
sudo chmod go+rx /etc/wireguard/
ls -la
ls -la /etc/wireguard/
ls -la /etc/wireguard/helper/
sudo chmod go+rx /etc/wireguard/
sudo chmod go+rx /etc/wireguard/helper/
ls -la /etc/wireguard/helper/
# private key to a file, public key derived from it in the same pipeline
# (tee creates the files with the umask, typically 644, so chmod 600 the private key afterwards)
sudo wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
# preshared key for the peers; `sudo wg genpsk > file` would fail because the redirect is not root
wg genpsk | sudo tee /etc/wireguard/zumpa-lichnakcz.psk
lsmod | grep wireguard
modprobe wireguard
ls -la /etc/wireguard/
# workaround used here: expose the elrepo kernel-ml module tree under the running kernel's name so modprobe finds wireguard
ln -s /lib/modules/5.15.12-1.el8.elrepo.x86_64/ /lib/modules/$(uname -r)
ls -la /lib/modules
modprobe wireguard
ip link add dev wg0 type wireguard
ip addr add 10.255.0.6/28 dev wg0
# `wg set` has no `address` option (the address was assigned with `ip addr` above); the valid form is:
wg set wg0 listen-port 51820 private-key /etc/wireguard/server_private.key
wg
cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key
# allowed-ips takes a comma-separated list with no spaces; the public key here is a placeholder
wg set wg0 peer 0000000000000000000000000000000000000000000= preshared-key /etc/wireguard/zumpa-lichnakcz.psk endpoint 111.0.111.222:51820 allowed-ips 10.0.0.0/26,10.255.0.0/28,192.168.255.0/24
cat /etc/wireguard/wg0.conf
cat > /etc/wireguard/wg0.conf <<"EOF"
[Interface]
Address = 10.255.0.6/28
# SaveConfig = true makes wg-quick rewrite this file on `down`, which drops these comments
SaveConfig = true
ListenPort = 51820
PrivateKey = 0000000000000000000000000000000000000000000=

# Keys are placeholders. All three peers claim the same AllowedIPs; WireGuard's
# cryptokey routing gives a prefix to the last peer that lists it, so the other
# two never receive traffic for it. Each peer needs a disjoint set, at least its
# own tunnel address as a /32.
[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.222:51820

[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.224:51820

[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.224:51820
EOF

ip route add 10.0.0.0/26 dev wg0
ip route add 10.255.0.0/28 dev wg0
ip route add 192.168.255.0/24 dev wg0
ip route add fd7b:d0bd:7a6e::/64 dev wg0

wg
ip route
wg showconf wg0
wg showconf wg0 > /etc/wireguard/wg0.conf
# the private key and wg0.conf (which embeds it) must not be world-readable; the public key needs no protection
sudo chmod 600 /etc/wireguard/{server_private.key,wg0.conf}
ip link set wg0 up
ip a s
ip route
vi /etc/wireguard/wg0.conf
iptables -S
sudo dnf install net-tools -y
netstat -tulpn
cat /etc/wireguard/zumpa-lichnakcz.psk
cat /etc/wireguard/server_public.key
cat /etc/wireguard/wg0.conf
wg-quick down wg0
wg-quick up wg0
ping 10.255.0.1
ip a s
wg-quick down wg0
wg-quick up wg0
cat /etc/sysconfig/iptables
iptables -S FORWARD
iptables -L --line-numbers FORWARD
iptables -L --line-numbers

# iptables -I takes the chain before the rule number; `-I 1 FORWARD` is rejected
sudo iptables -I FORWARD 1 -i wg0 -j ACCEPT
iptables -L --line-numbers FORWARD
iptables -L --line-numbers
sudo iptables -D FORWARD 7
iptables -L --line-numbers
netstat -tulp
netstat -tulpn
ip a s
wg-quick down wg0
sudo wg-quick up wg0
sudo systemctl enable --now wg-quick@wg0
systemctl status wg-quick@wg0.service
sudo wg-quick down wg0
systemctl status wg-quick@wg0.service
ip route
ping 10.0.0.20
ip a s
systemctl status wg-quick@wg0.service
systemctl stop wg-quick@wg0.service
systemctl status wg-quick@wg0.service
ip a s
systemctl start wg-quick@wg0.service
ip a s
systemctl status wg-quick@wg0.service
ping 10.255.0.1
iptables -S


wg-quick down wg0
vi /etc/wireguard/wg0.conf
wg-quick up wg0
ip a s
ping 10.255.0.5
cat /etc/wireguard/wg0.conf
cat /etc/wireguard/zumpa-lichnakcz.psk
ping 10.255.0.5
wg-quick down wg0
vi /etc/wireguard/wg0.conf

sudo iptables-save | sudo tee /etc/sysconfig/iptables
ip a s
cat /etc/wireguard/wg0.conf
wg-quick down wg0
vi /etc/wireguard/wg0.conf
wg-quick up wg0
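The three [Peer] blocks in the wg0.conf above list identical AllowedIPs, which cryptokey routing resolves in favour of the last peer only. The Python below is an added example, not part of these notes and not code from wireguard-tools or wg-meshconf: it parses a wg-quick style config, reports prefixes claimed by more than one peer, and generates one config per endpoint from the Preparation list with disjoint AllowedIPs. It goes beyond the page's four-node case in that each node may declare subnets routed behind it (here the LAN behind A and the OpenVPN subnet behind B, an assumption made for the example). Key strings, the preshared key and that route assignment are placeholders; real values come from `wg genkey`, `wg pubkey` and `wg genpsk`.

```python
"""Check and generate WireGuard mesh configs (added example, not the notes' own tooling).
Keys are placeholders shaped like the ones in the notes; real ones come from wg genkey/pubkey/genpsk."""
import ipaddress
from collections import defaultdict

# wg0.conf as written in the notes above (placeholder keys)
PAGE_CONF = """\
[Interface]
Address = 10.255.0.6/28
SaveConfig = true
ListenPort = 51820
PrivateKey = 0000000000000000000000000000000000000000000=

[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.222:51820
[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.224:51820
[Peer]
PublicKey = 0000000000000000000000000000000000000000000=
PresharedKey = 0000000000000000000000000000000000000000000=
AllowedIPs = 10.0.0.0/26, 10.255.0.0/28, 192.168.255.0/24
Endpoint = 111.0.111.224:51820
"""

# Endpoints and tunnel addresses from the Preparation list. "routes" (subnets
# reachable behind a node) is an assumption for this example, not stated in the notes.
MESH_NODES = {
    "A": {"endpoint": "111.0.111.222:51820", "tunnel_ip": "10.255.0.6", "routes": ["10.0.0.0/26"]},
    "B": {"endpoint": "111.0.111.223:51820", "tunnel_ip": "10.255.0.7", "routes": ["192.168.255.0/24"]},
    "C": {"endpoint": "111.0.111.224:51820", "tunnel_ip": "10.255.0.8", "routes": []},
    "D": {"endpoint": "111.0.111.225:51820", "tunnel_ip": "10.255.0.9", "routes": []},
}
# constructed placeholder keys: name -> (private, public). Not real key material.
DEMO_KEYS = {n: (f"priv{n}".ljust(43, "0") + "=", f"pub{n}".ljust(43, "0") + "=") for n in MESH_NODES}
DEMO_PSK = "psk".ljust(43, "0") + "="


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from wg-quick INI text; '#' comments are ignored."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))  # base64 '=' padding stays in value
            current[key] = value
    return interface, peers


def allowed_ips_conflicts(peers):
    """Map each prefix that overlaps a prefix of another peer to the sorted peer indexes involved.
    Exact duplicates and nested prefixes both count: either way one peer's entry shadows another's."""
    claims = []
    for idx, peer in enumerate(peers):
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                claims.append((ipaddress.ip_network(cidr, strict=False), idx))
    conflicts = defaultdict(set)
    for i, (net_a, idx_a) in enumerate(claims):
        for net_b, idx_b in claims[i + 1:]:
            if idx_a == idx_b or net_a.version != net_b.version:
                continue
            if net_a.overlaps(net_b):
                conflicts[str(net_a)].update((idx_a, idx_b))
                conflicts[str(net_b)].update((idx_a, idx_b))
    return {prefix: sorted(idxs) for prefix, idxs in conflicts.items()}


def build_mesh_configs(nodes, keys, psk, prefix_len=28, listen_port=51820):
    """One wg-quick config per node. Every peer gets only its own tunnel /32 plus the
    subnets declared behind it, so AllowedIPs are disjoint by construction."""
    configs = {}
    for name, node in nodes.items():
        lines = ["[Interface]", f"Address = {node['tunnel_ip']}/{prefix_len}",
                 f"ListenPort = {listen_port}", f"PrivateKey = {keys[name][0]}", ""]
        for other, peer in nodes.items():
            if other == name:
                continue
            allowed = ", ".join([f"{peer['tunnel_ip']}/32"] + list(peer.get("routes", [])))
            lines += ["[Peer]", f"# {other}", f"PublicKey = {keys[other][1]}", f"PresharedKey = {psk}",
                      f"AllowedIPs = {allowed}", f"Endpoint = {peer['endpoint']}",
                      "PersistentKeepalive = 25", ""]  # keepalive helps peers behind stateful firewalls
        configs[name] = "\n".join(lines)
    return configs


if __name__ == "__main__":
    _, page_peers = parse_wg_conf(PAGE_CONF)
    print("conflicts in the notes' wg0.conf:", allowed_ips_conflicts(page_peers))
    print(build_mesh_configs(MESH_NODES, DEMO_KEYS, DEMO_PSK)["A"])
```

Running the script reports every prefix of the page's config as claimed by peers 0, 1 and 2, then prints the generated config for endpoint A, whose peers B, C and D each carry a distinct /32 (plus 192.168.255.0/24 behind B). The same `allowed_ips_conflicts` check can be run over `wg showconf wg0` output before enabling `wg-quick@wg0`.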

Backup and restore

# Backups

# Restore

From Zero to Hero

me

My name is Adam Lichonvsky and I'm a proud father and researcher.