
Wireguard

Intro to wireguard
The missing wireguard documentation

https://www.procustodibus.com/blog/2020/10/wireguard-topologies/ Wireguard Topologies
https://sloonz.github.io/posts/wireguard-beyond-basic-configuration/

Management:
- User and Device Management
- Wireguard User Management
- https://www.wirehub.org/
- https://github.com/IAmStoxe/wirehole
- https://serverfault.com/questions/1101002/wireguard-client-addition-without-restart add client without restarting service
- https://github.com/NHAS/wag

Setup

Generate Keys:

# generate server keys
wg genkey | tee server-private.key | wg pubkey > server-public.key
# generate client keys
wg genkey | tee client-private.key | wg pubkey > client-public.key
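What `wg pubkey` actually does is an X25519 scalar multiplication of the (clamped) private key with the base point u=9 (RFC 7748). The following is an added example, not part of these notes or of wireguard-tools: a pure-Python (standard library only) reimplementation that derives the public key from a base64 `PrivateKey` value and can be used to check that the `PublicKey` a server lists in a `[Peer]` block really belongs to the private key in the client's config. A mismatched pair is one of the most common reasons for "no handshake" and is invisible in the configs themselves. The function names (`public_key`, `keypair_matches`, `generate_private_key`) are this example's own.

```python
"""Derive and verify WireGuard key pairs in pure Python (added example).

Reproduces what `wg pubkey` computes: X25519(clamped private key, 9) per
RFC 7748. Intended as a verification tool for configs, not as a production
X25519 implementation (no constant-time guarantees).
"""
import base64
import os

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytearray) -> bytearray:
    # RFC 7748 clamping; `wg genkey` already stores keys in this form.
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k


def _decode_scalar(k: bytes) -> int:
    return int.from_bytes(_clamp(bytearray(k)), "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # the top bit of the u-coordinate is ignored
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte result."""
    scalar = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_b64: str) -> str:
    """Base64 PrivateKey (as written in the config) -> base64 PublicKey."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def generate_private_key() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64-encoded."""
    raw = _clamp(bytearray(os.urandom(32)))
    return base64.b64encode(bytes(raw)).decode()


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """True if the PublicKey a server lists for a peer belongs to this PrivateKey."""
    return public_key(private_b64) == public_b64


if __name__ == "__main__":
    priv = generate_private_key()
    print("PrivateKey =", priv)
    print("PublicKey  =", public_key(priv))
```

Run it with a client's `PrivateKey` and the matching server-side `PublicKey` to confirm they pair up before chasing firewall or routing problems.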

Example Configs

Route to self and others on the internal network:

AllowedIPs = 10.0.0.1/24

Route to self only:

AllowedIPs = 10.0.0.1/32

Route to the whole internet:

AllowedIPs = 0.0.0.0/0,::/0

Route to self and specific peer:

AllowedIPs = 10.0.0.3/32,10.0.0.4/32

Direct Connect

Client Config:

[Interface]
# Name: Client 1  (keep labels in comments; Name is not a valid key and `wg setconf` rejects unrecognized lines)
Address = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128
DNS = 10.200.100.1, fd43:6666:9dc1:70b7::3
PrivateKey = [from key]

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example.com:51820 #public-server2.example-vpn.dev:51820
PersistentKeepalive = 25
PublicKey = zBFeSr+t+Rw3n9Dh7io+XkDWoBnzDPrWiEwDEl1poxU=

Server Config:

[Interface]
Address = 10.200.100.1/24, fd43:6666:9dc1:70b7::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward-only alternative (no MASQUERADE): PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = [from key]

# bk201 (peer labels go in comments; Name is not a valid key and `wg setconf` rejects it)
[Peer]
PublicKey = XIfHCt6PgYJbcL7coxVlBTkmP8BGDm4MVhZJOEU/Tzo=
AllowedIPs = 10.200.100.2/32, fd43:6666:9dc1:70b7::2/128  # the client's tunnel address: the server only routes these destinations to this peer and only accepts these source addresses from it

# Android
[Peer]
PublicKey = s/eJ5huy5FjbCcMQ5+zz+Lw9nSsbcpwpCJ5DiIvC6g4=
AllowedIPs = 10.200.100.3/32, fd43:6666:9dc1:70b7::3/128  # the client's tunnel address

# Docker
[Peer]
PublicKey = LQOFb+BpnPFotBDGZcDrFtnruBjmZmrDZZLrRI67O0c=
AllowedIPs = 10.200.100.4/32, fd43:6666:9dc1:70b7::4/128  # the client's tunnel address

# Windows
[Peer]
PublicKey = 6IQ/3J8hNe2zl74UaLTUZNUcNNh64R7d3m4CS+ncqRo=
AllowedIPs = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128  # the client's tunnel address
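On the server side, AllowedIPs is what WireGuard's cryptokey routing uses to decide which peer may send from, and which peer receives traffic for, a given prefix, and each prefix has exactly one owner: if two `[Peer]` blocks claim the same address (a copy-paste error when adding the fourth client above is easy), the kernel silently reassigns it to the peer loaded last and the other peer loses connectivity. The following is an added example, not from these notes or from wireguard-tools: a small checker that parses a server config the way `wg(8)` reads it (repeated sections, `#` comments stripped, inline too), normalizes every AllowedIPs entry (so the `10.0.0.1/24` form from the "Example Configs" section becomes `10.0.0.0/24`), and reports prefixes that overlap between different peers. The embedded config is constructed for the example, with placeholder keys; `parse_wg_config`, `peer_allowed_ips`, `find_conflicts` and `check_config` are this example's own names.

```python
"""Detect AllowedIPs conflicts between peers in a WireGuard server config (added example)."""
import ipaddress

# Constructed sample config; keys are placeholders, not real keys.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.200.100.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

# bk201
[Peer]
PublicKey = PEER1_PUBKEY_PLACEHOLDER
AllowedIPs = 10.200.100.2/32  # this peer's tunnel address

# Android
[Peer]
PublicKey = PEER2_PUBKEY_PLACEHOLDER
AllowedIPs = 10.200.100.3/32

# Docker (misconfigured: the Android address was copy-pasted)
[Peer]
PublicKey = PEER3_PUBKEY_PLACEHOLDER
AllowedIPs = 10.200.100.3/32, 192.168.50.0/24

# Laptop (too broad: its /16 swallows the Docker peer's /24)
[Peer]
PublicKey = PEER4_PUBKEY_PLACEHOLDER
AllowedIPs = 10.200.100.5/32, 192.168.0.0/16
"""


def parse_wg_config(text):
    """Return [(section_name, {key: [values]})], keeping repeated sections in order."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # wg drops everything after '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unrecognized line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[1].setdefault(key, []).append(value)
    return sections


def peer_allowed_ips(sections):
    """Map each peer's PublicKey to its AllowedIPs as normalized ip_network objects."""
    peers = {}
    for name, kv in sections:
        if name != "Peer":
            continue
        key = kv.get("PublicKey", ["<missing PublicKey>"])[0]
        nets = []
        for value in kv.get("AllowedIPs", []):
            for item in value.split(","):
                item = item.strip()
                if item:
                    # strict=False masks host bits: 10.0.0.1/24 -> 10.0.0.0/24, as the kernel does
                    nets.append(ipaddress.ip_network(item, strict=False))
        peers.setdefault(key, []).extend(nets)
    return peers


def find_conflicts(peers):
    """Return [(peer_a, net_a, peer_b, net_b)] for every overlap between two different peers."""
    conflicts = []
    items = [(k, n) for k, nets in peers.items() for n in nets]
    for i, (ka, na) in enumerate(items):
        for kb, nb in items[i + 1:]:
            if ka != kb and na.version == nb.version and na.overlaps(nb):
                conflicts.append((ka, na, kb, nb))
    return conflicts


def check_config(text):
    return find_conflicts(peer_allowed_ips(parse_wg_config(text)))


if __name__ == "__main__":
    for ka, na, kb, nb in check_config(SAMPLE_SERVER_CONF):
        print(f"CONFLICT: {ka} {na} overlaps {kb} {nb}")
```

Run `check_config` over the real server file before `wg syncconf`; an empty result means every prefix has a single owner.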

Direct Connect with local IP access

Splitting 0.0.0.0/0 into 0.0.0.0/1 and 128.0.0.0/1 (and ::/0 into ::/1 and 8000::/1) covers exactly the same destinations, but wg-quick only applies its special default-route handling (policy-routing rules and fwmark) to an AllowedIPs entry ending in /0; the /1 entries are installed as ordinary routes, so the client's more specific local routes (its LAN /24, for example) keep winning by longest-prefix match.
[Interface]
PrivateKey = [from key]
Address = 10.200.100.5/32, fd43:6666:9dc1:70b7::5/128
DNS = 10.200.100.1, fd43:6666:9dc1:70b7::1

[Peer]
PublicKey = zBFeSr+t+Rw3n9Dh7io+XkDWoBnzDPrWiEwDEl1poxU=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = [SERVER_IP]:51820
PersistentKeepalive = 25
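To see why the two /1 halves work, the following added example (not part of these notes) checks that the split prefixes still collapse to the whole address space and then runs a minimal longest-prefix route lookup over a constructed routing table holding the tunnel's /1 routes next to an assumed LAN route. The device names `wg0`/`eth0`, the LAN prefixes and the function names `covers_default`, `lookup` and `routing_table` are this example's assumptions.

```python
"""Route selection with the 0.0.0.0/1 + 128.0.0.0/1 AllowedIPs split (added example)."""
import ipaddress

# The client AllowedIPs from the config above.
CLIENT_ALLOWED_IPS = ["0.0.0.0/1", "128.0.0.0/1", "::/1", "8000::/1"]

# Assumed local networks reachable on the physical interface.
ASSUMED_LAN_PREFIXES = ["192.168.1.0/24", "fd00:1::/64"]


def covers_default(prefixes, version):
    """True if the prefixes of the given IP version collapse to the whole address space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    nets = [n for n in nets if n.version == version]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def routing_table(allowed_ips, lan_prefixes):
    """Constructed table: tunnel routes via wg0 beside LAN routes via eth0."""
    return [(p, "wg0") for p in allowed_ips] + [(p, "eth0") for p in lan_prefixes]


def lookup(dest, routes):
    """Longest-prefix match, as the kernel does: return the device for dest or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    table = routing_table(CLIENT_ALLOWED_IPS, ASSUMED_LAN_PREFIXES)
    print("covers all IPv4:", covers_default(CLIENT_ALLOWED_IPS, 4))
    print("covers all IPv6:", covers_default(CLIENT_ALLOWED_IPS, 6))
    for dest in ["192.168.1.20", "1.1.1.1", "fd00:1::5", "2001:db8::1"]:
        print(f"{dest:>14} -> {lookup(dest, table)}")
```

Addresses inside the LAN prefixes resolve to eth0 and everything else to wg0, which is the behaviour the config above is after.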

As a Proxy

A WireGuard client that exposes itself as a SOCKS5 proxy or as local port tunnels, without needing a kernel interface.

Debugging connection issues