fachinformatiker-wiki

it's easy when it's here

linux:vpn:wireguard

Differences

This shows you the differences between two versions of the page.

linux:vpn:wireguard [2023/04/01 17:02] adminlinux:vpn:wireguard [2024/02/25 14:28] (current) gsys
Line 3: Line 3:
 ===== Installation ===== ===== Installation =====
  
-<code bash>+<code>
 sudo apt update sudo apt update
 sudo apt install wireguard wireguard-tools sudo apt install wireguard wireguard-tools
Line 12: Line 12:
 ==== Server ==== ==== Server ====
 create private key and remove permissions for any one other than root create private key and remove permissions for any one other than root
-<code bash>+<code>
 wg genkey | sudo tee /etc/wireguard/private.key wg genkey | sudo tee /etc/wireguard/private.key
 sudo chmod go= /etc/wireguard/private.key sudo chmod go= /etc/wireguard/private.key
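Review bot: In the Server key block, `wg genkey | sudo tee /etc/wireguard/private.key` creates the key file under the default umask and prints the private key to the terminal; the permissions are only tightened by the `sudo chmod go=` line that follows. Since this change already touches the block, set `umask 077` in the root shell before generating the key and send the output of `tee` to /dev/null, so the file never exists with wider permissions and the key does not end up in terminal scrollback.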
Line 18: Line 18:
  
 create public key create public key
-<code bash>+<code>
 sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
 </code> </code>
  
-<code bash>+<code>
 sudo nano /etc/wireguard/wg0.conf sudo nano /etc/wireguard/wg0.conf
 </code> </code>
  
-FIXME 
 <code bash> <code bash>
 [Interface] [Interface]
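Review bot: In this hunk the shell command blocks lose their `bash` tag, while the block that starts at `[Interface]` keeps `<code bash>` even though it holds wg0.conf content, which is INI-style configuration and not shell. Keep `<code bash>` on the command blocks and tag the configuration block as `<code ini>` (or plain `<code>`), so the highlighting matches the content.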
Line 33: Line 32:
 ListenPort = 51820 ListenPort = 51820
 SaveConfig = false SaveConfig = false
-PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
-PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 
  
 [Peer] [Peer]
Line 64: Line 61:
 ==== Inter-Client Communication ==== ==== Inter-Client Communication ====
  
-FIXME+IPv4 Packet Forwarding aktivieren 
 +<code> 
 +sudo sysctl -w net.ipv4.ip_forward=1                       # IPv4 Packet Forwarding aktivieren 
 +sudo sysctl -p                                             # Änderung anwenden 
 +</code> 
 + 
 +Kommunikation wg0 <-> wg0 erlauben 
 +<code> 
 +sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT           # ans Ende der chain (append) 
 +sudo iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT           # an den Anfand der Chain 
 +</code> 
 + 
 +==== Internetzugriff ==== 
 + 
 +Server 
 +IPv4/IPv6 Packet Forwarding aktivieren 
 +<code> 
 +sudo sysctl -w net.ipv4.ip_forward=1                       # IPv4 Packet Forwarding aktivieren 
 +sudo sysctl -w net.ipv6.ip_forward=1                       # IPv4 Packet Forwarding aktivieren 
 +sudo sysctl -p                                             # Änderung anwenden 
 +</code> 
 + 
 +Server 
 +<code bash> 
 +[Interface] 
 +PrivateKey = <private key server> 
 +Address = 10.1.2.254/32 
 +ListenPort = 51820 
 +SaveConfig = false 
 +PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
 +PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 
 + 
 +[Peer] 
 +PublicKey = <public key client> 
 +AllowedIPs = 10.1.2.1/32 
 +</code> 
 + 
 +Client 
 +<code bash> 
 +[Interface] 
 +PrivateKey = <private key client> 
 +Address = 10.1.2.1/32 
 +DNS = 10.1.2.254 #, 1.1.1.1 
 + 
 +[Peer] 
 +PublicKey = <public key server> 
 +AllowedIPs = 0.0.0.0/0, ::/0 
 +Endpoint = vpn.example.com:51820 
 +PersistentKeepalive = 25 
 +</code> 
 + 
 +==== DNS-Suffix und Suchliste ==== 
 + 
 +Client interface Anpassen 
 +<code bash> 
 +[Interface] 
 +PrivateKey = <private key client> 
 +Address = 10.1.2.1/32 
 +DNS = 10.1.2.254, lab.local, wg0.lab.local 
 + 
 +[Peer] 
 +PublicKey = <public key server> 
 +AllowedIPs = 0.0.0.0/0, ::/0 
 +Endpoint = vpn.example.com:51820 
 +PersistentKeepalive = 25 
 +</code> 
 + 
 +==== Windows Client ====
  
 <code> <code>
-sudo sysctl -w net.ipv4.ip_forward=1 +wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf" 
-sudo sysctl -p +wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf.dpapi" 
-sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT           #ans Ende der chain (append) +wireguard /installmanagerservice 
-sudo iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT           #an den Anfand der Chain+wireguard /uninstallmanagerservice 
 +wireguard /update 2> C:\path\to\update\log.txt
 </code> </code>
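Review bot: In the Internetzugriff server block, `sudo sysctl -w net.ipv6.ip_forward=1` uses a key that does not exist; IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding`, and the trailing comment on that line still says IPv4. In both sysctl blocks, `sudo sysctl -p` does not apply or persist the `-w` change: it reloads /etc/sysctl.conf, so the setting is lost at reboot unless it is written to that file or to a file under /etc/sysctl.d/. The `PostUp`/`PostDown` lines add IPv4 iptables rules only, while the client sends `::/0` into the tunnel and neither side has an IPv6 address, so the page should either add the IPv6 addressing and matching ip6tables rules or state that IPv6 is deliberately not forwarded. In the Inter-Client block, the `-A` and `-I` lines are alternatives; running both as written inserts the same rule twice.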
linux/vpn/wireguard.1680361353.txt.gz · Last modified: 2024/02/17 19:03 (external edit)