Julian Lemmerich's Homenetwork wiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Zuletzt angesehen:
knowledge_base:useful_software:s2svpn_wg

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

Link zu der Vergleichsansicht

Beide Seiten, vorherige ÜberarbeitungVorherige Überarbeitung
Nächste Überarbeitung		Vorherige Überarbeitung
knowledge_base:useful_software:s2svpn_wg [2021/09/11 20:25] – [server config] - corrected error julian.lemmerichknowledge_base:useful_software:s2svpn_wg [2024/11/21 17:40] (aktuell) – add PSK julian.lemmerich
Zeile 18: Zeile 18:
  
 <code bash> <code bash>
-apt install wireguard+apt install wireguard-tools
 </code> </code>
  
-https://github.com/mjtechguy/wireguard-site-to-site+Benötigt Linux Kernel 5.6 oder höher.
  
-==== enable ip forwarding ====+===== Generating Keys =====
  
-((https://linuxhint.com/enable_ip_forwarding_ipv4_debian_linux/))+Beide seiten benötigen unabhängige Keys.
  
-this has to be done on both server and client.+<code> 
 +wg genkey | tee >(wg pubkey) 
 +</code>
  
-<file bash /etc/sysctl.conf> +Für Post-Quanten-Sicheres stuff kann man auch einen PSK generierenDieser muss auf beiden Seiten dann identisch sein.
-# Uncomment the next line to enable packet forwarding for IPv4 +
-net.ipv4.ip_forward=1+
  
-# Uncomment the next line to enable packet forwarding for IPv6 +<code> 
-#  Enabling this option disables Stateless Address Autoconfiguration +wg genpsk 
-#  based on Router Advertisements for this host +</code>
-net.ipv6.conf.all.forwarding=1 +
-</file>+
  
-==== server config ====+===== Configuration =====
  
-<file bash /etc/wireguard/wgx.conf>+==== "Server" config ==== 
 + 
 +<file /etc/wireguard/wgx.conf>
 [Interface] [Interface]
 Address = 10.99.x.1/30               # this address is the tunnel address Address = 10.99.x.1/30               # this address is the tunnel address
-ListenPort = 31037                   # this port is the physical port that should be listened on.+ListenPort = 31037                   # this port is the port that should be listened on.
 PrivateKey = 6GcJf56i5dY30t7tyuGExlJFl/vkiYcyfvDrTJoevWg= PrivateKey = 6GcJf56i5dY30t7tyuGExlJFl/vkiYcyfvDrTJoevWg=
-SaveConfig false+# PresharedKey <psk>               # optional
  
-PostUp = iptables -A FORWARD -i %i -j ACCEPT+PostUp = iptables -A FORWARD -i %i -j ACCEPT       # commands here get executed on tunnel up, useful for firewall config for example
 PostDown = iptables -D FORWARD -i %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT
    
Zeile 54: Zeile 54:
 #Name = XY #Name = XY
 PublicKey = KSODnmNkJG+ASAirrpmZJhEHwnCNoa7fIhvBS/txJQY= PublicKey = KSODnmNkJG+ASAirrpmZJhEHwnCNoa7fIhvBS/txJQY=
-AllowedIPs = 192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24,192.168.14.0/24,192.168.15.0/24,10.98.3.0/30,10.99.3.2/32 this is an example list of allowed ips taken from n02+AllowedIPs = 192.168.11.0/24         IP-Space of the Client that is allowed to be routed through.
 </file> </file>
  
-==== client conf ====+==== "Client" conf ====
  
-<file bash /etc/wireguard/wgx.conf>+<file /etc/wireguard/wgx.conf>
 [Interface] [Interface]
 Address = 10.99.x.2/30 Address = 10.99.x.2/30
 +#ListenPort = 51820                  # If ListenPort is not set, a random port is chosen. For example for a Client behind NAT this is not needed
 PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo= PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=
 +#PresharedKey = <psk>                # optional
  
 PostUp = iptables -A FORWARD -i %i -j ACCEPT PostUp = iptables -A FORWARD -i %i -j ACCEPT
Zeile 69: Zeile 71:
 [Peer] [Peer]
 PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0= PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
-AllowedIPs = 192.168.8.0/21,192.168.16.0/21,192.168.24.0/22,10.98.2.0/30,10.99.3.1/30,10.99.7.1/32   # this is a bit of a collapsed view of my home networks +AllowedIPs = 0.0.0.0/              # this means everything is routed. For split tunnel, only route certain subnets. 
-Endpoint = 130.83.6.100:31037 +Endpoint = 130.83.6.100:31037        # This Client will reach out to the hardcoded Endpoint. It can be specified on both sides. 
-PersistentKeepalive = 2+PersistentKeepalive = 25             # Send a keepalive packet every 25s
 </file> </file>
  
Zeile 81: Zeile 83:
  
 ==== always start wg ==== ==== always start wg ====
- 
-on both server and client 
  
 <code> <code>
/app/www/public/data/attic/knowledge_base/useful_software/s2svpn_wg.1631384756.txt.gz · Zuletzt geändert: 2021/09/24 19:10 (Externe Bearbeitung)

Seiten-Werkzeuge

Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki