====== Setting up Standalone S2S-VPN Wireguard ======

===== Getting WG status =====

<code bash>
wg show
</code>

==== Starting/Stopping WG ====

<code bash>
wg-quick up wgx
wg-quick down wgx
</code>

''wgx'' is the interface name; wg-quick reads its settings from ''/etc/wireguard/wgx.conf''.

===== Installing WG =====

<code bash>
apt install wireguard-tools
</code>

Requires Linux kernel 5.6 or newer (WireGuard is in-tree from that version on).

===== Generating Keys =====

Both sides need their own, independent key pair. The following prints the private key and then the derived public key:

<code bash>
wg genkey | tee >(wg pubkey)
</code>

For post-quantum resistance you can additionally generate a pre-shared key (PSK). It must then be identical on both sides:

<code bash>
wg genpsk
</code>

===== Configuration =====

==== "Server" config ====

<code ini>
[Interface]
Address = 10.99.x.1/30       # this address is the tunnel address
ListenPort = 31037           # this port is the port that should be listened on
PrivateKey = 6GcJf56i5dY30t7tyuGExlJFl/vkiYcyfvDrTJoevWg=
# PresharedKey =             # optional
PostUp = iptables -A FORWARD -i %i -j ACCEPT    # commands here get executed on tunnel up, useful for firewall config for example
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
#Name = XY
PublicKey = KSODnmNkJG+ASAirrpmZJhEHwnCNoa7fIhvBS/txJQY=
AllowedIPs = 192.168.11.0/24, 10.99.x.2/32   # IP space of the client that is allowed to be routed through, plus the client's own tunnel address
</code>

==== "Client" config ====

<code ini>
[Interface]
Address = 10.99.x.2/30
#ListenPort = 51820          # If ListenPort is not set, a random port is chosen. For a client behind NAT, for example, this is not needed.
PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=
#PresharedKey =              # optional
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
AllowedIPs = 0.0.0.0/0       # this means everything is routed. For a split tunnel, only route certain subnets.
Endpoint = 130.83.6.100:31037   # This client will reach out to the hardcoded endpoint. It can be specified on both sides.
PersistentKeepalive = 25     # Send a keepalive packet every 25s
</code>

==== Starting WG ====

<code bash>
wg-quick up wgx
</code>

==== Always start WG ====

<code bash>
systemctl enable wg-quick@wgx
</code>

==== Routing ====

:!: Don't forget to add the firewall rules! Forwarding traffic between the two sites also requires IP forwarding (''net.ipv4.ip_forward=1'') on both gateways.
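As an added example (not part of this wiki page or of the WireGuard project), a small linter for the wg-quick config files shown in the Configuration section: it parses the INI-style file, checks that every key is a valid 32-byte base64 value, and flags a peer with no PresharedKey (no post-quantum resistance) or with a full-tunnel ''AllowedIPs = 0.0.0.0/0''. The sample config is constructed, with all-zero placeholder keys.

```python
import base64
import ipaddress
import re

# Constructed sample in the shape of this page's "client" config; keys are all-zero placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.99.1.2/30
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0   # full tunnel, as in the page's client example
"""

def parse_wg_conf(text):
    """Parse a wg-quick style INI file into [(section, {key: value}), ...] in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"#.*", "", raw).strip()  # wg-quick discards everything after '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value
    return sections

def key_ok(b64):
    """Curve25519 keys and PSKs are exactly 32 bytes, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_wg_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, kv in parse_wg_conf(text):
        for k in ("PrivateKey", "PublicKey", "PresharedKey"):
            if k in kv and not key_ok(kv[k]):
                findings.append(f"{name}: {k} is not a valid 32-byte base64 key")
        if name == "Peer":
            if "PresharedKey" not in kv:
                findings.append("Peer: no PresharedKey, so no post-quantum resistance")
            for cidr in (c.strip() for c in kv.get("AllowedIPs", "").split(",") if c.strip()):
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(f"Peer: AllowedIPs {cidr} routes all traffic (full tunnel)")
    return findings
```

Run ''lint_wg_conf(open("/etc/wireguard/wgx.conf").read())'' on a real file to check it before ''wg-quick up''.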