wg show
wg-quick up wgx
wg-quick down wgx
apt install wireguard-tools
Requires Linux kernel 5.6 or later.
Both sides need their own independent keys.
wg genkey | tee >(wg pubkey)
For post-quantum safety you can also generate a PSK (pre-shared key). It must then be identical on both sides.
wg genpsk
This has to be done on both server and client.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
[Interface]
Address = 10.99.x.1/30 # this address is the tunnel address
ListenPort = 31037 # this port is the physical port that should be listened on.
PrivateKey = 6GcJf56i5dY30t7tyuGExlJFl/vkiYcyfvDrTJoevWg=
SaveConfig = false
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
#Name = XY
PublicKey = KSODnmNkJG+ASAirrpmZJhEHwnCNoa7fIhvBS/txJQY=
AllowedIPs = 192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24,192.168.14.0/24,192.168.15.0/24,10.98.3.0/30,10.99.3.2/32 # this is an example list of allowed ips taken from n02
[Interface]
Address = 10.99.x.2/30
PrivateKey = qEX8Ag5QmckFHRGX8Cg308N1XXzfp3VXE2MKYPlA2Eo=
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = 28b1ickTXZiU5XtZbsj6YJuzhkcJXrNP145C3MGBQS0=
AllowedIPs = 192.168.8.0/21,192.168.16.0/21,192.168.24.0/22,10.98.2.0/30,10.99.3.1/30,10.99.7.1/32 # this is a bit of a collapsed view of my home networks
Endpoint = 130.83.6.100:31037
PersistentKeepalive = 2
wg-quick up wgx
Run this on both server and client.
systemctl enable wg-quick@wgx
Don't forget to add the firewall rules!
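Added example (not part of the original page): a shell check that a wg-quick config is not accessible by group/other and that every [Peer] section carries a PresharedKey, the config key under which the output of wg genpsk is set. The function name audit_wg_conf and the sample config with placeholder keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a wg-quick config. The function name audit_wg_conf and
# the sample file below are constructed for illustration.
audit_wg_conf() {
    conf=$1; bad=0
    # Characters 5-10 of the ls mode string are the group/other bits; the file
    # holds PrivateKey, so they must all be "-" (wg-quick warns otherwise).
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $conf is accessible by group/other, run chmod 600"
        bad=1
    fi
    # Count [Peer] sections that have no PresharedKey line (key names are
    # matched case-insensitively, comments start with '#').
    missing=$(awk '
        function endsec() { if (inpeer && !psk) n++ }
        { sub(/#.*/, ""); line = tolower($0) }
        line ~ /^[ \t]*\[/ { endsec(); inpeer = (line ~ /^[ \t]*\[peer\]/); psk = 0; next }
        inpeer && line ~ /^[ \t]*presharedkey[ \t]*=/ { psk = 1 }
        END { endsec(); print n + 0 }' "$conf")
    if [ "$missing" -gt 0 ]; then
        echo "PSK: $missing [Peer] section(s) without PresharedKey"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: two peers, only the first carries a PSK; mode 644.
sample_dir=$(mktemp -d)
cat > "$sample_dir/wgx.conf" <<'EOF'
[Interface]
Address = 10.99.0.1/30
PrivateKey = <placeholder-private-key>
[Peer]
PublicKey = <placeholder-public-key-a>
PresharedKey = <placeholder-psk>   # output of wg genpsk
AllowedIPs = 10.99.0.2/32
[Peer]
PublicKey = <placeholder-public-key-b>
AllowedIPs = 10.99.0.6/32
EOF
chmod 644 "$sample_dir/wgx.conf"
audit_wg_conf "$sample_dir/wgx.conf" || echo "config needs fixing"
```

The function returns 0 only when both checks pass, so it can gate wg-quick up wgx in a deployment script.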