Wireguard
Wireguard is likely not installed by default:
apt install wireguard
Create a template /etc/wireguard/wg0.conf (the umask keeps the file readable only by root, since it will hold the private key):
umask 077 && printf "[Interface]\nPrivateKey = " | tee /etc/wireguard/wg0.conf > /dev/null
Generate the private key and append it to the template, then derive the matching public key from it (it is also saved to /etc/wireguard/publickey):
wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey | tee /etc/wireguard/publickey
Add IP addresses and endpoint information. In the [Interface] section of wg0.conf, add an RFC1918 address for the internal wg0 interface and the external UDP port on which to listen for peers:
Address = 10.x.x.x/28
ListenPort = xxxxx
Add a [Peer] section for each peer, with that peer's public key. AllowedIPs limits the source IP addresses accepted from the peer (and the destinations routed to it), so each peer gets its own /32:
[Peer]
PublicKey = xxxxx
AllowedIPs = 10.x.x.x/32
Enable Wireguard as a systemd unit:
systemctl enable wg-quick@wg0
This configuration works if one end of the tunnel is behind NAT. Enable persistent keepalive (PersistentKeepalive in the [Peer] section) on the device which is behind NAT, so the NAT mapping stays open. It is not required on the device with the public IP.
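As an added example (not from this page, and not WireGuard's own tooling), the following POSIX shell script writes both ends of the tunnel described above as wg-quick config files and lints them against the rules on this page: 0600 file mode, a PrivateKey line, AllowedIPs on every [Peer], and PersistentKeepalive on the end behind NAT. It assumes the NAT'd end is the one without a ListenPort, uses constructed placeholder keys, and the names write_wg_conf and lint_wg_conf are mine; the Endpoint line and the 25-second keepalive value are not on the page.

```shell
# Added example (not from the page): write both ends of the tunnel described above,
# then lint them. Keys are constructed placeholders, not real WireGuard keys; on a
# host they come from `wg genkey` / `wg pubkey` as shown on the page.

# write_wg_conf OUT PRIV ADDRESS LISTENPORT PEER_PUB ALLOWED [ENDPOINT] [KEEPALIVE]
# Empty LISTENPORT/ENDPOINT/KEEPALIVE are left out of the file.
write_wg_conf() {
    out=$1 priv=$2 addr=$3 port=$4 pub=$5 allowed=$6 endpoint=${7:-} keepalive=${8:-}
    (   umask 077   # subshell: file holds the private key, keep 0600 without touching caller's umask
        {
            printf '[Interface]\nPrivateKey = %s\nAddress = %s\n' "$priv" "$addr"
            if [ -n "$port" ]; then printf 'ListenPort = %s\n' "$port"; fi
            printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$allowed"
            if [ -n "$endpoint" ]; then printf 'Endpoint = %s\n' "$endpoint"; fi
            if [ -n "$keepalive" ]; then printf 'PersistentKeepalive = %s\n' "$keepalive"; fi
        } > "$out"
    )
}

# lint_wg_conf FILE: 0 if FILE follows this page's rules, else a reason on stderr and
# non-zero. Assumption: the end with no ListenPort is the one behind NAT, so it must
# know where to dial (Endpoint) and keep the NAT mapping alive (PersistentKeepalive).
lint_wg_conf() {
    f=$1
    case $(ls -l "$f" | cut -c1-10) in
        -rw-------) ;;
        *) echo "$f: must be mode 0600, it holds the private key" >&2; return 1 ;;
    esac
    if ! grep -q '^PrivateKey = ..*' "$f"; then echo "$f: PrivateKey missing" >&2; return 2; fi
    peers=$(grep -c '^\[Peer\]' "$f" || true)
    allowed=$(grep -c '^AllowedIPs = ' "$f" || true)
    if [ "$peers" -eq 0 ] || [ "$peers" -ne "$allowed" ]; then
        echo "$f: every [Peer] needs an AllowedIPs line" >&2; return 3
    fi
    if ! grep -q '^ListenPort = ' "$f"; then
        if ! grep -q '^Endpoint = ' "$f"; then echo "$f: NAT side needs Endpoint" >&2; return 4; fi
        if ! grep -q '^PersistentKeepalive = ' "$f"; then
            echo "$f: NAT side needs PersistentKeepalive" >&2; return 5
        fi
    fi
    return 0
}
# Demo: public-IP end listens, no keepalive; NAT end dials out with the 25 s keepalive
# that WireGuard's documentation suggests. Constructed addresses follow the page's layout.
WG_DIR=$(mktemp -d)
SRV_PRIV=PLACEHOLDER_SERVER_PRIVATE_KEY SRV_PUB=PLACEHOLDER_SERVER_PUBLIC_KEY
CLI_PRIV=PLACEHOLDER_CLIENT_PRIVATE_KEY CLI_PUB=PLACEHOLDER_CLIENT_PUBLIC_KEY
write_wg_conf "$WG_DIR/public.conf" "$SRV_PRIV" 10.0.0.1/28 51820 "$CLI_PUB" 10.0.0.2/32
write_wg_conf "$WG_DIR/nat.conf" "$CLI_PRIV" 10.0.0.2/28 "" "$SRV_PUB" 10.0.0.1/32 \
    vpn.example.invalid:51820 25
lint_wg_conf "$WG_DIR/public.conf" && lint_wg_conf "$WG_DIR/nat.conf" && echo "both configs pass"
```

Run it as root-free sanity check before copying a config to /etc/wireguard; the lint only reads the file, it never touches the interface.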