update wireguard documentation, fix install, add example for server

2021-05-16 21:45:43 +02:00 · 2021-05-16 21:45:43 +02:00 · 6395c26baa
parent f73a2145b0
commit 6395c26baa
5 changed files with 44 additions and 24 deletions
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -93,6 +93,8 @@ base_applications() {
        vpnc \
        vpnc-scripts \
        wireguard \
+        wireguard-dkms \
+        wireguard-tools \
        zip \
        --no-install-recommends

--- a/wireguard/README.org
+++ b/wireguard/README.org
@ -10,33 +10,28 @@

   Cheat Sheet: https://gist.github.com/chrisswanda/88ade75fc463dcf964c6411d1e9b20f4

-*** Setup the Interface
+   Replace ~wg0~ with an interface name for the VPN connection, e.g. ~homeoffice~ or ~mycloud~

-   #+begin_src bash
-     # ip link add dev wg0 type wireguard
-     # ip address add dev wg0 10.1.0.2/24
-     # ip address add dev wg0 10.1.0.2 peer 10.1.0.1
-   #+end_src
+   Tutorial with best Explaination: https://medium.com/tangram-visions/what-they-dont-tell-you-about-setting-up-a-wireguard-vpn-46f7bd168478

 *** Create Keys

    #+begin_src bash
      $ umask 077
-      $ wg genkey > privatekey
-      $ wg pubkey < privatekey > publickey
-    #+end_src
-
-    or just
-
-    #+begin_src bash
      $ wg genkey | tee privatekey | wg pubkey > publickey
    #+end_src

-*** Add Peer To Server
+*** Setup the Interface
+
+   #+begin_src bash
+     # sudo wg-quick up wg.conf.example
+   #+end_src
+
+*** Add Peer 

    #+begin_src bash
      # add peer
-      wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32
+      wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32 persistent-keepalive 25

      # verify connection
      wg
--- a/wireguard/wg-client.conf.example
+++ b/wireguard/wg-client.conf.example
@ -0,0 +1,15 @@
+[Interface]
+Address = 10.x.x.x/32
+PostUp = wg set %i private-key /etc/wireguard/private-key-for-this-vpn
+
+# immediately test connection to the public (bounce) host
+PostUp = ping -c1 10.0.0.1
+
+[Peer]
+PublicKey = 
+Endpoint = 
+AllowedIPs = 10.0.0.0/24
+
+# if this client is behind a NAT and
+# other clients should be able to connect
+PersistentKeepalive = 25
--- a/wireguard/wg-server.conf.example
+++ b/wireguard/wg-server.conf.example
@ -0,0 +1,17 @@
+[Interface]
+Address = 10.0.0.1/24
+SaveConfig = true
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
+ListenPort = <some-high port>
+PrivateKey = <here-comes-your-server-private-key>
+
+[Peer]
+# client 1
+PublicKey = <client1-public-key>
+AllowedIPs = 10.0.0.2/32
+
+[Peer]
+# client 2
+PublicKey = <client2-public-key>
+AllowedIPs = 10.0.0.3/32
--- a/wireguard/wg.conf.example
+++ b/wireguard/wg.conf.example
@ -1,9 +0,0 @@
-[Interface]
-PrivateKey = 
-Address = 10.x.x.x/24
-
-[Peer]
-PublicKey = 
-Endpoint = 
-AllowedIPs = 10.x.x.x/32
-PersistentKeepalive = 25