User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
gentoo:wireguard [2025/02/05 15:22] – [Port Forwarding] willygentoo:wireguard [2026/03/19 08:21] (current) – [Watchdog] willy
Line 1: Line 1:
-====== WireGuard ======+====== J) WireGuard ======
  
-[[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution...+[[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution which is quickly taking the place of OpenVPNSome of the strong key points of WireGuard are, beside a supposedly more secure implementation, the ease of setup and how it simply merge with the overall linux network management. 
 + 
 +WireGuard will create an encrypted and protected tunnel between hosts, where each host act as a peer. You need to have at least one host reachable from all the others, of course, but then WireGuard will create a common subnetwork on which all the hosts will see each other
  
 ===== Concepts ===== ===== Concepts =====
  
-network+You should be fmailiar with basic networking concepts like routing, subnets, addresses.  
 + 
 +A **subnet** is a portion of a network where all the hosts can ping each other without the need of a //gateway//. **Routing** is the act of sending out network packets from a specific network interface toward the destination of the packet. On a subnet, routing is always direct for hosts on the same subnet, otherwise routing happens trough a gateway. 
 + 
 +All VPNs work by creating an encrypted **tunnel** between it's peers. This tunnel needs to be initiated from one host to the other (or viceversa) and whatever traffic flows inside the tunnes is not intellegible to anyone else because it's, guess what, encrypted.
  
-tunnel+To perform the encryption at both ends, some encryption **keys** needs to be shared. The approach used by WireGuard is to use the private/public key pairs: each host has one private key (which is by definition, not shared) and public key (which is shared with all the other hosts). The private/public technology ensures that the identity of the host is verified because only the private key can encrypt what the public key can decrypt.
  
-keys 
  
 ===== Installation ===== ===== Installation =====
  
-You will also need **nftables** if you plan to do port-forwarding+These steps need to be followed on every host that participate in the WireGuard tunnel. 
 + 
 +Installing WireGuard on Gentoo is pretty easy since the latest release is always in portage, but you will also need [[gentoo:nft|nftables]] if you plan to do port-forwarding or any advanced networking:
 <code bash> <code bash>
 emerge -v net-vpn/wireguard-tools net-firewall/nftables emerge -v net-vpn/wireguard-tools net-firewall/nftables
 </code> </code>
 +
  
 Create local host private and public keys: Create local host private and public keys:
Line 22: Line 30:
 wg genkey > /etc/wireguard/privatekey wg genkey > /etc/wireguard/privatekey
 wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
 +chmod 500 /etc/wireguard/privatekey /etc/wireguard/publickey
 </code> </code>
 +
 +You will need these two keys for the configuration below.
  
 ===== Configuration ===== ===== Configuration =====
  
-Each WireGuard tunnel requires it's own configuration, usually called //wg0//, //wg1//...+WireGuard tunnel can connect two or more hosts. A tunnel is usually called **wg0** or **wg1** and so on. Each tunnel has it's own config file located at **/etc/wireguard/wg0.conf**Please note that the following instructions need to be applied to each host in the tunnel.
  
-So, create one file for each tunnel at **/etc/wireguard/wg0.conf**:+So, create the tunnel config at **/etc/wireguard/wg0.conf**:
 <file - wg0.conf> <file - wg0.conf>
 [Interface] [Interface]
-PrivateKey = << local private key >>+PrivateKey = << local host private key >>
 Address = 10.100.0.1/24 Address = 10.100.0.1/24
-ListenPort = << my port >> +ListenPort = << local host port >> 
  
 [Peer] [Peer]
-PublicKey = << remote end public key >> +PublicKey = << remote host public key >> 
-Endpoint = << peer public IP >>:<< peer port >> +Endpoint = << remote host public IP >>:<< remote host port >> 
-AllowedIPs = 10.100.0.2/24 # +AllowedIPs = 10.100.0.2/24 #
 PersistentKeepAlive = 25 PersistentKeepAlive = 25
 </file> </file>
  
 Where: Where:
-  * You can have as many peers as you need to connect to the local host+  * You can have as many peers as you need to connect to the local host, just create one [Peer] block for each one.
   * The //PrivateKey// is the __local host__ private key   * The //PrivateKey// is the __local host__ private key
-  * The //Address// is the __local host__ address on the tunnel subnetwork +  * The //Address// is the __local host__ address on the __tunnel subnetwork__ (usually, a new subnet you are not using already) 
-  * The //ListenPort// is the port on which the local host can be reached from the peers. This can be omitted if the local host is not reacheable from the peers, in this case the local hosts will connect to the peers.+  * The //ListenPort// is the port on which the local host can be reached from the remote hosts. This can be omitted if the local host is not reacheable from the remote hosts
   * The //PublicKey// is the __remote host__ public key   * The //PublicKey// is the __remote host__ public key
-  * The //Endpoint// is the peer __public__ IP, omit if the peer cannot be reached from the local host, in this case the peers will connect to the localhost. +  * The //Endpoint// is the remote host __public__ IP and __open port__, omit if the remote host cannot be reached from the local host 
-  * The //peer port// is the //ListenPort// of the peer +  * The //AllowedIPs// limits which hosts can send data to the **local** host, in case you have more than one machine connecting trough the remote host, for example
-  * The //AllowedIPs// limits which hosts can send data to the local host, in case you have more than one machine connecting trough the peer+
   * The //PersistentKeepAlive// is usefull to help keep the tunnel connected by sending a keekalive e forcing a reconnection.   * The //PersistentKeepAlive// is usefull to help keep the tunnel connected by sending a keekalive e forcing a reconnection.
  
-Each peer (hostconnecting to the WireGuard tunnel will need one of these files. If you have two hosts (tipycal setup), assume that you need two //wgX.conf// files, one located on each host. These pair of configuration files will need to symmetrical to each other.+Each host connecting to the WireGuard tunnel will need one of these files. These configuration files should usually be symmetrical to each other.
  
 Link the startup scripts and set it to start on boot: Link the startup scripts and set it to start on boot:
Line 61: Line 71:
 </code> </code>
  
-===== Port Forwarding =====+===== Watchdog =====
  
-For more details in NFTablessee [[[[gentoo:nft|here]].+In my experiencewhen the main router reboots or the internet connection is switched, the wireguard tunnel might hang up for a very long time. I am not sure why this happen, it shouldn't, specially with the //PersistentKeepAlive = 25// setting, but it does anyway
  
-I will assume that you have one **internal** host and one **external** host connected trough WireGuard tunnel, already setup like described above.+To ensure this doesn't happen, i have written a small OpenRC script that pings the Wireguard remote server and restart the wg-quick interface when the ping fails. Drop the following script as **/etc/init.d/tunnel-watchdog**
 +<file - tunnel-watchdog> 
 +#!/sbin/openrc-run
  
-The goal is having port **2022** of the external server redirect to port **22** of the internal server torugh the WireGuard tunnel so that you can SSH inside your internal server from outsideseamlessly.+description="Dead‑man switch: ping a hostrestart a service if ping fails"
  
-I assume your external server has an interface called **enp1s0**, it's WireGuard interface is **wg0** and the WireGuard subnet mask is 10.100.0.0/24, with 10.100.0.2 being the external server and 10.100.0.1 the internal server.+# The services you want to restart 
 +SERVICES="wg-quick.wg0 wg-quick.wg1" 
 +PING_HOST="10.70.0.2
 +LOG="/var/log/tunnel-watchdog.log" 
 +FAIL_COUNT_LIMIT=5 
 +PING_TIMEOUT=1 
 +PING_COUNT=1
  
-What we need: +restart_service() { 
-  * A dedicated table called **wg** +    for i in ${SERVICES} 
-  * A **prerouting** chain to apply DNAT to incoming packes on port 2022 to the wg tunnel port 22 +    do 
-  * A **postrouting** chain to ensure that all reply packets are properly SNAT back to outside+        einfo "Restarting $i" 
 +        /etc/init.d/$i restart 
 +    done 
 +}
  
-Create the wg table: +depend() { 
-<code bash> +    need net 
-nft add table ip wg +}
-</code>+
  
-Create the base chains:+start() { 
 +    ebegin "Starting tunnel-watchdog daemon" 
 +    echo $(date)" Starting tunnel watchdog on IP $PING_HOST"  >> ${LOG} 
 +    while : ; do 
 +        # Perform a quick ping.  -q quiet, -c N packets, -W T timeout 
 +        if ! ping -q -c ${PING_COUNT} -W ${PING_TIMEOUT} ${PING_HOST} >/dev/null 2>&1; then 
 +            fail_count=$((fail_count + 1)) 
 +            echo $(date)" Ping to ${PING_HOST} failed (attempt ${fail_count})" >> ${LOG} 
 +        else 
 +            fail_count=0 
 +        fi 
 + 
 +        # If we hit the threshold, restart 
 +        if [ "${fail_count}" -ge "${FAIL_COUNT_LIMIT}" ]; then 
 +            echo $(date)" Consecutive failures reached ${FAIL_COUNT_LIMIT}: restarting ${SERVICES}" >> ${LOG} 
 +            restart_service 
 +            fail_count=0 
 +        fi 
 + 
 +        # Wait a bit before the next check 
 +        sleep 5 
 +    done & 
 +    PID=$! 
 +    echo ${PID} > /var/run/tunnel-watchdog.pid 
 +    eend 0 
 +
 + 
 +stop() { 
 +    ebegin "Stopping ping‑restart daemon" 
 +    if [ -f /var/run/tunnel-watchdog.pid ]; then 
 +        PID=$(cat /var/run/tunnel-watchdog.pid) 
 +        kill -9 "${PID}" 2>/dev/null 
 +        rm /var/run/tunnel-watchdog.pid 
 +    else 
 +        eend 255 
 +    fi 
 +    eend 0 
 +
 +</file> 
 + 
 +Now make it executable add to the runlevel default and start it:
 <code bash> <code bash>
-nft 'add chain ip wg ssh-in { type nat hook prerouting priority -100 ; }' +chmod +x /etc/init.d/tunnel-whatchdog 
-nft 'add chain ip wg ssh-out { type nat hook postrouting priority 100 ; }'+rc-update add tunnel-whatchdog default 
 +/etc/init.d/tunnel-whatchdog start
 </code> </code>
  
-Create the SNAT return rule: +As a final note, don't forget to put log file **/var/log/tunnel-watchdog.log** in your logrotate facility. 
-<code bash>+ 
 + 
 +===== Remote access =====
  
-nft add rule ip wg prerouting tcp dport 2022 dnat to 10.70.0.1 dport 22 +There are tons of WireGuard tutorials online on how to use WireGuard to connect your mobile device securely to your home network, i do not plan to cover this topic here.
-nft add rule ip wg prerouting tcp dport 22 dnat to 10.70.0.+
  
-nft add rule ip wg postrouting ip daddr 10.70.0.1 masquerade 
  
-nft add ip wg prerouting 'dnat to tcp dport map { 2022 : 10.70.0.1 . 22 }'