User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
gentoo:wireguard [2025/02/05 15:49] – [Port Forwarding] willygentoo:wireguard [2025/03/13 13:26] (current) – [WireGuard] willy
Line 1: Line 1:
-====== WireGuard ======+====== J) WireGuard ======
  
-[[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution...+[[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution which is quickly taking the place of OpenVPNSome of the strong key points of WireGuard are, beside a supposedly more secure implementation, the ease of setup and how it simply merge with the overall linux network management. 
 + 
 +WireGuard will create an encrypted and protected tunnel between hosts, where each host act as a peer. You need to have at least one host reachable from all the others, of course, but then WireGuard will create a common subnetwork on which all the hosts will see each other
  
 ===== Concepts ===== ===== Concepts =====
  
-network+You should be fmailiar with basic networking concepts like routing, subnets, addresses. 
  
-tunnel+A **subnet** is a portion of a network where all the hosts can ping each other without the need of a //gateway//. **Routing** is the act of sending out network packets from a specific network interface toward the destination of the packet. On a subnet, routing is always direct for hosts on the same subnet, otherwise routing happens trough a gateway. 
 + 
 +All VPNs work by creating an encrypted **tunnel** between it's peers. This tunnel needs to be initiated from one host to the other (or viceversa) and whatever traffic flows inside the tunnes is not intellegible to anyone else because it's, guess what, encrypted. 
 + 
 +To perform the encryption at both ends, some encryption **keys** needs to be shared. The approach used by WireGuard is to use the private/public key pairs: each host has one private key (which is by definition, not shared) and public key (which is shared with all the other hosts). The private/public technology ensures that the identity of the host is verified because only the private key can encrypt what the public key can decrypt.
  
-keys 
  
 ===== Installation ===== ===== Installation =====
  
-You will also need **nftables** if you plan to do port-forwarding+These steps need to be followed on every host that participate in the WireGuard tunnel. 
 + 
 +Installing WireGuard on Gentoo is pretty easy since the latest release is always in portage, but you will also need [[gentoo:nft|nftables]] if you plan to do port-forwarding or any advanced networking:
 <code bash> <code bash>
 emerge -v net-vpn/wireguard-tools net-firewall/nftables emerge -v net-vpn/wireguard-tools net-firewall/nftables
 </code> </code>
 +
  
 Create local host private and public keys: Create local host private and public keys:
Line 22: Line 30:
 wg genkey > /etc/wireguard/privatekey wg genkey > /etc/wireguard/privatekey
 wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
 +chmod 500 /etc/wireguard/privatekey /etc/wireguard/publickey
 </code> </code>
 +
 +You will need these two keys for the configuration below.
  
 ===== Configuration ===== ===== Configuration =====
  
-Each WireGuard tunnel requires it's own configuration, usually called //wg0//, //wg1//...+WireGuard tunnel can connect two or more hosts. A tunnel is usually called **wg0** or **wg1** and so on. Each tunnel has it's own config file located at **/etc/wireguard/wg0.conf**Please note that the following instructions need to be applied to each host in the tunnel.
  
-So, create one file for each tunnel at **/etc/wireguard/wg0.conf**:+So, create the tunnel config at **/etc/wireguard/wg0.conf**:
 <file - wg0.conf> <file - wg0.conf>
 [Interface] [Interface]
-PrivateKey = << local private key >>+PrivateKey = << local host private key >>
 Address = 10.100.0.1/24 Address = 10.100.0.1/24
-ListenPort = << my port >> +ListenPort = << local host port >> 
  
 [Peer] [Peer]
-PublicKey = << remote end public key >> +PublicKey = << remote host public key >> 
-Endpoint = << peer public IP >>:<< peer port >> +Endpoint = << remote host public IP >>:<< remote host port >> 
-AllowedIPs = 10.100.0.2/24 # +AllowedIPs = 10.100.0.2/24 #
 PersistentKeepAlive = 25 PersistentKeepAlive = 25
 </file> </file>
  
 Where: Where:
-  * You can have as many peers as you need to connect to the local host+  * You can have as many peers as you need to connect to the local host, just create one [Peer] block for each one.
   * The //PrivateKey// is the __local host__ private key   * The //PrivateKey// is the __local host__ private key
-  * The //Address// is the __local host__ address on the tunnel subnetwork +  * The //Address// is the __local host__ address on the __tunnel subnetwork__ (usually, a new subnet you are not using already) 
-  * The //ListenPort// is the port on which the local host can be reached from the peers. This can be omitted if the local host is not reacheable from the peers, in this case the local hosts will connect to the peers.+  * The //ListenPort// is the port on which the local host can be reached from the remote hosts. This can be omitted if the local host is not reacheable from the remote hosts
   * The //PublicKey// is the __remote host__ public key   * The //PublicKey// is the __remote host__ public key
-  * The //Endpoint// is the peer __public__ IP, omit if the peer cannot be reached from the local host, in this case the peers will connect to the localhost. +  * The //Endpoint// is the remote host __public__ IP and __open port__, omit if the remote host cannot be reached from the local host 
-  * The //peer port// is the //ListenPort// of the peer +  * The //AllowedIPs// limits which hosts can send data to the **local** host, in case you have more than one machine connecting trough the remote host, for example
-  * The //AllowedIPs// limits which hosts can send data to the local host, in case you have more than one machine connecting trough the peer+
   * The //PersistentKeepAlive// is usefull to help keep the tunnel connected by sending a keekalive e forcing a reconnection.   * The //PersistentKeepAlive// is usefull to help keep the tunnel connected by sending a keekalive e forcing a reconnection.
  
-Each peer (hostconnecting to the WireGuard tunnel will need one of these files. If you have two hosts (tipycal setup), assume that you need two //wgX.conf// files, one located on each host. These pair of configuration files will need to symmetrical to each other.+Each host connecting to the WireGuard tunnel will need one of these files. These configuration files should usually be symmetrical to each other.
  
 Link the startup scripts and set it to start on boot: Link the startup scripts and set it to start on boot:
Line 61: Line 71:
 </code> </code>
  
-===== Port Forwarding ===== +===== Remote access =====
- +
-For more details in NFTables, see [[[[gentoo:nft|here]]. +
- +
-I will assume that you have one **internal** host and one **external** host connected trough WireGuard tunnel, already setup like described above. +
- +
-The goal is having port **2022** of the external server redirect to port **22** of the internal server torugh the WireGuard tunnel so that you can SSH inside your internal server from outside, seamlessly. +
- +
-I assume your external server has an interface called **enp1s0**, it's WireGuard interface is **wg0** and the WireGuard subnet mask is 10.100.0.0/24, with 10.100.0.2 being the external server and 10.100.0.1 the internal server. +
- +
-What we need: +
-  * A dedicated table called **wg** +
-  * A **prerouting** chain to apply DNAT to incoming packes on port 2022 to the wg tunnel port 22 +
-  * A **postrouting** chain to ensure that all reply packets are properly SNAT back to outside +
- +
-Create the wg table: +
-<code bash> +
-nft add table ip wg +
-</code> +
- +
-Create the base chains: +
-<code bash> +
-nft 'add chain ip wg ssh-in { type nat hook prerouting priority -100 ; }' +
-nft 'add chain ip wg ssh-out { type nat hook postrouting priority 100 ; }' +
-</code> +
- +
-Create the in-bound rule (the counter rule is only for debugging, you can omit that rule): +
-<code bash> +
-nft 'add rule ip wg ssh-in iifname enp1s0 tcp dport 22 counter' +
-nft 'add rule ip wg ssh-in iifname enp1s0 tmp dport 22 dnat to 10.100.0.1' +
-</code> +
- +
-Create the SNAT return rule (the counter rule is only for debugging, you can omit that rule): +
-<code bash> +
-nft 'add rule ip wg ssh-out ip daddr 10.100.0.1 counter' +
-nft 'add rule ip wg ssh-out ip daddr 10.100.0.1 masquerade' +
-</code> +
- +
-This is the resulting NFTables setup: +
-<code bash> +
-nft list table wg +
-table ip wg { +
-        chain ssh-in { +
-                type nat hook prerouting priority dstnat; policy accept; +
-                iifname "enp1s0" tcp dport 22 counter packets 5 bytes 300 +
-                iifname "enp1s0" tcp dport 22 dnat to 10.70.0.1 +
-        } +
- +
-        chain ssh-out { +
-                type nat hook postrouting priority srcnat; policy accept; +
-                ip daddr 10.70.0.1 counter packets 4 bytes 240 +
-                ip daddr 10.70.0.1 masquerade +
-        } +
-+
-</code> +
- +
-nft add ip wg prerouting 'dnat to tcp dport map { 2022 : 10.70.0.1 . 22 }' +
- +
  
 +There are tons of WireGuard tutorials online on how to use WireGuard to connect your mobile device securely to your home network, i do not plan to cover this topic here.
  
  
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information