====== WireGuard ======
[[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution which is quickly taking the place of OpenVPN. Some of the strong points of WireGuard are, besides a supposedly more secure implementation, the ease of setup and how it simply merges with the overall Linux network management.
WireGuard will create an encrypted and protected tunnel between hosts, where each host acts as a peer. You need to have at least one host reachable from all the others, of course, but then WireGuard will create a common subnetwork on which all the hosts will see each other.
===== Concepts =====
You should be familiar with basic networking concepts like routing, subnets and addresses.
A **subnet** is a portion of a network where all the hosts can ping each other without the need of a //gateway//. **Routing** is the act of sending out network packets from a specific network interface toward the destination of the packet. On a subnet, routing is always direct for hosts on the same subnet, otherwise routing happens through a gateway.
All VPNs work by creating an encrypted **tunnel** between its peers. This tunnel needs to be initiated from one host to the other (or vice versa) and whatever traffic flows inside the tunnel is not intelligible to anyone else because it is, guess what, encrypted.
To perform the encryption at both ends, some encryption **keys** need to be shared. The approach used by WireGuard is to use private/public key pairs: each host has one private key (which is, by definition, not shared) and one public key (which is shared with all the other hosts). The key pair also verifies the identity of each host, because only the holder of a private key can authenticate as the matching public key.
===== Installation =====
These steps need to be followed on every host that participates in the WireGuard tunnel.
Installing WireGuard on Gentoo is pretty easy since the latest release is always in portage, but you will also need [[gentoo:nft|nftables]] if you plan to do port-forwarding or any advanced networking:
emerge -v net-vpn/wireguard-tools net-firewall/nftables
Create local host private and public keys:
wg genkey > /etc/wireguard/privatekey
wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
chmod 500 /etc/wireguard/privatekey /etc/wireguard/publickey
You will need these two keys for the configuration below.
===== Configuration =====
A WireGuard tunnel can connect two or more hosts. A tunnel is usually called **wg0** or **wg1** and so on. Each tunnel has its own config file located at **/etc/wireguard/wg0.conf**. Please note that the following instructions need to be applied to each host in the tunnel.
So, create the tunnel config at **/etc/wireguard/wg0.conf**:
[Interface]
PrivateKey = << local host private key >>
Address = 10.100.0.1/24
ListenPort = << local host port >>
[Peer]
PublicKey = << remote host public key >>
Endpoint = << remote host public IP >>:<< remote host port >>
AllowedIPs = 10.100.0.2/24
PersistentKeepalive = 25
Where:
* You can have as many peers as you need to connect to the local host, just create one [Peer] block for each one.
* The //PrivateKey// is the __local host__ private key
* The //Address// is the __local host__ address on the __tunnel subnetwork__ (usually, a new subnet you are not using already)
* The //ListenPort// is the port on which the local host can be reached from the remote hosts. This can be omitted if the local host is not reachable from the remote hosts
* The //PublicKey// is the __remote host__ public key
* The //Endpoint// is the remote host __public__ IP and __open port__, omit if the remote host cannot be reached from the local host
* The //AllowedIPs// lists the tunnel addresses (or subnets) that belong to the remote host: packets arriving from that peer with any other source address are dropped by the **local** host, and packets destined to those addresses are sent to that peer. Use a subnet instead of a single address in case you have more than one machine connecting through the remote host, for example
* The //PersistentKeepalive// is useful to help keep the tunnel connected, by sending a keepalive packet periodically (here every 25 seconds) so that NAT mappings stay open and the peers reconnect if the session drops.
Each host connecting to the WireGuard tunnel will need one of these files. These configuration files should usually be symmetrical to each other.
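To see what //AllowedIPs// actually decides, here is an added example (not code from the original page or from the WireGuard project) that parses a small constructed wg0.conf and simulates WireGuard's cryptokey routing: outbound, a destination goes to the peer whose AllowedIPs entry matches it most specifically; inbound, a decrypted packet is kept only if its source address belongs to the peer it came from. The key placeholders and peer names are constructed.

```python
# Added example (not from the original page): parse a wg-quick style config and simulate
# WireGuard's cryptokey routing for AllowedIPs, outbound (longest-prefix match) and inbound.
import ipaddress
# Constructed sample config; the <<...>> placeholders stand in for real base64 keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <<local host private key>>
Address = 10.100.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <<peer A public key>>
AllowedIPs = 10.100.0.2/24   # host bits are ignored, so this claims all of 10.100.0.0/24
[Peer]
PublicKey = <<peer B public key>>
AllowedIPs = 10.100.0.3/32
"""

def parse(conf):
    interface, peers, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:                                        # keys lower-cased: wg(8) is case-insensitive
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    # strict=False mirrors wg: "10.100.0.2/24" is stored as the network 10.100.0.0/24
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("allowedips", "").split(",") if n.strip()]

def route(peers, dst):
    """Peer public key that owns dst by longest-prefix match over AllowedIPs, or None."""
    addr, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for net in allowed_networks(peer):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer["publickey"], net)
    return best[0] if best else None

def accepted_from(peers, public_key, src):
    """Inbound: a decrypted packet is kept only if its source routes back to the sending peer."""
    return route(peers, src) == public_key
```

With this sample, 10.100.0.3 goes to peer B (the /32 wins over the /24) while every other address of the subnet goes to peer A, and a packet from peer B claiming source 10.100.0.9 is rejected because that address belongs to peer A.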
Link the startup script and set it to start on boot:
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
rc-update add wg-quick.wg0 default
===== Remote access =====
There are tons of WireGuard tutorials online on how to use WireGuard to connect your mobile device securely to your home network; I do not plan to cover this topic here.