WireGuard

WireGuard is a modern VPN tunnel solution…

Concepts

network

tunnel

keys

Installation

emerge -v net-vpn/wireguard-tools

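Create the local host's private and public keys. Set a restrictive umask first so the private key file is not created world-readable:

umask 077
wg genkey > /etc/wireguard/privatekey
wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey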

Configuration

Each WireGuard tunnel requires its own configuration, usually named wg0, wg1, and so on.

Create one file per tunnel, for example /etc/wireguard/wg0.conf for wg0:

wg0.conf
[Interface]
PrivateKey = << local private key >>
Address = 10.100.0.1/24
ListenPort = << my port >>

[Peer]
PublicKey = << remote end public key >>
Endpoint = << peer public IP >>:<< peer port >>
AllowedIPs = 10.100.0.2/24
PersistentKeepAlive = 25

Where:

  • You can have as many [Peer] sections as you need peers connecting to the local host
  • The PrivateKey is the local host's private key
  • The Address is the local host's address on the tunnel subnetwork
  • The ListenPort is the port on which the local host can be reached by the peers. It can be omitted if the local host is not reachable from the peers; in that case the local host will connect to the peers.
  • The PublicKey is the remote host's public key
  • The Endpoint is the peer's public IP. Omit it if the peer cannot be reached from the local host; in that case the peer will connect to the local host.
  • The peer port is the ListenPort of the peer
  • The AllowedIPs limits which source addresses the local host accepts data from through this peer, in case you have more than one machine connecting through the peer
  • The PersistentKeepAlive is useful to help keep the tunnel connected by sending a keepalive and forcing a reconnection.

Each peer (host) connecting to the WireGuard tunnel needs one of these files. With two hosts (the typical setup) you need two wgX.conf files, one on each host. The two configuration files must be symmetrical to each other: each host's [Peer] section describes the other host.
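An added example, not part of the original page: a Python check that two wgX.conf files mirror each other, comparing each [Peer] public key with the other host's /etc/wireguard/publickey, AllowedIPs with the remote Address, and the Endpoint port with the remote ListenPort. The function names, the placeholder keys, the address 192.0.2.10 and port 51820 are assumptions, and each host is assumed to have a single Address.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)      # split once: base64 keys end in '='
            cur[key.strip().lower()] = value.strip()
    return iface, peers

def check_pair(conf_a, pub_a, conf_b, pub_b):
    """Return findings where two tunnel configs do not mirror each other."""
    found = []
    a, b = (*parse_wg(conf_a), pub_a, "A"), (*parse_wg(conf_b), pub_b, "B")
    for (_, peers, _, here), (r_iface, _, r_pub, there) in ((a, b), (b, a)):
        peer = next((p for p in peers if p.get("publickey") == r_pub), None)
        if peer is None:
            found.append(f"{here}: no [Peer] carries {there}'s public key")
            continue
        r_addr = ipaddress.ip_interface(r_iface["address"]).ip
        items = [i.strip() for i in peer.get("allowedips", "").split(",") if i.strip()]
        nets = [ipaddress.ip_network(i, strict=False) for i in items]
        if not any(r_addr in n for n in nets):
            found.append(f"{here}: AllowedIPs does not cover {there}'s address {r_addr}")
        for item, net in zip(items, nets):
            if ipaddress.ip_interface(item).ip != net.network_address:
                found.append(f"{here}: AllowedIPs {item} accepts all of {net}")
        if "endpoint" in peer:
            port = peer["endpoint"].rsplit(":", 1)[-1]
            if port != r_iface.get("listenport"):
                found.append(f"{here}: Endpoint port {port} is not {there}'s ListenPort")
    if not any("endpoint" in p for side in (a, b) for p in side[1]):
        found.append("neither side sets Endpoint, so neither can initiate")
    return found

# Constructed sample (placeholder keys, no PrivateKey lines); HOST_A mirrors the page's wg0.conf.
HOST_A = ("[Interface]\nAddress = 10.100.0.1/24\nListenPort = 51820\n"
          "[Peer]\nPublicKey = PUB_B=\nAllowedIPs = 10.100.0.2/24\n")
HOST_B = ("[Interface]\nAddress = 10.100.0.2/24\n[Peer]\nPublicKey = PUB_A=\n"
          "Endpoint = 192.0.2.10:51820\nAllowedIPs = 10.100.0.1/32\n")

if __name__ == "__main__":
    print("\n".join(check_pair(HOST_A, "PUB_A=", HOST_B, "PUB_B=")))
```

On the sample pair the only finding is that 10.100.0.2/24 in AllowedIPs matches the whole 10.100.0.0/24 network rather than the single host; use a /32 there if only that one address should be accepted from the peer.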

Link the startup script and set it to start on boot:

ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
rc-update add wg-quick.wg0 default
