Bering-uClibc 7.x - User Guide - Advanced Topics - Wireguard
| Advanced Topics - Configuring Wireguard | ||
|---|---|---|
| Prev | Bering-uClibc 7.x - User Guide | Next |
Contents
Configuring Wireguard
Objectives
This is a short introduction on how to configure the wireguard VPN on your LEAF system.
Prerequisites
The software used build a VPN tunnel using wireguard is packaged in the wireguard.lrp LEAF package. You should be familiar on how to obtain LEAF packages from either a tarball in the LEAF file area or to download it using your internet connection. You should also be familiar on how to set up LEAF to automatically install packages.
Dependencies
As of LEAF 7.x wireguard.lrp depends on the following packages:
- bash.lrp
Configuration
The wireguard VPN software is configured using a text file /etc/wireguard/wg<tunnel ID>.conf, typically /etc/wireguard/wg0.conf. It is also controlled by the file /etc/default/wireguard where a few start parameters are defined. The wireguard.lrp package includes a copy of these two files for your reference.
/etc/wireguard/wg0.conf
The /etc/wireguard/wg0.conf file is used to tell hold the wireguard keys and information about the wireguard peer. The wireguard VPN is a peer network, however slight differences in the configurations exist, especially the initiator side uses the parameter Endpoint to address its peer. The example below shows the client or initiator side of the wireguard VPN.
# This is a dummy configuration file for the wireguard VPN server. # It should reside in /etc/wireguard and is designed to be used # by the wg-quick script viz: # 'wg-quick up wg0' to start the VPN server and # 'wg-quick down wg0' to stop it. # # Generate the private & public keys required thus: # umask 077 # wg genkey | tee private_key | wg pubkey > public_key # # Dummy config: # [Interface] Address = 192.168.17.2/24 ListenPort = 11194 PrivateKey = EKufmuT959jTCnFlK+jjhJvzPQWdEaEzNWsHIYnzTV8= # # # Peer1 [Peer] PublicKey = DJDe260WVX8Cm2gjf/0nmklHkO8N8XgSTpvB34zJzz0= AllowedIPs = 192.168.17.1 Endpoint = the_other_side.example.net:11194 # # Peer2 #[Peer] #PublicKey = <Peer 2 public key base64 string> #AllowedIPs = <comma-separated address/cidr ranges allowed access from Peer 2> #
To configure wireguard you need to edit the wg0.conf file and generate a private and public key pair for each of the tunnel endpoints.
For detailed information on how to set the up wireguard please refer to wireguard.
/etc/default/wireguard
This file controls the wireguard daemon. It just defines if the daemon is started at all and the name of the wireguard interface used.
# Configuration for Wireguard init script
#
# Set to "yes" to start the VPN server at boot time
START="yes"
#
# Interface name. It must have a matching ${INTERFACE}.conf file in /etc/wireguard
INTERFACE="wg0"
Firewall settings
If you have to pass a firewall then you need to provide a way, possibly on both sides, for the tunnel and the tunneled packages to reach their respective destination. Shorewall provides a configuration file /etc/shorewall/tunnels which can be used to provide this access.
