Bering-uClibc 7.x - User Guide - Advanced Topics - Wireguard

From bering-uClibc
Jump to: navigation, search
Advanced Topics - Configuring Wireguard
Prev Bering-uClibc 7.x - User Guide Next

Configuring Wireguard


This is a short introduction on how to configure the wireguard VPN on your LEAF system.


The software used build a VPN tunnel using wireguard is packaged in the wireguard.lrp LEAF package. You should be familiar on how to obtain LEAF packages from either a tarball in the LEAF file area or to download it using your internet connection. You should also be familiar on how to set up LEAF to automatically install packages.


As of LEAF 7.x wireguard.lrp depends on the following packages:

  • bash.lrp


The wireguard VPN software is configured using a text file /etc/wireguard/wg<tunnel ID>.conf, typically /etc/wireguard/wg0.conf. It is also controlled by the file /etc/default/wireguard where a few start parameters are defined. The wireguard.lrp package includes a copy of these two files for your reference.


The /etc/wireguard/wg0.conf file is used to tell hold the wireguard keys and information about the wireguard peer. The wireguard VPN is a peer network, however slight differences in the configurations exist, especially the initiator side uses the parameter Endpoint to address its peer. The example below shows the client or initiator side of the wireguard VPN.

# This is a dummy configuration file for the wireguard VPN server.
# It should reside in /etc/wireguard and is designed to be used
# by the wg-quick script viz:
# 'wg-quick up wg0' to start the VPN server and
# 'wg-quick down wg0' to stop it.
# Generate the private & public keys required thus:
# umask 077
# wg genkey | tee private_key | wg pubkey > public_key
# Dummy config:
Address =
ListenPort = 11194
PrivateKey = EKufmuT959jTCnFlK+jjhJvzPQWdEaEzNWsHIYnzTV8=
# Peer1
PublicKey = DJDe260WVX8Cm2gjf/0nmklHkO8N8XgSTpvB34zJzz0=
AllowedIPs =
Endpoint =
# Peer2
#PublicKey = <Peer 2 public key base64 string>
#AllowedIPs = <comma-separated address/cidr ranges allowed access from Peer 2>

To configure wireguard you need to edit the wg0.conf file and generate a private and public key pair for each of the tunnel endpoints.

For detailed information on how to set the up wireguard please refer to wireguard.


This file controls the wireguard daemon. It just defines if the daemon is started at all and the name of the wireguard interface used.

# Configuration for Wireguard init script
# Set to "yes" to start the VPN server at boot time
# Interface name. It must have a matching ${INTERFACE}.conf file in /etc/wireguard

Firewall settings

If you have to pass a firewall then you need to provide a way, possibly on both sides, for the tunnel and the tunneled packages to reach their respective destination. Shorewall provides a configuration file /etc/shorewall/tunnels which can be used to provide this access.