WireGuard: Difference between revisions

← Older edit

VisualWikitext

@@ Line 18: / Line 18: @@
 systemd.network is recommended due to its powerful configuration interface.
 wg-quick is suitable for common usage patterns.  networking.wireguard seems to
-have issues with routing.  NetworkManager does not supoort Proxy server setup, and
+have issues with routing.  NetworkManager does not support Proxy server setup, and
 is cubersome to use.
@@ Line 32: / Line 32: @@
 Internet via another peer.
-== DNS for the proxy client ==
+== Secure DNS for the proxy client ==
-=== External DNS with dnscrypt ===
+You can use a secure DNS client such as knot dns resolver,
+which comes with a set of authenticated dns servers ips
-You can use an external, encrypted DNS such as
+built in.
 <syntaxhighlight lang="nix">
@@ Line 53: / Line 53: @@
 </syntaxhighlight>
+Secure DNS hinders usage of captive portals.  See [[systemd-resolved]] for solutions.
 = AllowedIPs =
@@ Line 125: / Line 126: @@
 Credit: this section is adapted from ArchWiki.
+This section should fully support IPv4 and v6 dual stack.
 == Peer setup ==
@@ Line 164: / Line 166: @@
        wireguardConfig = {
          ListenPort = 51820;
+        # ensure file is readable by `systemd-network` user
+        PrivateKeyFile = config.age.secrets.wg-key-vps.path;
          # To automatically create routes for everything in AllowedIPs,
@@ Line 172: / Line 177: @@
          # with the number 42, which can be used to define policy rules on these packets.
          FirewallMark = 42;
-        PrivateKeyFile = config.age.secrets.wg-key-vps.path;
        };
        wireguardPeers = [
@@ Line 243: / Line 246: @@
        # only works with systemd-resolved
        domains = [ "~." ];
-       dns = [ "192.168.26.9" ];
+       dns = [ "{proxy server internal ip}" ];
-       DNSDefaultRoute = true;
+       networkConfig = {
+        DNSDefaultRoute = true;
+      };
      };
    };
@@ Line 258: / Line 263: @@
    systemd.network = {
      netdevs."50-wg0" = {
+      # FirewallMark simply marks all packets send and received by this wireguard
+      # interface with the number 42, which can be used to define policy rules on these packets.
+      wireguardConfig.FirewallMark = 42;
        wireguardPeers = [
          {
@@ Line 272: / Line 281: @@
            # for the wireguard interface, and no rules are set on the main routing table.
            RouteTable = 1000;
-          # FirewallMark simply marks all packets send and received by this wireguard
-          # interface with the number 42, which can be used to define policy rules on these packets.
-          FirewallMark = 42;
          }
        ];
@@ Line 290: / Line 295: @@
            FirewallMark = 42;
-           # we specify that the routing table 1000 must be used
+           # (... continued) we specify that the routing table 1000 must be used
            # (which is the wireguard routing table). This rule routes all traffic through wireguard.
            # inside routingPolicyRules section is called Table, not RouteTable
@@ Line 309: / Line 314: @@
            # We exempt our endpoint with a higher priority by routing it
            # through the main table (Table=main is default).
-          Family = "both";
            To = "2a01::1/128";
            Priority = 5;
@@ Line 384: / Line 388: @@
        Family = "both";
      }
-   ]
+   ];
+  # Configure port forwarding for Transmission under NAT
+  networking.nat.forwardPorts =
+       [
+         {
+           destination = "10.0.0.1:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+         {
+           destination = "[fc00::2]:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+       ];
 </syntaxhighlight>
+== Test and Troubleshooting ==
+Test the proxy with
+ # ipv4
+ $ curl -4 zx2c4.com/ip
+ # ipv6
+ $ curl -6 zx2c4.com/ip
+Check systemd-networkd log for any error and warning messages.
+ $ journalctl -u systemd-networkd.service
+Invoke <code>wg</code> command from <code>wireguard-tools</code>.
+Use <code>ip route</code> to inspect the route table
+ $ ip route show table 1000
+ default dev wg0 proto static scope link
+ $ ip route show table all
+ ... many entries ...
+ $ ip rule list
+:	not from all fwmark 0x2a lookup 1000 proto static
+ $ ip route get  136.144.57.121
+.144.57.121 dev wg0 table 1000 src 192.168.26.9 uid 1000
+ $ ip route get 2600:1406::1
+:1406::1 from :: dev wg0 table 1000 proto static src fd31:bf08:57cb::9 metric 1024 pref medium
 = wg-quick =
@@ Line 741: / Line 792: @@
 * [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
 * [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
+= Additional routing setups =
+For documentation on more routing and topology setups, such as
+* Point to Point Configuration,
+* Hub and Spoke Configuration,
+* Point to Site Configuration,
+* Site to Site Configuration,
+see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive].
 [[Category:Networking]]
 [[Category:VPN]]