WireGuard: Difference between revisions

← Older edit

VisualWikitext

@@ Line 32: / Line 32: @@
 Internet via another peer.
-== DNS for the proxy client ==
+== Secure DNS for the proxy client ==
-You can use an external, encrypted DNS such as knot dns resolver,
+You can use a secure DNS client such as knot dns resolver,
-which comes with a set of authenticated dns servers
+which comes with a set of authenticated dns servers ips
 built in.
@@ Line 52: / Line 52: @@
 }
 </syntaxhighlight>
+Secure DNS hinders usage of captive portals.  See [[systemd-resolved]] for solutions.
 = AllowedIPs =
@@ Line 124: / Line 126: @@
 Credit: this section is adapted from ArchWiki.
+This section should fully support IPv4 and v6 dual stack.
 == Peer setup ==
@@ Line 242: / Line 245: @@
        # only works with systemd-resolved
        domains = [ "~." ];
-       dns = [ "192.168.26.9" ];
+       dns = [ "{proxy server internal ip}" ];
-       DNSDefaultRoute = true;
+       networkConfig = {
+        DNSDefaultRoute = true;
+      };
      };
    };
@@ Line 289: / Line 294: @@
            FirewallMark = 42;
-           # we specify that the routing table 1000 must be used
+           # (... continued) we specify that the routing table 1000 must be used
            # (which is the wireguard routing table). This rule routes all traffic through wireguard.
            # inside routingPolicyRules section is called Table, not RouteTable
@@ Line 382: / Line 387: @@
        Family = "both";
      }
-   ]
+   ];
+  # Configure port forwarding for Transmission under NAT
+  networking.nat.forwardPorts =
+       [
+         {
+           destination = "10.0.0.1:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+         {
+           destination = "[fc00::2]:80";
+           proto = "tcp";
+           sourcePort = 8080;
+         }
+       ];
 </syntaxhighlight>
@@ Line 400: / Line 419: @@
 Invoke <code>wg</code> command from <code>wireguard-tools</code>.
+Use <code>ip route</code> to inspect the route table
+ $ ip route show table 1000
+ default dev wg0 proto static scope link
+ $ ip route show table all
+ ... many entries ...
+ $ ip rule list
+:	not from all fwmark 0x2a lookup 1000 proto static
+ $ ip route get  136.144.57.121
+.144.57.121 dev wg0 table 1000 src 192.168.26.9 uid 1000
+ $ ip route get 2600:1406::1
+:1406::1 from :: dev wg0 table 1000 proto static src fd31:bf08:57cb::9 metric 1024 pref medium
 = wg-quick =
@@ Line 755: / Line 791: @@
 * [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup]
 * [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs
+= Additional routing setups =
+For documentation on more routing and topology setups, such as
+* Point to Point Configuration,
+* Hub and Spoke Configuration,
+* Point to Site Configuration,
+* Site to Site Configuration,
+see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive].
 [[Category:Networking]]
 [[Category:VPN]]