WireGuard: Difference between revisions
→systemd.network: v4 and v6 notice |
→Peer setup: add comment to indicate permissions needed for networkd secret |
||
| (6 intermediate revisions by one other user not shown) | |||
| Line 32: | Line 32: | ||
Internet via another peer. | Internet via another peer. | ||
== DNS for the proxy client == | == Secure DNS for the proxy client == | ||
You can use | You can use a secure DNS client such as knot dns resolver, | ||
which comes with a set of authenticated dns servers | which comes with a set of authenticated dns servers ips | ||
built in. | built in. | ||
| Line 52: | Line 52: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Secure DNS hinders usage of captive portals. See [[systemd-resolved]] for solutions. | |||
= AllowedIPs = | = AllowedIPs = | ||
| Line 165: | Line 167: | ||
ListenPort = 51820; | ListenPort = 51820; | ||
# ensure file is readable by `systemd-network` user | |||
PrivateKeyFile = config.age.secrets.wg-key-vps.path; | PrivateKeyFile = config.age.secrets.wg-key-vps.path; | ||
| Line 292: | Line 295: | ||
FirewallMark = 42; | FirewallMark = 42; | ||
# we specify that the routing table 1000 must be used | # (... continued) we specify that the routing table 1000 must be used | ||
# (which is the wireguard routing table). This rule routes all traffic through wireguard. | # (which is the wireguard routing table). This rule routes all traffic through wireguard. | ||
# inside routingPolicyRules section is called Table, not RouteTable | # inside routingPolicyRules section is called Table, not RouteTable | ||
| Line 385: | Line 388: | ||
Family = "both"; | Family = "both"; | ||
} | } | ||
] | ]; | ||
# Configure port forwarding for Transmission under NAT | |||
networking.nat.forwardPorts = | |||
[ | |||
{ | |||
destination = "10.0.0.1:80"; | |||
proto = "tcp"; | |||
sourcePort = 8080; | |||
} | |||
{ | |||
destination = "[fc00::2]:80"; | |||
proto = "tcp"; | |||
sourcePort = 8080; | |||
} | |||
]; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 775: | Line 792: | ||
* [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup] | * [https://www.youtube.com/watch?v=us7V2NvsQRA Talk by @fpletz at NixCon 2018 about networkd and his WireGuard setup] | ||
* [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs | * [https://web.archive.org/web/20210101230654/https://www.the-digital-life.com/wiki/wireguard-troubleshooting/ WireGuard Troubleshooting (on Web Archive)] shows how to enable debug logs | ||
= Additional routing setups = | |||
For documentation on more routing and topology setups, such as | |||
* Point to Point Configuration, | |||
* Hub and Spoke Configuration, | |||
* Point to Site Configuration, | |||
* Site to Site Configuration, | |||
see [https://docs.procustodibus.com/guide/wireguard/ Pro Custodibus Documentation], [https://web.archive.org/web/20250920231827/https://docs.procustodibus.com/guide/wireguard/ Mirror on Internet Archive]. | |||
[[Category:Networking]] | [[Category:Networking]] | ||
[[Category:VPN]] | [[Category:VPN]] | ||