WireGuard: Difference between revisions
imported>MarcoPolo m Move iptables routing within the wireguard definition. The previous setup did not work for me (Perhaps because of GCP networking?) |
imported>Wulfsta Add example configuration for wg-quick for a server setup with dnsmasq. |
Line 14: | Line 14: | ||
You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection. | You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection. | ||
==Server setup== | ===Server setup=== | ||
Enable Wireguard on the server via <tt>/etc/nixos/configuration.nix</tt>: | Enable Wireguard on the server via <tt>/etc/nixos/configuration.nix</tt>: | ||
<syntaxHighlight lang="nix"> | <syntaxHighlight lang="nix"> | ||
Line 74: | Line 74: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
==Client setup== | ===Client setup=== | ||
<syntaxHighlight lang="nix"> | <syntaxHighlight lang="nix"> | ||
{ | { | ||
Line 118: | Line 118: | ||
Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}. | Multiple connections can be configured by configuring multiple interfaces under {{nixos:option|networking.wireguard.interfaces}}. | ||
==Setting up Wireguard server/client with wg-quick and dnsmasq== | |||
===Server setup=== | |||
DNS requires opening TCP/UDP port 53. | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
# Enable NAT | |||
networking.nat = { | |||
enable = true; | |||
externalInterface = "eth0"; | |||
internalInterfaces = [ "wg0" ]; | |||
}; | |||
# Open ports in the firewall | |||
networking.firewall = { | |||
allowedTCPPorts = [ 53 ]; | |||
allowedUDPPorts = [ 53 51820 ]; | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
The wg-quick setup is similar to the previous setup. | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
networking.wg-quick.interfaces = { | |||
# "wg0" is the network interface name. You can name the interface arbitrarily. | |||
wg0 = { | |||
# Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface | |||
address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ]; | |||
# The port that Wireguard listens to - recommended that this be changed from default | |||
listenPort = 51820; | |||
# Path to the server's private key | |||
privateKeyFile = "/root/wireguard-keys/privatekey"; | |||
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN | |||
postUp = '' | |||
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT | |||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE | |||
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT | |||
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE | |||
''; | |||
# Undo the above | |||
preDown = '' | |||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT | |||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE | |||
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT | |||
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE | |||
''; | |||
peers = [ | |||
{ # peer0 | |||
publicKey = "{client public key}"; | |||
presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; | |||
allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; | |||
} | |||
# More peers can be added here. | |||
]; | |||
}; | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
To enable dnsmasq and only serve DNS requests to the Wireguard interface add the following: | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
services = { | |||
... | |||
dnsmasq = { | |||
enable = true; | |||
extraConfig = '' | |||
interface=wg0 | |||
''; | |||
}; | |||
... | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
===Client setup=== | |||
The client will now point DNS to the server. | |||
<syntaxHighlight lang="nix"> | |||
{ | |||
... | |||
networking.wg-quick.interfaces = { | |||
wg0 = { | |||
address = [ "10.0.0.2/24" "fcd9:281f:04d7:9ee9::2/64" ]; | |||
dns = [ "10.0.0.1" "fcd9:281f:04d7:9ee9::1" ]; | |||
privateKeyFile = "/root/wireguard-keys/privatekey"; | |||
peers = [ | |||
{ | |||
publicKey = "{server public key}"; | |||
presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; | |||
allowedIPs = [ "0.0.0.0/0" "::/0" ]; | |||
endpoint = "{server ip}:51820"; | |||
persistentKeepalive = 25; | |||
} | |||
]; | |||
}; | |||
}; | |||
... | |||
} | |||
</syntaxHighlight> | |||
=Setting up Wireguard with systemd-networkd= | ==Setting up Wireguard with systemd-networkd== | ||
Please note, that networkd support in NixOS is still [https://nixos.org/nixos/options.html#usenetworkd experimental]. | Please note, that networkd support in NixOS is still [https://nixos.org/nixos/options.html#usenetworkd experimental]. | ||
==Client setup== | ===Client setup=== | ||
<syntaxHighlight lang="nix"> | <syntaxHighlight lang="nix"> |
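Review bot: the client's IPv6 prefix in the wg-quick client block (`address = [ "10.0.0.2/24" "fcd9:281f:04d7:9ee9::2/64" ]` and `dns = [ "10.0.0.1" "fcd9:281f:04d7:9ee9::1" ]`) does not match the server's prefix `fdc9:281f:04d7:9ee9::/64`, which is what the server `address`, the `ip6tables ... MASQUERADE` rule and the peer's `allowedIPs` all use; with the mismatch the server's cryptokey routing drops the client's IPv6 packets and the v6 DNS address is unreachable, so `fcd9` should read `fdc9` in both client lines. Second, `allowedTCPPorts = [ 53 ]` / `allowedUDPPorts = [ 53 51820 ]` opens DNS on every interface including `eth0`, while dnsmasq is only meant to answer on `wg0`; scoping the DNS ports with `networking.firewall.interfaces.wg0.allowedTCPPorts` / `allowedUDPPorts` (keeping 51820 global) keeps port 53 off the public interface. Minor: the server-side comment on `address` says "the client's end of the tunnel" but this is the server's address, and the `listenPort` comment recommends changing the port from the default while the value set is the default 51820.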