WireGuard: Difference between revisions
imported>Sjau added masquerading |
imported>Sjau No edit summary |
||
Line 25: | Line 25: | ||
# Add a masquerade rule to iptables so the peers can talk to one another | # Add a masquerade rule to iptables so the peers can talk to one another | ||
networking.firewall.extraCommands = '' | networking.firewall.extraCommands = '' | ||
iptables -t nat -A POSTROUTING -s10.100.0.0/ | iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE | ||
''; | ''; | ||
Revision as of 21:51, 30 December 2017
Setting up Wireguard
Generate keypair
Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has Wireguard installed using the wg utility. If Wireguard isn't installed yet, it can be made available by adding wireguard to environment.systemPackages or by running nix-env -iA wireguard.
Creating a keypair is simple:
mkdir ~/wireguard-keys
umask 077 ~/wireguard-keys
wg genkey > ~/wireguard-keys/private
wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public
You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
Server setup
Enable Wireguard on the server via /etc/nixos/configuration.nix:
{
...
# Ensure IP forwarding is enabled.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# Add a masquerade rule to iptables so the peers can talk to one another
networking.firewall.extraCommands = ''
iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
'';
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that Wireguard listens to. Must be accessible by the client.
listenPort = 51820;
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "path to private key file";
peers = [
# List of allowed peers.
{ # Feel free to give a meaning full name
# Public key of the peer (not a file path).
publicKey = "{client public key}";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
{ # John Doe
publicKey = "{john doe's public key}";
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
};
...
}
Client setup
{
...
# Enable Wireguard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.100.0.2/24" ];
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "path to private key file";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "{server public key}";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
# For a server peer this should be the whole subnet.
allowedIPs = [ "10.100.0.0/24" ];
# Set this to the server IP and port.
endpoint = "{server ip}:51820";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
...
}
Multiple connections can be configured by configuring multiple interfaces under networking.wireguard.interfaces
.