WireGuard: Difference between revisions
imported>Shad typo in umask use |
imported>User No edit summary |
||
Line 20: | Line 20: | ||
... | ... | ||
# | # enable NAT | ||
networking.nat.enable = true; | |||
networking.nat.externalInterface = "eth0"; | |||
networking.nat.internalInterfaces = [ "wg0" ]; | |||
networking. | |||
networking.wireguard.interfaces = { | networking.wireguard.interfaces = { | ||
Line 87: | Line 84: | ||
publicKey = "{server public key}"; | publicKey = "{server public key}"; | ||
# | # Forward all the traffic via VPN. | ||
allowedIPs = [ "0.0.0.0/0" ]; | |||
allowedIPs = [ " | |||
# Set this to the server IP and port. | # Set this to the server IP and port. |
Revision as of 14:14, 10 November 2018
Setting up Wireguard
Generate keypair
Each peer needs to have a public-private keypair. The keys can be generated on any machine that already has Wireguard installed using the wg
utility. If Wireguard isn't installed yet, it can be made available by adding wireguard
to environment.systemPackages
or by running nix-env -iA wireguard
.
Creating a keypair is simple:
umask 077
mkdir ~/wireguard-keys
wg genkey > ~/wireguard-keys/private
wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public
You can create as many keypairs as you like for different connections or roles; it is also possible to reuse the same keypair for every connection.
Server setup
Enable Wireguard on the server via /etc/nixos/configuration.nix:
{
...
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that Wireguard listens to. Must be accessible by the client.
listenPort = 51820;
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "path to private key file";
peers = [
# List of allowed peers.
{ # Feel free to give a meaning full name
# Public key of the peer (not a file path).
publicKey = "{client public key}";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
{ # John Doe
publicKey = "{john doe's public key}";
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
};
...
}
Client setup
{
...
# Enable Wireguard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ "10.100.0.2/24" ];
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "path to private key file";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "{server public key}";
# Forward all the traffic via VPN.
allowedIPs = [ "0.0.0.0/0" ];
# Set this to the server IP and port.
endpoint = "{server ip}:51820";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
...
}
Multiple connections can be configured by configuring multiple interfaces under networking.wireguard.interfaces
.