WireGuard

From NixOS Wiki
Revision as of 21:22, 24 October 2017 by HLandau (page created)

Generate Private / Public Key

Each peer needs at least one private/public key pair. The keys can be generated with the wg utility on any machine that already has WireGuard installed, but generating them on the peer itself means the private key never has to be copied anywhere. If WireGuard isn't installed yet, it can be added as wireguard to environment.systemPackages or installed using nix-env -iA wireguard.

Creating the key pair is straightforward. In the example below a folder wireguard-keys is created and the keys are put in there. umask takes a permission mask, not a path, so it is set before the directory and files are created; this way the directory is 0700 and the key files 0600, readable only by the user who created them.

umask 077
mkdir ~/wireguard-keys
wg genkey > ~/wireguard-keys/private
wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public

For different connections/roles you can of course generate more key pairs and name them as you want, or use the same pair for every connection. A separate pair per peer and role is preferable, because then a single key can be removed from the other side's peer list without affecting anything else.

Server Instance

  # Enable Wireguard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.1/24" ];
      listenPort = 51820;
      privateKey = "{server private key}";
      peers = [ {
        publicKey = "{client public key}";
        allowedIPs = [ "10.100.0.2/32" ];
      } ];
    };
  };
  • wg0: the network interface name. You can also use something meaningful like wg_home
  • ips: the server's address and subnet. In this case the server ip is 10.100.0.1 in 10.100.0.0/24.
  • listenPort: the UDP port the server listens on; don't forget to forward it on your router and allow it through the firewall (networking.firewall.allowedUDPPorts)
  • privateKey: the server's private key. privateKeyFile can be used instead to point to a key file, and should be preferred: a value given with privateKey ends up in the world-readable Nix store.
  • peers: the list of peers. Every peer that may establish a connection must be listed here with its public key.
  • peers.publicKey: the public key of the peer/client.
  • allowedIPs: the addresses this peer may use. Packets arriving from the peer are only accepted if their source address is in this list, and packets to these addresses are sent to this peer (WireGuard's cryptokey routing). Give each client its own /32 so one client cannot impersonate another.
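A fuller server configuration, added here as an example and not taken from the original page or the NixOS project: it uses privateKeyFile so the key stays out of the Nix store, opens the listen port in the NixOS firewall, enables IPv4 forwarding so that clients can reach each other through the server, and lists two clients with one /32 each. The key path /root/wireguard-keys/private, the peer public keys and the addresses are placeholders; the package attribute wireguard matches this page, newer nixpkgs ship the tools as wireguard-tools.

```nix
{ config, pkgs, ... }:

{
  # Added example, not from the original page. Placeholder values:
  # the key path and the two client public keys are assumptions.
  environment.systemPackages = [ pkgs.wireguard ];

  # WireGuard speaks UDP only; open the listen port in the NixOS firewall.
  networking.firewall.allowedUDPPorts = [ 51820 ];

  # Let the server forward packets between its wg0 peers. Without this a
  # client can only reach the server itself, not the other clients.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.1/24" ];
    listenPort = 51820;

    # privateKeyFile keeps the key in a root-only file instead of the
    # world-readable Nix store that privateKey = "..." would put it in.
    # Create it with: umask 077; wg genkey > /root/wireguard-keys/private
    privateKeyFile = "/root/wireguard-keys/private";

    peers = [
      {
        # One key pair per client. allowedIPs is both the set of source
        # addresses accepted from this peer and the set routed to it; a
        # single /32 means a client cannot spoof another client's address.
        publicKey = "{client A public key}";
        allowedIPs = [ "10.100.0.2/32" ];
      }
      {
        publicKey = "{client B public key}";
        allowedIPs = [ "10.100.0.3/32" ];
      }
    ];
  };
}
```

With forwarding enabled, a packet from client A to 10.100.0.3 is decrypted on wg0, forwarded by the kernel, and re-encrypted to client B; revoking client B is a matter of deleting its peer entry and rebuilding.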

Client Instance

  # Enable Wireguard
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.2/24" ];
      privateKey = "{client private key}";
      peers = [ {
        publicKey = "{server public key}";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "{server ip}:51820";
        persistentKeepalive = 25;
      } ];
    };
  };
  • wg0: the network interface name. You can also use something meaningful like wg_home
  • ips: the client's address on the VPN, here 10.100.0.2 in 10.100.0.0/24
  • privateKey: the private key of the client/peer. As on the server, privateKeyFile can be used instead to point to a key file, which keeps the key out of the Nix store.
  • listenPort: optional on a client that only initiates connections; if it is omitted, a random port is used. If you set it, forward it on your router and allow it through the firewall as on the server.
  • peers: the list of peers. Every peer that may establish a connection must be listed. A peer can be a server or another client; in the example above it's just the server.
  • peers.publicKey: the public key of the peer/server.
  • allowedIPs: the addresses routed through the VPN to this peer, and at the same time the only source addresses accepted from it
  • endpoint: the server's IP/hostname and port used for the connection.
  • persistentKeepalive: not required, but it keeps the connection alive through NAT by sending a keepalive packet every 25 seconds, so the server can still reach a client behind a NAT router.
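A client configuration with two peers, added here as an example and not taken from the original page or the NixOS project. It illustrates the direct peer-to-peer setup mentioned under "More info": the server is one peer, and a second client is reached directly at its own endpoint instead of through the server. The key path, the public keys and the endpoints are placeholders.

```nix
{ config, pkgs, ... }:

{
  # Added example, not from the original page. The key path, the public
  # keys and the endpoints are placeholder assumptions.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];
    # No listenPort: a client that only initiates connections can let the
    # kernel pick a random source port.
    privateKeyFile = "/root/wireguard-keys/private";

    peers = [
      {
        # The server. allowedIPs is both a route (send 10.100.0.0/24 here)
        # and an ingress filter (accept only those source addresses from it).
        publicKey = "{server public key}";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "{server ip}:51820";
        # Send a keepalive every 25 s so the NAT mapping stays open.
        persistentKeepalive = 25;
      }
      {
        # A second client reached directly. Cryptokey routing uses the
        # longest matching prefix, so traffic for 10.100.0.3 goes to this
        # peer and everything else in the /24 still goes via the server.
        # The other client needs a reachable listenPort and a matching
        # entry for us with allowedIPs = [ "10.100.0.2/32" ]; otherwise its
        # replies arrive via the server and fail our allowedIPs check.
        publicKey = "{client B public key}";
        allowedIPs = [ "10.100.0.3/32" ];
        endpoint = "{client B public ip}:51820";
        persistentKeepalive = 25;
      }
    ];
  };
}
```

The allowedIPs check is what makes the direct route safe: a packet claiming to come from 10.100.0.3 is only accepted from the peer that holds client B's key, whichever path it took.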

More info

  • More information on the WireGuard homepage (https://www.wireguard.com/)
  • Current supported options in NixOS (the networking.wireguard options in the NixOS manual)
  • To use more than one WireGuard connection, add more wgX blocks to your configuration.nix
  • In order for different wg clients to talk to one another, enable IP forwarding on the server (boot.kernel.sysctl."net.ipv4.ip_forward" = 1). All communication between clients then goes through the wg server.
  • To enable direct peer-to-peer communication, add each peer you want to talk to directly as an additional entry in peers, with that peer's publicKey, its allowedIPs (its VPN address as a /32) and an endpoint it can be reached at. The other peer needs a matching entry for you.