Last active: May 23, 2024 20:31
Stupid simple setting up WireGuard - Server and multiple peers
Install WireGuard via whatever package manager you use. For me, I use apt.
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
(The PPA is only needed on old releases. Ubuntu 20.04+ and Debian 11+ ship the
wireguard package in their main repositories, so the add-apt-repository step can
be skipped there.)
MacOS
$ brew install wireguard-tools
Generate your key pairs. The key pairs are just that, key pairs. They can be
generated on any device, as long as the private key stays on the host that owns
it and only the public key is ever copied to the other side. Run umask 077 in
the shell first so the privatekey file is not world-readable (wg-quick warns
when a config file it reads is world accessible).
$ wg genkey | tee privatekey | wg pubkey > publickey
example privatekey - mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
example publickey - 0qRWfQ2ihXSgzUbmHXQ70xOxDd7sZlgjqGSPA9PFuHg=
(These two are throwaway examples for illustration; never reuse a published key.)
One can also generate a preshared key to add an additional layer of symmetric-key
cryptography, mixed into the already existing public-key cryptography, as a
hedge against future quantum attacks on the key exchange.
# wg genpsk > preshared
Take the above private key, and place it in the server. And conversely, put the
public key on the peer. Generate a second key pair, and do the opposite: put the
public on the server and the private on the peer. If you choose to use a
preshared key, generate a distinct one per peer and put the same value in that
peer's [Peer] section on the server AND in the [Peer] section of that client's
config. A PresharedKey present on only one side makes the handshake fail.
On the server, create a conf file - /etc/wireguard/wg0.conf (these are examples,
so use whatever IP ranges and CIDR blocks will work for your network). Replace
enp9s0 with the server's real uplink interface, and enable IPv4 forwarding
(net.ipv4.ip_forward=1 via sysctl) or the FORWARD/MASQUERADE rules below never
see any traffic. The DNS line is only meaningful on clients; on a server it does
nothing useful, and wg-quick needs resolvconf (or a compatible shim) to apply
it, so drop it if wg-quick up fails on that step.
################################
[Interface]
Address = 10.0.0.1/24
DNS = 1.1.1.1
PrivateKey = [ServerPrivateKey]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE
[Peer]
#Peer #1
PublicKey = [Peer#1PublicKey]
# Required here because Peer #1's client config (below) carries a PresharedKey;
# the value must be identical on both sides. Omit it for peers that do not use one.
PresharedKey = [Peer#1PresharedKey]
AllowedIPs = 10.0.0.3/32
[Peer]
#Peer #2
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.10/32
[Peer]
#Peer #3
PublicKey = [Peer#3PublicKey]
AllowedIPs = 10.0.0.2/32
[Peer]
#Peer #4
PublicKey = [Peer#4PublicKey]
AllowedIPs = 10.0.0.11/32
##################################
On each client, define a /etc/wireguard/mobile_user.conf (this one is Peer #1,
so its Address matches the 10.0.0.3/32 AllowedIPs entry on the server) -
###################################
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
PresharedKey = [PresharedKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
# if you want to do split tunnel, list only the networks that should go
# through the VPN, and include the VPN subnet itself, otherwise the server's
# tunnel address and the other peers are unreachable.
# for example if your home network is 192.168.1.0/24
# AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
########################################
On the client, AllowedIPs is both the route set (what gets sent into the tunnel)
and the ingress filter (which source addresses are accepted from this peer).
With a full tunnel (0.0.0.0/0, ::/0) also add a DNS line to the client's
[Interface] section, as in the server example, or name resolution keeps going
to the local network's resolver outside the tunnel.
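The key-generation and server/client config steps above, as an added example script that is not part of the original gist: it renders the server's wg0.conf and one client config per peer from a single peer list, so the preshared key is written to both ends automatically, and it builds either a full or a split tunnel per client. The subnet 10.0.0.0/24, endpoint some.domain.com:51820, uplink enp9s0 and DNS 1.1.1.1 are taken from the gist; the 192.168.1.0/24 LAN, the peer names, the host-number spec and the "generate" subcommand are assumptions. Key generation needs wg installed; the render functions take keys as arguments and can be exercised with placeholders.

```shell
#!/bin/sh
# Added example, not from the original gist: render wg0.conf for the server and
# a client config per peer from one peer list, keeping the PresharedKey on BOTH
# sides (a PSK on one side only makes the handshake fail).
set -eu

WG_PREFIX="10.0.0"                      # VPN subnet 10.0.0.0/24, as in the gist
SERVER_ENDPOINT="some.domain.com:51820" # placeholder endpoint from the gist
WAN_IF="enp9s0"                         # assumed uplink; change to your interface
LAN_SUBNET="192.168.1.0/24"             # assumed home LAN for the split tunnel
DNS_SERVER="1.1.1.1"

# Key material via wg(8). Output is base64 (A-Za-z0-9+/=), so ':' is a safe
# field separator in the peer specs below.
gen_privkey() { wg genkey; }
pubkey_of()   { printf '%s\n' "$1" | wg pubkey; }
gen_psk()     { wg genpsk; }

# render_server_conf SERVER_PRIVKEY NAME:PUBKEY:PSK:HOST ...
render_server_conf() {
    server_priv=$1; shift
    cat <<EOF
[Interface]
Address = ${WG_PREFIX}.1/24
ListenPort = 51820
PrivateKey = ${server_priv}
# FORWARD/MASQUERADE only carry traffic once net.ipv4.ip_forward=1 is set
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IF} -j MASQUERADE
EOF
    for entry in "$@"; do
        name=${entry%%:*}; rest=${entry#*:}
        pub=${rest%%:*};   rest=${rest#*:}
        psk=${rest%%:*};   host=${rest#*:}
        cat <<EOF

[Peer]
# ${name}
PublicKey = ${pub}
PresharedKey = ${psk}
AllowedIPs = ${WG_PREFIX}.${host}/32
EOF
    done
}

# render_client_conf CLIENT_PRIVKEY SERVER_PUBKEY PSK HOST [full|split]
render_client_conf() {
    client_priv=$1 server_pub=$2 psk=$3 host=$4 mode=${5:-full}
    # A split tunnel must still route the VPN subnet itself, or the server's
    # tunnel address and the other peers are unreachable.
    if [ "$mode" = split ]; then
        allowed="${WG_PREFIX}.0/24, ${LAN_SUBNET}"
    else
        allowed="0.0.0.0/0, ::/0"
    fi
    cat <<EOF
[Interface]
Address = ${WG_PREFIX}.${host}/24
PrivateKey = ${client_priv}
DNS = ${DNS_SERVER}

[Peer]
PublicKey = ${server_pub}
PresharedKey = ${psk}
Endpoint = ${SERVER_ENDPOINT}
AllowedIPs = ${allowed}
PersistentKeepalive = 25
EOF
}

# usage: ./wg-gen.sh generate OUTDIR laptop:3 phone:10
#   -> OUTDIR/wg0.conf (server) plus OUTDIR/laptop.conf and OUTDIR/phone.conf
if [ "${1:-}" = generate ]; then
    outdir=$2; shift 2
    umask 077                            # config files hold private keys
    mkdir -p "$outdir"
    server_priv=$(gen_privkey); server_pub=$(pubkey_of "$server_priv")
    peers=""
    for spec in "$@"; do
        name=${spec%%:*}; host=${spec#*:}
        priv=$(gen_privkey); pub=$(pubkey_of "$priv"); psk=$(gen_psk)
        render_client_conf "$priv" "$server_pub" "$psk" "$host" > "$outdir/$name.conf"
        peers="$peers $name:$pub:$psk:$host"
    done
    # $peers is intentionally unquoted: one NAME:PUB:PSK:HOST word per peer
    render_server_conf "$server_priv" $peers > "$outdir/wg0.conf"
fi
```

Each peer gets its own PSK and its own /32, and the client's Address is derived from the same host number as the server's AllowedIPs entry, which is the pairing that has to line up for traffic to flow.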
sudo wg show
#########################################
(output trimmed; the "peer:" line normally shows the peer's public key, which is
replaced by a label here)
peer: Peer #1
endpoint: 192.168.2.1:50074
allowed ips: 10.0.0.2/32
latest handshake: 4 minutes, 16 seconds ago
transfer: 57.58 KiB received, 113.32 KiB sent
peer: Peer #2
endpoint: 99.203.28.43:36770
allowed ips: 10.0.0.10/32
latest handshake: 5 minutes, 30 seconds ago
transfer: 92.98 KiB received, 495.89 KiB sent
##################################################
Start/stop interface (as root)
wg-quick up wg0
wg-quick down wg0
Start/stop service (enable the same unit with systemctl if the tunnel should
come up at boot)
$ sudo systemctl start wg-quick@wg0.service
$ sudo systemctl stop wg-quick@wg0.service
Instead of having to modify the file for every client you want to add to the
server you could also use the wg tool instead (as root; add the preshared-key
option with the path to the PSK file if that peer's config carries one):
# add peer
wg set wg0 peer <client_pubkey> allowed-ips 10.0.0.x/32
# verify connection
wg
# save to config
wg-quick save wg0
The x in 10.0.0.x is a host number you pick yourself, unique per peer, anywhere
from 2 to 254 in this /24 (1 is the server). Note that wg-quick save rewrites
/etc/wireguard/wg0.conf from the live interface state, so hand-written comments
in the file are lost.
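The live-add procedure above, as an added example that is not part of the original gist: it picks the lowest free 10.0.0.x host by parsing the output of wg show IFACE allowed-ips (one line per peer, public key, a tab, then the allowed IPs), attaches a preshared key, and persists the result with wg-quick save. The subnet and the commands are the gist's; the function names, the PSK file path and the range 2..254 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original gist: add a peer to a running interface
# with the wg tool, choosing the next unused 10.0.0.x automatically.
set -eu

WG_PREFIX="10.0.0"   # VPN subnet from the gist

# next_free_host ALLOWED_IPS_TEXT
#   ALLOWED_IPS_TEXT is the output of `wg show IFACE allowed-ips`:
#   "<pubkey><TAB><ip/cidr> [<ip/cidr> ...]" per peer, or "(none)".
#   Prints the lowest unused host in 2..254; returns 1 when the /24 is full.
next_free_host() {
    used=" "
    for tok in $1; do                    # default IFS splits on space/tab/newline
        case $tok in
            "${WG_PREFIX}".*/32)
                h=${tok#"${WG_PREFIX}".}
                used="${used}${h%/32} "  # collect " 3 2 10 " style list
                ;;
        esac
    done
    n=2
    while [ "$n" -le 254 ]; do
        case $used in
            *" $n "*) n=$((n + 1)) ;;
            *) printf '%s\n' "$n"; return 0 ;;
        esac
    done
    return 1
}

# add_peer IFACE CLIENT_PUBKEY PSK_FILE   (run as root; PSK_FILE from `wg genpsk`)
add_peer() {
    iface=$1 pub=$2 pskfile=$3
    host=$(next_free_host "$(wg show "$iface" allowed-ips)") \
        || { echo "no free address left in ${WG_PREFIX}.0/24" >&2; return 1; }
    wg set "$iface" peer "$pub" preshared-key "$pskfile" \
        allowed-ips "${WG_PREFIX}.${host}/32"
    wg-quick save "$iface"               # rewrites /etc/wireguard/IFACE.conf
    printf 'added %s as %s.%s/32\n' "$pub" "$WG_PREFIX" "$host"
}

# usage: ./add-peer.sh wg0 <client_pubkey> /etc/wireguard/peer.psk
if [ $# -eq 3 ]; then
    add_peer "$1" "$2" "$3"
fi
```

The client still needs a config with the matching Address (10.0.0.<host>/24), the server's public key and the same PSK; this script only handles the server side of the pairing.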
######### EDIT ##############
I was setting up a relative with a WireGuard config, and figured I might as well use qrencode to do it since I have it installed on my local machine.
qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf
(QR code rendered in the terminal here; scan it with the QR import option of
the WireGuard mobile app.)
That QR code contains the client's private key and preshared key, so treat it
like the key files: don't screenshot it, clear the terminal afterwards, and
delete mobile_user.conf from the machine that generated it once the phone has
imported it.
Hi Chris,
How do you configure the WireGuard VPN server in a load-balancing scenario with multiple VPN servers in active-active mode? Should WireGuard peers communicate with each other through multiple VPN servers placed behind the UDP load balancer?
In 10.0.0.x/32, is the x literally x? Or should I substitute it with a number?
Google IP address range nomenclature.
@tabatinga0x00 x would be whatever number you wish between 2 and 254.
Chris, you get the same thing...

On Wed, Oct 18, 2023, 1:26 PM Chris Swanda wrote:
@Dave9111 I think you should google IP CIDR notation. :)
If you are running that many machines, you might want to look into something else, but that is another conversation.
But, if merely changing out a config file works and you are comfortable with using one credential, then it should work. It is merely a public/private keypair.