{"id":738,"date":"2019-05-03T08:51:39","date_gmt":"2019-05-03T08:51:39","guid":{"rendered":"http:\/\/blogs.gentoo.org\/lu_zero\/?p=738"},"modified":"2019-05-03T17:09:13","modified_gmt":"2019-05-03T17:09:13","slug":"using-wireguard","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/lu_zero\/2019\/05\/03\/using-wireguard\/","title":{"rendered":"Using Wireguard"},"content":{"rendered":"

wireguard<\/a> is a modern, secure and fast vpn tunnel that is extremely simple to setup and works already nearly everywhere.<\/p>\n

Since I spent a little bet to play with it because this<\/a> looked quite interesting, I thought of writing a small tutorial.<\/p>\n

I normally use Gentoo<\/a> (and macos<\/a>) so this guide is about Gentoo<\/strong>.<\/p>\n

General concepts<\/h2>\n

Wireguard sets up peers<\/strong> identified by an public key<\/a> and manages a virtual network interface<\/a> and the routing across them (optionally).<\/p>\n

The server<\/strong> is just a peer<\/strong> that knows about loots of peers while a client<\/strong> knows how to directly reach the server<\/strong> and that’s it.<\/p>\n

Setting up in Gentoo<\/h2>\n

Wireguard on Linux is implemented as a kernel module.<\/p>\n

So in general you have to build the module and the userspace tools (wg<\/code>).
\nIf you want to have some advanced feature make sure that your kernel has the following settings:<\/p>\n

IP_ADVANCED_ROUTER<\/code>
\nIP_MULTIPLE_TABLES<\/code>
\nNETFILTER_XT_MARK<\/code><\/p><\/blockquote>\n

After that using emerge<\/code> will get you all you need:<\/p>\n

\n
$ emerge wireguard\n<\/pre>\n<\/div>\n
Tools<\/h3>\n
The default distribution of tools come with the wg<\/code> command and an helper script called wg-quick<\/code> that makes easier to bring up and down the virtual network interface.<\/p>\n
\n
wg help\nUsage: wg <cmd> [<args>]\n\nAvailable subcommands:\n  show: Shows the current configuration and device information\n  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'\n  set: Change the current configuration, add peers, remove peers, or change peers\n  setconf: Applies a configuration file to a WireGuard interface\n  addconf: Appends a configuration file to a WireGuard interface\n  genkey: Generates a new private key and writes it to stdout\n  genpsk: Generates a new preshared key and writes it to stdout\n  pubkey: Reads a private key from stdin and writes a public key to stdout\nYou may pass `--help' to any of these subcommands to view usage.\n<\/pre>\n<\/div>\n
\n
Usage<\/span>:<\/span> wg<\/span>-<\/span>quick<\/span> [<\/span> up<\/span> |<\/span> down<\/span> |<\/span> save<\/span> |<\/span> strip<\/span> ]<\/span> [<\/span> CONFIG_FILE<\/span> |<\/span> INTERFACE<\/span> ]<\/span>\n\n  CONFIG_FILE<\/span> is<\/span> a<\/span> configuration<\/span> file<\/span>,<\/span> whose<\/span> filename<\/span> is<\/span> the<\/span> interface<\/span> name<\/span>\n  followed<\/span> by<\/span> `<\/span>.<\/span>conf<\/span>'. Otherwise, INTERFACE is an interface name, with<\/span>\n  configuration found at \/etc\/wireguard\/INTERFACE.conf. It is to be readable<\/span>\n  by wg(8)'<\/span>s<\/span> `<\/span>setconf<\/span>' sub-command, with the exception of the following additions<\/span>\n  to the [Interface] section, which are handled by wg-quick:<\/span>\n\n  - Address: may be specified one or more times and contains one or more<\/span>\n    IP addresses (with an optional CIDR mask) to be set for the interface.<\/span>\n  - DNS: an optional DNS server to use while the device is up.<\/span>\n  - MTU: an optional MTU for the interface; if unspecified, auto-calculated.<\/span>\n  - Table: an optional routing table to which routes will be added; if<\/span>\n    unspecified or `auto'<\/span>,<\/span> the<\/span> default<\/span> table<\/span> is<\/span> used<\/span>.<\/span> If<\/span> `<\/span>off<\/span>', no routes<\/span>\n    are added.<\/span>\n  - PreUp, PostUp, PreDown, PostDown: script snippets which will be executed<\/span>\n    by bash(1) at the corresponding phases of the link, most commonly used<\/span>\n    to configure DNS. The string `%i'<\/span> is<\/span> expanded<\/span> to<\/span> INTERFACE<\/span>.<\/span>\n  -<\/span> SaveConfig<\/span>:<\/span> if<\/span> set<\/span> to<\/span> `<\/span>true<\/span>'<\/span>,<\/span> the<\/span> configuration<\/span> is<\/span> saved<\/span> from<\/span> the<\/span> current<\/span>\n    state<\/span> of<\/span> the<\/span> interface<\/span> upon<\/span> shutdown<\/span>.<\/span>\n\nSee<\/span> wg<\/span>-<\/span>quick<\/span>(<\/span>8<\/span>)<\/span> for<\/span> more<\/span> info<\/span> and<\/span> examples<\/span>.<\/span>\n<\/pre>\n<\/div>\n
Creating a configuration<\/h2>\n
Wireguard is quite straightforward, you can either prepare a configuration with your favourite text editor or generate one by setting by hand the virtual network device<\/em> and then saving the result wg showconf<\/code> presents.<\/p>\n
A configuration file then can be augmented with wg-quick<\/code>-specific options (such as Address<\/code>) or just passed to wg setconf<\/code> while the other networking details are managed by your usual tools (e.g. ip<\/a>).<\/p>\n
Create your keys<\/h3>\n
The first step is to create the public-private key pair that identifies your peer<\/em>.<\/p>\n