Wireguard-cheat-sheet

From the Xinux Wiki

WireGuard Cheat Sheet

Installation

  • apt install wireguard

Generate a key pair

  • mkdir -p /etc/wireguard
  • cd /etc/wireguard
  • wg genkey | tee privatekey | wg pubkey > publickey

Server configuration

  • /etc/wireguard/wg0.conf:
[Interface]
# contents of /etc/wireguard/privatekey on the server
PrivateKey = SERVER-PRIVATE-KEY
Address = 10.0.0.1/24
# UDP port the firewall must allow (see the nftables example below)
ListenPort = 51820

[Peer]
# contents of /etc/wireguard/publickey on the client
PublicKey = CLIENT-PUBLIC-KEY
# only packets from this tunnel address are accepted from this peer
AllowedIPs = 10.0.0.2/32

Client configuration

  • /etc/wireguard/wg0.conf:
[Interface]
# contents of /etc/wireguard/privatekey on the client
PrivateKey = CLIENT-PRIVATE-KEY
Address = 10.0.0.2/24

[Peer]
# contents of /etc/wireguard/publickey on the server
PublicKey = SERVER-PUBLIC-KEY
Endpoint = vpn.example.com:51820
# 0.0.0.0/0, ::/0 routes all IPv4 and IPv6 traffic through the tunnel (full tunnel)
AllowedIPs = 0.0.0.0/0, ::/0
# keeps the UDP mapping alive on NAT/stateful firewalls between the client and the server
PersistentKeepalive = 25
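Added example, not part of the Xinux wiki page: what `wg genkey | tee privatekey | wg pubkey > publickey` actually computes, and the two wg0.conf files above rendered from such keys. WireGuard keys are X25519 key pairs (RFC 7748) in base64; the ladder below is the RFC's reference algorithm written for readability, checked against the RFC's own test vectors, and it is not constant-time. It shows the mechanism; on real hosts the `wg genkey` commands from the page remain the way to generate keys. The hostname `vpn.example.com` and the addresses are the page's own; the helper names are this example's.

```python
"""Added example: X25519 key derivation (RFC 7748) and the cheat sheet's wg0.conf
templates.  Educational, non-constant-time implementation; use `wg genkey` in practice."""
import base64
import os

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the X25519 generator


def clamp(scalar: bytes) -> int:
    """Clamp 32 random bytes the way wg genkey does before using them as a scalar."""
    k = bytearray(scalar)
    k[0] &= 248          # clear the low 3 bits (cofactor)
    k[31] &= 127         # clear bit 255
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar * u on Curve25519."""
    k = clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127        # RFC 7748: mask the most significant bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    """The `wg pubkey` step: multiply the clamped private scalar by the basepoint."""
    return x25519(private_key, BASEPOINT)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def b64d(text: str) -> bytes:
    return base64.b64decode(text)


def generate_keypair() -> tuple[str, str]:
    """The `wg genkey | tee privatekey | wg pubkey` pipeline: (private, public) in base64."""
    priv = os.urandom(32)
    return b64(priv), b64(public_key(priv))


# The two templates are the wg0.conf files from the cheat sheet.
SERVER_TEMPLATE = """[Interface]
PrivateKey = {server_priv}
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = {client_pub}
AllowedIPs = 10.0.0.2/32
"""

CLIENT_TEMPLATE = """[Interface]
PrivateKey = {client_priv}
Address = 10.0.0.2/24

[Peer]
PublicKey = {server_pub}
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def render_configs(server_keys: tuple[str, str], client_keys: tuple[str, str]) -> dict:
    """Fill both templates.  A private key never leaves its own host: the server
    file carries the client's public key and vice versa."""
    server_priv, server_pub = server_keys
    client_priv, client_pub = client_keys
    return {
        "server": SERVER_TEMPLATE.format(server_priv=server_priv, client_pub=client_pub),
        "client": CLIENT_TEMPLATE.format(client_priv=client_priv, server_pub=server_pub),
    }


def write_config(path: str, text: str) -> None:
    """Create wg0.conf with mode 0600: it holds a private key and must not be
    readable by other users (wg-quick warns when the file is world accessible)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```

Usage: `cfgs = render_configs(generate_keypair(), generate_keypair())` followed by `write_config("/etc/wireguard/wg0.conf", cfgs["server"])` on the server and the same with `cfgs["client"]` on the client. The 0600 mode matters for the same reason the page generates keys directly inside /etc/wireguard: whoever can read the file can impersonate that peer.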

Start and stop the connection

  • wg-quick up wg0
  • wg-quick down wg0

Show status

  • wg show

Enable/disable autostart

  • systemctl enable wg-quick@wg0
  • systemctl disable wg-quick@wg0

Enable IPv4 forwarding

  • echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
  • sysctl -p

Example nftables configuration

  • /etc/nftables.conf:
table inet filter {
 chain input {
  type filter hook input priority 0;
  policy drop;
  # iifname/oifname match by name, so the ruleset also loads when wg0 does not
  # exist yet (iif/oif resolve the interface index at load time and fail then)
  iifname "wg0" accept
  ct state established,related accept
  tcp dport 22 accept
  udp dport 51820 accept          # the WireGuard ListenPort
 }

 chain forward {
  type filter hook forward priority 0;
  policy drop;
  iifname "wg0" accept            # tunnel clients may reach anything via the server
  oifname "eth0" accept           # on a multi-homed host narrow this to iifname "wg0" oifname "eth0"
  ct state established,related accept
 }
}

NAT with iptables

  • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

NAT with nftables

  • /etc/nftables.conf (addition for NAT):
table ip nat {
 chain postrouting {
  type nat hook postrouting priority 100;
  oifname "eth0" masquerade       # eth0 = uplink interface; adjust to the host
 }
}