Wireguard-cheat-sheet: Difference between revisions
Current revision as of 12 April 2025, 11:57
WireGuard Cheat Sheet
Installation
- apt install wireguard
Generate a key pair
- mkdir -p /etc/wireguard
- cd /etc/wireguard
- umask 077 (so that privatekey is not created world-readable)
- wg genkey | tee privatekey | wg pubkey > publickey
Server configuration
- /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = SERVER-PRIVATE-KEY
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT-PUBLIC-KEY
AllowedIPs = 10.0.0.2/32
Client configuration
- /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER-PUBLIC-KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
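An added example, not part of the original cheat sheet: a small Python check for configs like the two above. It flags a file mode that lets group or others read the private key, key fields that still hold placeholders such as SERVER-PRIVATE-KEY, and AllowedIPs ranges that overlap between peers (AllowedIPs decides both which peer receives traffic for an address and which source addresses that peer may use). The function names, messages and sample keys are assumptions constructed for this illustration.

```python
import base64, ipaddress

def parse_wg_conf(text):
    """Return the [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def valid_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def audit(text, mode=0o600):
    """Return findings for one config; mode is the file's permission bits."""
    findings = ["file is accessible by group or others"] if mode & 0o077 else []
    interface, peers = parse_wg_conf(text)
    if not valid_key(interface.get("PrivateKey", "")):
        findings.append("[Interface] PrivateKey is not a 32-byte base64 key")
    seen = []  # (peer number, network) pairs already claimed
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"peer {n}: PublicKey is not a 32-byte base64 key")
        for item in peer.get("AllowedIPs", "").replace(",", " ").split():
            net = ipaddress.ip_network(item, strict=False)
            for other_n, other in seen:
                if other_n != n and net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {other_n} ({other})")
            seen.append((n, net))
    return findings

# Constructed sample: throwaway keys and a server config whose second peer claims the whole /24.
K = [base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2, 3)]
SAMPLE = (f"[Interface]\nPrivateKey = {K[0]}\n[Peer]\nPublicKey = {K[1]}\nAllowedIPs = 10.0.0.2/32\n"
          f"[Peer]\nPublicKey = {K[2]}\nAllowedIPs = 10.0.0.0/24\n")
if __name__ == "__main__":
    print(audit(SAMPLE))
```

For a file on disk, pass its contents together with `stat.S_IMODE(os.stat(path).st_mode)` as `mode`.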
Start and stop the connection
- wg-quick up wg0
- wg-quick down wg0
Show status
- wg show
Enable/disable autostart
- systemctl enable wg-quick@wg0
- systemctl disable wg-quick@wg0
Enable IPv4 forwarding
- echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
- sysctl -p
Example nftables configuration
- /etc/nftables.conf:
table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;
        # iifname matches by name, so the ruleset also loads before wg0 exists
        iifname "wg0" accept
        ct state established,related accept
        tcp dport 22 accept       # SSH
        udp dport 51820 accept    # WireGuard ListenPort
    }
    chain forward {
        type filter hook forward priority 0;
        policy drop;
        # traffic arriving from the tunnel
        iifname "wg0" accept
        # anything forwarded out of eth0
        oif "eth0" accept
        ct state established,related accept
    }
}
NAT with iptables
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
NAT with nftables
- /etc/nftables.conf (addition for NAT):
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}