Setting up WireGuard

Install

Slackware – on -current only wireguard-tools is required, as the kernel already ships the wireguard module; the wireguard-linux-compat SlackBuild (commented out below) is the out-of-tree module for older kernels such as 14.2's

#sbopkg -i wireguard-linux-compat
sbopkg -i wireguard-tools

Ubuntu

apt install wireguard

shared

lsmod | grep wireguard

Key generation

required on any peer

umask 077  # key files are never created readable by others, even before the chmod below
mkdir ~/wg/
chmod 700 ~/wg/
cd ~/wg/
wg genkey > `uname -n`.key
wg pubkey < `uname -n`.key > `uname -n`.pub
chmod 400 *

also take the chance to define some static name resolution

vi /etc/hosts

# end-points - public ips
x.x.x.x     xc.nethence.com xc
x.x.x.x     wg.os3.su wg

# cross-site internal network
10.1.1.1    hosta
10.1.1.2    hostb

Peer A setup – NETHENCE

now paste peer B's public key (the .pub file generated on OS3) in place of PEER-B-PUB-KEY; the private key never leaves the host it was generated on

ip link add dev wg0 type wireguard
ip address add 10.1.1.1/24 dev wg0
wg set wg0 listen-port 51821 private-key /root/wg/`uname -n`.key
wg set wg0 peer PEER-B-PUB-KEY endpoint PUBLIC-IP-PEER-B:51822 allowed-ips 10.1.1.2/32
ip link set wg0 up
ifconfig wg0

Peer B setup – OS3

check that the second end-point is reachable on UDP 51822 from the public network (enable port-forwarding on the NAT router if needed)

ip link add dev wg0 type wireguard
ip addr add 10.1.1.2/24 dev wg0
wg set wg0 listen-port 51822 private-key /root/wg/`uname -n`.key
wg set wg0 peer PEER-A-PUB-KEY endpoint PUBLIC-IP-PEER-A:51821 allowed-ips 10.1.1.1/32
ip link set wg0 up
ifconfig wg0

Boot-time setup

as configuration files – wg showconf dumps only what the kernel holds (keys, listen port, peers, allowed-ips), so the Address= line that wg-quick needs under [Interface] has to be added by hand; the file contains the private key and must stay mode 600

on any peer

ls -alF /etc/wireguard/
wg showconf wg0
wg showconf wg0 > /etc/wireguard/wg0.conf
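Added example (shell, my own, not from this page or the WireGuard project): a small script that writes the wg-quick file from the same parameters as the wg set lines above, with the Address= line included, and that refuses to run if the private key file is readable by others or a key is not 44 base64 characters. The key it writes is a constructed placeholder (32 zero bytes), the directory is a mktemp one, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: write a wg-quick style
# /etc/wireguard/wg0.conf from the parameters of the manual "wg set" lines,
# refusing to do so if the private key file is readable by others or a key
# is malformed.  The file is created mode 600 via umask.

# is_wg_key KEY: 0 if KEY has the shape of a WireGuard key (32 bytes base64,
# i.e. 44 characters, the last one '=').  This checks shape only, not validity.
is_wg_key() {
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "${#1}" -eq 44 ] && [ "${1%=}" != "$1" ]
}

# is_private_keyfile FILE: 0 if FILE exists and only its owner has any access
# (mode 400 or 600), as the chmod in the key generation step leaves it.
is_private_keyfile() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_wg_conf CONF KEYFILE ADDRESS PORT PEER_PUBKEY PEER_ENDPOINT PEER_ALLOWEDIPS
# Address= is a wg-quick extension that "wg showconf" never prints.
write_wg_conf() {
    conf=$1 keyfile=$2 addr=$3 port=$4 ppub=$5 pep=$6 pallow=$7
    if ! is_private_keyfile "$keyfile"; then
        echo "refusing: $keyfile is missing or readable by group/others" >&2
        return 2
    fi
    priv=$(cat "$keyfile")
    if ! is_wg_key "$priv" || ! is_wg_key "$ppub"; then
        echo "refusing: malformed key" >&2
        return 3
    fi
    (   # subshell so the umask change does not leak into the caller
        umask 077
        cat > "$conf" <<EOF
[Interface]
PrivateKey = $priv
ListenPort = $port
Address = $addr

[Peer]
PublicKey = $ppub
Endpoint = $pep
AllowedIPs = $pallow
EOF
    )
}

# --- constructed demo data: DEMO_KEY is 32 zero bytes in base64, NOT a real key ---
DEMO_KEY=$(head -c 32 /dev/zero | base64)
DEMO_DIR=$(mktemp -d)
( umask 077; printf '%s\n' "$DEMO_KEY" > "$DEMO_DIR/hosta.key" )

# hosta's side of the tunnel from the page, the peer's public key faked as well
write_wg_conf "$DEMO_DIR/wg0.conf" "$DEMO_DIR/hosta.key" 10.1.1.1/24 51821 \
    "$DEMO_KEY" wg.os3.su:51822 10.1.1.2/32 && cat "$DEMO_DIR/wg0.conf"
```

On a real peer, point KEYFILE at /root/wg/`uname -n`.key and CONF at /etc/wireguard/wg0.conf; the permission check is there because wg set and wg-quick both read the private key from disk and a world-readable copy defeats the whole setup.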

Ready to go

on any peer

enable at boot-time

vi /etc/rc.d/rc.inet1
vi /etc/rc.local

# self-verbose
wg-quick up wg0

# ifconfig issue: netmask becomes /0 – re-add the address as /32
# (keep only the line matching this peer: 10.1.1.1 on hosta, 10.1.1.2 on hostb)
echo -n wg0...
ip addr add 10.1.1.1/32 dev wg0 && echo done || echo FAIL
ip addr add 10.1.1.2/32 dev wg0 && echo done || echo FAIL

status

ip addr show dev wg0
wg show
netstat -lnup | grep 518
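Added example (shell, my own, not from this page): a link-status report built on wg show wg0 dump, whose peer lines carry the latest-handshake timestamp in the fifth tab-separated field. The dump fed to it here is a constructed sample with placeholder keys and RFC 5737 addresses; wg_link_status_live runs the same logic against the kernel and needs root and wg.

```shell
#!/bin/sh
# Added example, not from the original page: classify each peer of a
# WireGuard interface from the tab-separated "wg show wg0 dump" output.
# Field 5 of every peer line is the latest handshake as a Unix timestamp
# (0 = never).  WireGuard rekeys every 120 s while data flows and rejects a
# session after 180 s, so a handshake older than 180 s means no authenticated
# traffic in that window: STALE is normal for an idle peer without
# PersistentKeepalive, NEVER after a restart means the peer was not reached.
# The first line of the dump holds the interface private key, which is why it
# is skipped here and why raw dump output should not be pasted into tickets.

# wg_link_status NOW [MAX_AGE]  reads the dump on stdin, prints one line per peer:
#   STATE AGE ENDPOINT ALLOWED-IPS rx=BYTES tx=BYTES
wg_link_status() {
    now=$1 max=${2:-180}
    awk -F'\t' -v now="$now" -v max="$max" '
        NR == 1 { next }                          # interface line (holds the private key)
        {
            hs = $5 + 0
            if (hs == 0)              { state = "NEVER"; age = "-" }
            else if (now - hs <= max) { state = "UP";    age = (now - hs) "s" }
            else                      { state = "STALE"; age = (now - hs) "s" }
            printf "%-5s %-7s %-22s %-14s rx=%s tx=%s\n", state, age, $3, $4, $6, $7
        }'
}

# wg_link_status_live [IFACE]: the same against the running kernel (needs root and wg)
wg_link_status_live() {
    wg show "${1:-wg0}" dump | wg_link_status "$(date +%s)"
}

# --- constructed sample dump (placeholder keys, RFC 5737 addresses), as if
# captured at NOW=1700000100 on hosta: peer 1 shook hands 30 s ago, peer 2
# never, peer 3 hours ago ---
SAMPLE_DUMP=$(
  printf 'PRIVKEY-REDACTED\tLOCAL-PUB-PLACEHOLDER\t51821\toff\n'
  printf 'PEER1-PUB-PLACEHOLDER\t(none)\t203.0.113.2:51822\t10.1.1.2/32\t1700000070\t4096\t8192\toff\n'
  printf 'PEER2-PUB-PLACEHOLDER\t(none)\t(none)\t10.1.1.3/32\t0\t0\t0\toff\n'
  printf 'PEER3-PUB-PLACEHOLDER\t(none)\t203.0.113.3:51823\t10.1.1.4/32\t1699990000\t100\t100\t25\n'
)

printf '%s\n' "$SAMPLE_DUMP" | wg_link_status 1700000100
```

Run wg_link_status_live from cron or a monitoring check; pass a larger MAX_AGE as the second argument when peers are known to be idle for long stretches.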

stop

# self-verbose
wg-quick down wg0

Troubleshooting

WireGuard never answers a packet it cannot authenticate, so nmap -sU reports the port as open|filtered whether the tunnel is up or not and only shows the path is not dropped outright; rely on the tcpdump captures below and on the latest handshake in wg show.

from hosta

nmap -sU -p 51822 wg
netstat -rn --inet
tcpdump -ttttni xenbr0 'udp port 51821'

from hostb

nmap -sU -p 51821 xc
netstat -rn --inet
tcpdump -ttttni eth0 'udp port 51822'

Acceptance

from hosta

ping 10.1.1.2

from hostb

ping 10.1.1.1

Across networks

You don't need to enable forwarding on the hosts for them to talk to each other through the encrypted pipe. If however the peers are to act as gateways for the LANs behind them, forwarding must be on and each peer's allowed-ips must also list the remote LAN: allowed-ips is both the route and the access list, a packet arriving from a peer with a source address outside its allowed-ips is dropped.

on both sides (the echo is not persistent across reboots – also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf or /etc/sysctl.d/)

echo 1 > /proc/sys/net/ipv4/ip_forward

Resources

Installation https://www.wireguard.com/install/

Quick Start https://www.wireguard.com/quickstart/

Key Generation https://www.wireguard.com/quickstart/#key-generation

14.2 > Network > wireguard-linux-compat (1.0.20210219) https://slackbuilds.org/repository/14.2/network/wireguard-linux-compat/

14.2 > Network > wireguard-tools (1.0.20210315) https://slackbuilds.org/repository/14.2/network/wireguard-tools/

WireGuard https://wiki.archlinux.org/title/WireGuard -> file-based configs

WireGuard VPN: Typical Setup https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

ops

How to check VPN link status on wireguard https://vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

troubles

Troubleshooting wireguard - any logs available? https://www.reddit.com/r/WireGuard/comments/a0s6p2/troubleshooting_wireguard_any_logs_available/

FOUR WAYS TO VIEW WIREGUARD LOGS https://www.procustodibus.com/blog/2021/03/wireguard-logs/

https://serverfault.com/questions/1020279/how-to-see-debug-logs-for-wireguard-e-g-to-see-authentication-attempts

https://stackoverflow.com/questions/61109400/wireguard-how-to-log-network-activity

How to debug wireguard on the server? https://lists.zx2c4.com/pipermail/wireguard/2019-March/004027.html

