[[linux:wireguard]]

wireguard

# sudo apt install software-properties-common
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard
# modprobe wireguard ?

Error message:

Module build for kernel 4.15.0-96-generic was skipped since the
kernel headers for this kernel does not seem to be installed.
sudo apt install linux-headers-generic
deb http://deb.debian.org/debian buster-backports main contrib
deb-src http://deb.debian.org/debian buster-backports main contrib

Pinning the package is not necessary (because wireguard is only available from buster-backports onwards)

# vi /etc/apt/preferences.d/90_wireguard
Package: wireguard wireguard-dkms wireguard-tools
Pin: release n=buster-backports
Pin-Priority: 990
apt install linux-headers-amd64
# apt install wireguard-dkms
apt install wireguard
  • backported feature linux-image-4.19.0-9 breaks wireguard (upstream fix for the files under /var/lib/dkms/wireguard/1.0.20200429/)
    dkms remove -m wireguard -v 1.0.20200429 -k $(uname -r) # or: -k all
    dkms install -m wireguard -v 1.0.20200429 -k $(uname -r) # or: -k all

    Afterwards the build works:

    Creating symlink /var/lib/dkms/wireguard/1.0.20200429/source ->
                     /usr/src/wireguard-1.0.20200429
    
    DKMS: add completed.
    
    Kernel preparation unnecessary for this kernel.  Skipping...
    
    Building module:
    cleaning build area...
    make -j2 KERNELRELEASE=4.19.0-8-amd64 -C /lib/modules/4.19.0-8-amd64/build M=/var/lib/dkms/wireguard/1.0.20200429/build.......
    cleaning build area...
    
    DKMS: build completed.
    
    wireguard.ko:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/4.19.0-8-amd64/updates/dkms/
    
    depmod........
    
    DKMS: install completed.
# run "umask 077" first so the key files are never created world-readable, not even briefly before the chmod
cd /etc/wireguard && wg genkey | tee wg-private.key | wg pubkey > wg-public.key
sudo wg genpsk > psk.key
chmod 600 wg-private.key psk.key

Create the file /etc/wireguard/$NAME.conf (the name must match the systemd instance: wg-quick@$NAME reads /etc/wireguard/$NAME.conf and creates an interface called $NAME, e.g. wg0.conf for wg-quick@wg0)

via systemd:

systemctl enable wg-quick@$NAME.service
systemctl start wg-quick@$NAME.service
systemctl status wg-quick@$NAME.service

via /etc/network/interfaces or /etc/network/interfaces.d/$NAME.cfg:

auto $NAME
iface $NAME inet static
  address 1.2.3.4
  netmask 255.255.255.0
  # manual variant without wg-quick (wg setconf sets neither addresses nor routes, hence the extra lines):
  # pre-up ip link add $IFACE type wireguard
  # pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
  # up ip route add 5.6.7.8/24 dev $IFACE
  # down ip route del 5.6.7.8/24 dev $IFACE
  # post-down ip link del $IFACE
  pre-up wg-quick up $NAME
  post-down wg-quick down $NAME

All participants need fixed IPs (or must have an FQDN, e.g. via DynDNS).

[Interface]
PrivateKey = <paste own wg-private.key>
ListenPort = <enter a port number to use for Wireguard UDP data, 51820 seems common>

[Peer]
# Peer1 (the section is always called [Peer]; one such section per remote side)
Endpoint = <server IP>:<server port>
PublicKey = <paste wg-public.key of Peer1>
AllowedIPs = 0.0.0.0/0, ::/0
# PresharedKey is a [Peer] option: the contents of psk.key, the same value on both sides
# PresharedKey = <psk.key>
PersistentKeepalive = 25

https://wiki.ubuntuusers.de/WireGuard/Client-Server_Architektur/

Example: client and server share the network 1.2.3.4/24. The server has routing enabled and masquerades the private IPs via iptables. The public key of Client1 must be copied into the server config; the remote side is always configured as a "Peer".

Server Config

[Interface]
# my IP in the internal VPN network:
Address = 1.2.3.4/24
ListenPort = 51820
PrivateKey = <paste wg-private.key Server>
# Allow forwarding + masquerading (optional):
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client1
PublicKey = <paste wg-public.key Client1>
# the client's IP in the VPN (must be /32, since overlapping AllowedIPs between peers do not work!)
AllowedIPs = 1.2.3.5/32
# PersistentKeepalive = 25

[Peer]
# Client2
PublicKey = <paste wg-public.key Client2>
AllowedIPs = 1.2.3.6/32

Client Config

[Interface]
# my internal IP (must match the AllowedIPs entry for this client on the server):
Address = 1.2.3.5/24
PrivateKey = <paste wg-private.key Client1>
# resolvconf needed:
# DNS = 9.9.9.9, 8.8.4.4

[Peer]
Endpoint = vpn.server.tld:51820
PublicKey = <paste wg-public.key Server>
# only internal networks?
# AllowedIPs = 1.2.3.4/24
# ..or everything through the tunnel?
AllowedIPs = 0.0.0.0/0, ::/0
# if the connection keeps dropping (e.g. behind NAT):
#PersistentKeepalive = 25
systemctl enable wg-quick@$NAME.service
systemctl start wg-quick@$NAME.service
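The two rules the server config above depends on (one [Peer] per client, each with its own public key and a non-overlapping AllowedIPs prefix) are easy to break by copy-pasting. The following checker is an added example, not part of these notes or of the WireGuard tools; it parses a wg-quick style file with repeated [Peer] sections and reports reused keys and overlapping prefixes. The sample config and the *_PLACEHOLDER key strings are constructed for the example.

```python
import ipaddress
# Constructed sample modelled on the server config above; Client2 reuses
# Client1's public key on purpose so the check has something to find.
SERVER_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
# Client1
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 1.2.3.5/32
[Peer]
# Client2
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 1.2.3.6/32
"""

def parse_wg(text):
    # [Peer] may repeat, so return (section, {key: value}) tuples in file order
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value
    return sections

def check_peers(text):
    # Flag a PublicKey used by two peers and AllowedIPs overlapping another
    # peer's: each prefix routes to exactly one peer, hence /32 per client.
    problems, seen_keys, seen_nets = [], set(), []
    for section, kv in parse_wg(text):
        if section != "Peer":
            continue
        key = kv.get("PublicKey", "")
        if key in seen_keys:
            problems.append(f"PublicKey reused: {key}")
        seen_keys.add(key)
        for cidr in filter(None, kv.get("AllowedIPs", "").split(",")):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            for other in seen_nets:
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"AllowedIPs overlap: {net} vs {other}")
            seen_nets.append(net)
    return problems
```

Run it against /etc/wireguard/$NAME.conf on the server before `wg-quick up`; an empty list means every client has a unique key and its own prefix.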
  • Show configuration:
    wg showconf $Verbindungsname
  • Show connection status:
    wg show
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.