WireGuard : Configure Server2024/09/20 |
Install WireGuard, a simple yet fast and modern VPN. This example is based on the environment shown below. First, configure an IP masquerade (port forwarding) rule on your router so that UDP packets sent from the WireGuard client over the internet to the global IP address of the WireGuard server (the ListenPort configured below, 51820 in this example) are forwarded to the local IP address of the WireGuard server. +------------------------+ | [ WireGuard Server ] |172.16.100.1 (VPN IP) | dlp.srv.world +--------+ | |wg0 | +-----------+------------+ | vtnet0|10.0.0.30/24 | | | | Local Network | +------+-----+ | -------| Router#1 |---------------|----- +------+-----+ | | | Internet | Internet | | | +------+-----+ | -------| Router#2 |---------------|----- +------+-----+ | | Local Network | | | vtnet0|192.168.10.30/24 | +-----------+------------+ | | [ WireGuard Client ] |wg0 | | +--------+ | |172.16.100.5 (VPN IP) +------------------------+ |
[1] | Install WireGuard. |
root@dlp:~ # pkg install -y wireguard-tools
|
[2] | Configure WireGuard. |
root@dlp:~ #
umask 077
# generate private key for server root@dlp:~ # wg genkey | tee /usr/local/etc/wireguard/server.key oAcshF4/a4LEwA8Od1OmukhrOydhWHPJqCIEEIpOL30= # generate public key for server root@dlp:~ # cat /usr/local/etc/wireguard/server.key | wg pubkey | tee /usr/local/etc/wireguard/server.pub AazFOtPUm8ZM7rfqMhOYdF4UFKXENOkSB7r0LMxZNnA= # generate private key for client root@dlp:~ # wg genkey | tee /usr/local/etc/wireguard/client.key eMJa2BQliS8mNFZiYrebWaCFlda9cNC9JPEvWOb3G2A= # generate public key for client root@dlp:~ # cat /usr/local/etc/wireguard/client.key | wg pubkey | tee /usr/local/etc/wireguard/client.pub lFQASdqSmQhPXuEtTO8/xBVrbgpXSVZQhP9mQAbyNUw= # confirm network interface root@dlp:~ # ip addr vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6> ether 52:54:00:e6:cc:6e inet 10.0.0.30 netmask 0xffffff00 broadcast 10.0.0.255 inet6 fe80::5054:ff:fee6:cc6e%vtnet0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (10Gbase-T <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384 options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 groups: lo nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> # create a new config # [wg0.conf] ⇒ [(VPN interface name).conf] # VPN interface name ⇒ any name you like root@dlp:~ # vi /usr/local/etc/wireguard/wg0.conf [Interface] # specify generated private key for server PrivateKey = oAcshF4/a4LEwA8Od1OmukhrOydhWHPJqCIEEIpOL30= # IP address for VPN interface Address = 172.16.100.1/24 # UDP port WireGuard server listens ListenPort = 51820 [Peer] # specify public key for client PublicKey = lFQASdqSmQhPXuEtTO8/xBVrbgpXSVZQhP9mQAbyNUw= # clients' VPN IP addresses you allow to 
connect # possible to specify subnet ⇒ [172.16.100.0/24] AllowedIPs = 172.16.100.5, 172.16.100.6 sysrc wireguard_interfaces="wg0" wireguard_interfaces: -> wg0 root@dlp:~ # service wireguard enable wireguard enabled in /etc/rc.conf root@dlp:~ # service wireguard start [#] ifconfig wg create name wg0 [#] wg setconf wg0 /dev/stdin [#] ifconfig wg0 inet 172.16.100.1/24 alias [#] ifconfig wg0 mtu 1420 [#] ifconfig wg0 up [#] route -q -n add -inet 172.16.100.6/32 -interface wg0 [#] route -q -n add -inet 172.16.100.5/32 -interface wg0 [+] Backgrounding route monitorroot@dlp:~ # ifconfig vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6> ether 52:54:00:e6:cc:6e inet 10.0.0.30 netmask 0xffffff00 broadcast 10.0.0.255 inet6 fe80::5054:ff:fee6:cc6e%vtnet0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (10Gbase-T <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384 options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 groups: lo nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420 options=80000<LINKSTATE> inet 172.16.100.1 netmask 0xffffff00 groups: wg nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD> |
[3] | Configure IP forwarding and packet filters (pf with NAT) so that VPN clients can reach the local network behind the server. |
root@dlp:~ #
sysctl net.inet.ip.forwarding=1 net.inet.ip.forwarding: 0 -> 1 root@dlp:~ # echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
root@dlp:~ #
vi /etc/pf.conf # create new file with the following content (this minimal ruleset only configures NAT for the VPN subnet; with no block/pass rules present, pf's default policy passes all other traffic) ext_if = "vtnet0" wg_net = "172.16.100.0/24" set skip on lo scrub in on $ext_if all fragment reassemble nat on $ext_if from $wg_net to any -> ($ext_if)
root@dlp:~ #
service pflog enable pflog enabled in /etc/rc.conf root@dlp:~ # service pf enable pf enabled in /etc/rc.conf root@dlp:~ # service pf start root@dlp:~ # service pflog start
# if your WireGuard server is running on a virtual machine, disable checksum offload on the NIC (otherwise forwarded VPN traffic may be dropped because of bad checksums) root@dlp:~ # ifconfig vtnet0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro root@dlp:~ # echo "ifconfig vtnet0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro" >> /etc/rc.conf
|