FreeBSD 14

WireGuard : Configure Client (FreeBSD)   2024/09/20


Install WireGuard, a simple, fast and modern VPN, and configure the client side.

This example is based on the following environment.

First, configure port forwarding on the router in front of the WireGuard server (Router#1 in the diagram) so that UDP packets sent by the WireGuard client over the internet to the server's global IP address, port 51820, are forwarded to the server's local IP address (10.0.0.30).

  +------------------------+
  | [  WireGuard Server  ] |172.16.100.1 (VPN IP)
  |      dlp.srv.world     +--------+
  |                        |wg0     |
  +-----------+------------+        |
        vtnet0|10.0.0.30/24         |
              |                     |
              |       Local Network |
       +------+-----+               |
-------|  Router#1  |---------------|-----
       +------+-----+               |
              |                     |
    Internet  |  Internet           |
              |                     |
       +------+-----+               |
-------|  Router#2  |---------------|-----
       +------+-----+               |
              |       Local Network |
              |                     |
        vtnet0|192.168.10.30/24     |
  +-----------+------------+        |
  |  [ WireGuard Client ]  |wg0     |
  |                        +--------+
  |                        |172.16.100.5 (VPN IP)
  +------------------------+

[1]

Copy the [Private key for client] and [Public key for server] generated on the WireGuard server to the client computer. The private key is the client's identity, so transfer it over a secure channel (for example scp) and do not send it by plain e-mail or chat.

[2] Install WireGuard.
root@client:~ #
pkg install -y wireguard-tools
[3] Configure WireGuard.
root@client:~ #
umask 077
# create a new config
# [wg0.conf] ⇒ [(VPN interface name).conf]
# VPN interface name ⇒ any name you like

root@client:~ #
vi /usr/local/etc/wireguard/wg0.conf
[Interface]
# specify private key for client generated on WireGuard server
PrivateKey = eMJa2BQliS8mNFZiYrebWaCFlda9cNC9JPEvWOb3G2A=
# IP address for VPN interface
Address = 172.16.100.5/24

[Peer]
# specify public key for server generated on WireGuard server
PublicKey = AazFOtPUm8ZM7rfqMhOYdF4UFKXENOkSB7r0LMxZNnA=
# IP addresses routed through this peer (and accepted as source addresses from it)
# in the example below, the WireGuard server's VPN IP address and the server's real local network
AllowedIPs = 172.16.100.1, 10.0.0.0/24
# specify the server's global IP address:port
# (the address below is actually in a private range for this example; replace it with your own global IP)
Endpoint = 172.29.10.100:51820

root@client:~ #
sysrc wireguard_interfaces="wg0"

wireguard_interfaces: -> wg0
root@client:~ #
service wireguard enable

wireguard enabled in /etc/rc.conf
root@client:~ #
service wireguard start

[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.16.100.5/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 172.16.100.1/32 -interface wg0
[#] route -q -n add -inet 10.0.0.0/24 -interface wg0
[+] Backgrounding route monitor

root@client:~ #
ifconfig

vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether 52:54:00:7c:de:11
        inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::5054:ff:fe7c:de11%vtnet0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 172.16.100.5 netmask 0xffffff00
        groups: wg
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>

# confirm the interface and peer configuration
# (no "latest handshake" line is shown yet because nothing has been sent through the tunnel:
# WireGuard only starts the handshake when the first packet is sent, e.g. the ping in [4])

root@client:~ #
wg show

interface: wg0
  public key: lFQASdqSmQhPXuEtTO8/xBVrbgpXSVZQhP9mQAbyNUw=
  private key: (hidden)
  listening port: 23438

peer: AazFOtPUm8ZM7rfqMhOYdF4UFKXENOkSB7r0LMxZNnA=
  endpoint: 172.29.10.100:51820
  allowed ips: 10.0.0.0/24, 172.16.100.1/32
[4] After the VPN session is established, verify access to the WireGuard server's local network. The first packets trigger the handshake; afterwards, wg show wg0 latest-handshakes prints the time of the last completed handshake with the server.
root@client:~ #
ping -c 3 10.0.0.30

PING 10.0.0.30 (10.0.0.30): 56 data bytes
64 bytes from 10.0.0.30: icmp_seq=0 ttl=64 time=3.302 ms
64 bytes from 10.0.0.30: icmp_seq=1 ttl=64 time=1.205 ms
64 bytes from 10.0.0.30: icmp_seq=2 ttl=64 time=1.264 ms

--- 10.0.0.30 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.205/1.924/3.302/0.975 ms

# StrictHostKeyChecking=no accepts an unknown host key without verification;
# acceptable for this lab check, but verify the key fingerprint for real hosts
root@client:~ #
ssh -o StrictHostKeyChecking=no ubuntu@10.0.0.203 hostname

Warning: Permanently added '10.0.0.203' (ED25519) to the list of known hosts.
ubuntu@10.0.0.203's password:
ubuntu
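The client-side steps [3] and [4] as a small POSIX sh script, added here as an example and not code from the original page or from the WireGuard project. It renders wg0.conf from the two keys copied in step [1], refusing a key that is not 32 base64-encoded bytes, checks that the file ends up readable by root only (the effect of the umask 077 above), and checks "wg show" text for a completed handshake with the server peer. The keys reuse the values shown on this page; the output path, the sample "wg show" text and the optional PersistentKeepalive line (useful because the client sits behind Router#2's NAT) are this example's own additions. It assumes base64 -d, as found on FreeBSD and in GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the original page: render the client-side
# wg0.conf from the two keys copied from the server, refusing keys that are
# not 32 base64-encoded bytes, confirm the file is readable by root only,
# and check `wg show` text for a completed handshake with the server peer.
# The keys reuse the values shown on this page; the output path and the
# sample `wg show` text at the bottom are constructed for the example.
set -eu

# A WireGuard key is 32 bytes in base64: 44 characters, the last one '='.
wg_key_valid() {
    key=$1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "${#key}" -eq 44 ] || return 1
    # base64 -d is available on FreeBSD and in GNU coreutils (assumption)
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# render_client_conf OUT CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY VPN_ADDR ENDPOINT ALLOWED_IPS
# umask 077 makes the new file mode 600, as in step [3] of the page.
render_client_conf() {
    out=$1 client_priv=$2 server_pub=$3 vpn_addr=$4 endpoint=$5 allowed=$6
    wg_key_valid "$client_priv" || { echo "client private key is malformed" >&2; return 1; }
    wg_key_valid "$server_pub"  || { echo "server public key is malformed" >&2; return 1; }
    umask 077
    cat > "$out" <<EOF
[Interface]
PrivateKey = $client_priv
Address = $vpn_addr

[Peer]
PublicKey = $server_pub
AllowedIPs = $allowed
Endpoint = $endpoint
# optional addition: the client sits behind Router#2's NAT, so a keepalive
# keeps the UDP mapping open while the tunnel is idle
PersistentKeepalive = 25
EOF
}

# conf_mode_ok FILE: true when only the owner can read and write the file.
conf_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# handshake_seen PEER_PUBLIC_KEY: reads `wg show` text on stdin and succeeds
# only if that peer has a "latest handshake" line. The `wg show` output on
# the page has none yet: WireGuard starts the handshake only when the first
# packet is sent through the tunnel (the ping in step [4]).
handshake_seen() {
    awk -v peer="$1" '
        $1 == "peer:" { cur = $2 }
        cur == peer && $1 == "latest" && $2 == "handshake:" { found = 1 }
        END { exit found ? 0 : 1 }'
}

CLIENT_PRIV='eMJa2BQliS8mNFZiYrebWaCFlda9cNC9JPEvWOb3G2A='   # client private key from [1]
SERVER_PUB='AazFOtPUm8ZM7rfqMhOYdF4UFKXENOkSB7r0LMxZNnA='    # server public key from [1]
CONF="${TMPDIR:-/tmp}/wg0.conf.example"   # constructed path; the real one is /usr/local/etc/wireguard/wg0.conf

render_client_conf "$CONF" "$CLIENT_PRIV" "$SERVER_PUB" \
    172.16.100.5/24 172.29.10.100:51820 "172.16.100.1/32, 10.0.0.0/24"
conf_mode_ok "$CONF" && echo "$CONF written with mode 600"

# constructed `wg show` text, as it looks after the first ping has gone through
if printf '%s\n' "peer: $SERVER_PUB" '  endpoint: 172.29.10.100:51820' \
       '  latest handshake: 9 seconds ago' | handshake_seen "$SERVER_PUB"; then
    echo "handshake with server completed"
fi
```

On the real client, run handshake_seen against the output of wg show wg0 after the ping in [4]; if it still reports no handshake, the usual causes are the port forward on Router#1 missing, a wrong Endpoint, or the server not having this client's public key and VPN address in its own [Peer] section.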