Difference between revisions of "Wireguard"
Both revisions by Michael.mast (talk | contribs)
Changes in this revision: the heading ==Prerequisite Network Config== was added above the firewall steps, a blank line before firewall-cmd --reload was removed, and the heading ==wireguard== was added above the install step. The rest of the text is unchanged and is shown in full below.
Revision as of 11:26, 19 May 2025
Rocky Linux
Dual NIC wireguard setup
Prerequisite Network Config
- Configure the firewall to only allow the wireguard port, then move the internal interface to the internal zone.
- NOTE : We are going to NAT to the internal network for the time being.
    firewall-cmd --permanent --add-port=51820/udp --zone=public
    firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
    firewall-cmd --permanent --remove-service=cockpit --zone=public
    firewall-cmd --permanent --remove-service=ssh --zone=public
    firewall-cmd --permanent --zone=internal --change-interface=enp3s0
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --add-forward
    firewall-cmd --permanent --zone=internal --add-masquerade
    firewall-cmd --reload
- Enable forwarding
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/01-sysctl.conf
    sysctl --system
  (sysctl -p with no file argument only reads /etc/sysctl.conf; sysctl --system also loads the files under /etc/sysctl.d/.)
- Disable selinux because we are lazy
    setenforce 0
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  (setenforce 0 only lasts until reboot; the edit to /etc/selinux/config makes it permanent. The pattern must match the whole SELINUX= key, otherwise sed leaves a stray leading S in the file.)
- Create tables for the ISPs
    echo '200 ISP1' >> /etc/iproute2/rt_tables
    echo '201 ISP2' >> /etc/iproute2/rt_tables
- Add the routing commands to a NetworkManager dispatcher script. Here we set up the source rule and default route for the non-default ISP connection (ISP2).
    echo 'ip rule add from <interface IP> lookup ISP2' >> /etc/NetworkManager/dispatcher.d/200-custom-routes
    echo 'ip route add table ISP2 default via <gateway IP>' >> /etc/NetworkManager/dispatcher.d/200-custom-routes
    chmod +x /etc/NetworkManager/dispatcher.d/200-custom-routes
- Reboot and verify things work.
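The dispatcher script above runs on every NetworkManager event for every interface, and ip rule add is not idempotent, so each event stacks another copy of the rule. The script below is an added example (not from the wiki page) of the same policy-routing setup written so it only acts when the ISP2 interface comes up and never adds a rule that already exists. The interface name enp1s0 and the addresses 203.0.113.10 and 203.0.113.1 are placeholders standing in for the page's <interface IP> and <gateway IP>; ip route replace is used instead of ip route add so a rerun is harmless. The planning step is kept as a pure function so it can be checked without touching the live routing table.

```shell
#!/bin/sh
# Added example, not the wiki page's script: a NetworkManager dispatcher
# script for the secondary ISP uplink. NetworkManager passes the interface
# as $1 and the action (up, down, dhcp4-change, ...) as $2.
# Assumed values (placeholders, not from the page):
ISP2_IFACE="enp1s0"          # NIC connected to ISP2
ISP2_IP="203.0.113.10"       # address on that NIC (the page's <interface IP>)
ISP2_GW="203.0.113.1"        # ISP2 gateway (the page's <gateway IP>)
ISP2_TABLE="ISP2"            # name registered in /etc/iproute2/rt_tables as 201

# Print the ip(8) commands needed for this event; print nothing unless the
# ISP2 interface is coming up. Pure function: no side effects, easy to test.
plan_routes() {
    iface="$1"; action="$2"
    [ "$iface" = "$ISP2_IFACE" ] && [ "$action" = "up" ] || return 0
    echo "ip rule add from $ISP2_IP lookup $ISP2_TABLE"
    echo "ip route replace table $ISP2_TABLE default via $ISP2_GW dev $ISP2_IFACE"
}

# Run the planned commands, skipping 'ip rule add' when an identical rule is
# already present (ip rule add would otherwise stack duplicates).
apply_routes() {
    plan_routes "$1" "$2" | while IFS= read -r cmd; do
        case "$cmd" in
            "ip rule add from $ISP2_IP lookup $ISP2_TABLE")
                ip rule show | grep -q "from $ISP2_IP lookup $ISP2_TABLE" && continue ;;
        esac
        $cmd
    done
}

# Only touch the live routing table when invoked by NetworkManager with an
# interface and action; running the file without arguments just defines
# the functions.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    apply_routes "$1" "$2"
fi
```

Install it as /etc/NetworkManager/dispatcher.d/200-custom-routes with the execute bit set, as in the step above; `ip rule show` and `ip route show table ISP2` after a reboot confirm that exactly one rule and one default route exist.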
wireguard
- Install wireguard
dnf install -y wireguard-tools
- Configure a basic wireguard config
    cd /etc/wireguard/
    ip link add dev wg0 type wireguard
    ip address add dev wg0 192.168.124.1/24
    umask 077
    wg genkey > privatekey
    wg pubkey < privatekey > publickey
    wg set wg0 private-key ./privatekey
    ip link set wg0 up
    firewall-cmd --permanent --zone=internal --add-interface=wg0
  (umask 077 before wg genkey keeps privatekey owner-readable only; wg writes the key with whatever umask is in effect.)
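The ip link and wg set commands above configure wg0 for the running system only; the interface is gone after the reboot the page recommends. The following is an added example (not from the wiki page) that writes the equivalent persistent configuration for wg-quick, which ships with the wireguard-tools package installed above, and checks that neither the private key nor wg0.conf (which embeds it) is readable by other users. It uses the same address 192.168.124.1/24 and port 51820 as the page; the output directory, the commented [Peer] template and the placeholder keys written when wg is not installed are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: persistent wg-quick config for wg0
# with private-key file permissions enforced via umask.
# Assumption: WG_DIR is a scratch directory here; on the server use
# /etc/wireguard and copy wg0.conf there.
WG_DIR="${WG_DIR:-$(mktemp -d)}"

# Generate the key pair into DIR as mode-600 files. If wg(8) is not present
# (e.g. on a test machine) write clearly labelled placeholder values instead.
gen_keys() {
    dir="$1"
    ( umask 077
      if command -v wg >/dev/null 2>&1; then
          wg genkey > "$dir/privatekey"
          wg pubkey < "$dir/privatekey" > "$dir/publickey"
      else
          echo "PLACEHOLDER_PRIVATE_KEY_NOT_A_REAL_KEY=" > "$dir/privatekey"
          echo "PLACEHOLDER_PUBLIC_KEY_NOT_A_REAL_KEY=" > "$dir/publickey"
      fi )
}

# Write DIR/wg0.conf for wg-quick with the interface address and listen port.
# The [Peer] block is left as a commented template: each client's public key
# and its /32 inside 192.168.124.0/24 go there.
write_wg_conf() {
    dir="$1"; address="$2"; port="$3"
    ( umask 077
      {
        echo "[Interface]"
        echo "PrivateKey = $(cat "$dir/privatekey")"
        echo "Address = $address"
        echo "ListenPort = $port"
        echo ""
        echo "# [Peer]"
        echo "# PublicKey = <client public key>"
        echo "# AllowedIPs = 192.168.124.2/32"
      } > "$dir/wg0.conf" )
}

# Permission string of FILE, e.g. -rw------- (ls is more portable than stat -c).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Succeeds only if every file that carries the private key is owner-only.
secrets_private() {
    for f in "$1/privatekey" "$1/wg0.conf"; do
        [ "$(file_mode "$f")" = "-rw-------" ] || return 1
    done
    return 0
}

gen_keys "$WG_DIR"
write_wg_conf "$WG_DIR" 192.168.124.1/24 51820
secrets_private "$WG_DIR" && echo "wg0.conf written to $WG_DIR with private permissions"
# On the server: cp "$WG_DIR/wg0.conf" /etc/wireguard/ && systemctl enable --now wg-quick@wg0
```

With wg0.conf in /etc/wireguard, `systemctl enable --now wg-quick@wg0` brings the interface up at boot; the firewall-cmd step above still applies, since wg-quick creates the interface but does not assign it to a firewalld zone.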