Difference between revisions of "Wireguard"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 13: | Line 13: | ||
firewall-cmd --permanent --add-forward | firewall-cmd --permanent --add-forward | ||
firewall-cmd --permanent --zone=internal --add-masquerade | firewall-cmd --permanent --zone=internal --add-masquerade | ||
| − | |||
firewall-cmd --reload | firewall-cmd --reload | ||
</pre> | </pre> | ||
| Line 38: | Line 37: | ||
</pre> | </pre> | ||
*Reboot and verify things work. | *Reboot and verify things work. | ||
| + | ===wireguard=== | ||
*Install wireguard | *Install wireguard | ||
<pre> | <pre> | ||
| Line 45: | Line 45: | ||
<pre> | <pre> | ||
cd /etc/wireguard/ | cd /etc/wireguard/ | ||
| − | |||
| − | |||
wg genkey > privatekey | wg genkey > privatekey | ||
wg pubkey < privatekey > publickey | wg pubkey < privatekey > publickey | ||
| − | |||
| − | |||
</pre> | </pre> | ||
| + | *Create wg0.conf file with the following contents | ||
| + | [Interface] | ||
| + | PrivateKey = <private key> | ||
| + | Address = 192.168.124.1/24 | ||
| + | ListenPort = 51820 | ||
| + | </pre> | ||
| + | *Enable the interface | ||
| + | <pre> | ||
| + | wg-quick up wg0 | ||
| + | systemctl enable wg-quick@wg0 | ||
| + | </pre> | ||
| + | *Configure additional firewall settings. | ||
| + | <pre> | ||
| + | firewall-cmd --permanent --zone=trusted --change-interface wg0 | ||
| + | </pre> | ||
| + | *Optional IPtables rules that might be needed | ||
<pre> | <pre> | ||
| − | + | sudo iptables -F | |
| + | sudo iptables -t nat -F | ||
| + | sudo iptables -t nat -A POSTROUTING -s 192.168.124.0/24 -o enp1s0 -j MASQUERADE | ||
| + | sudo iptables -A FORWARD -i wg0 -o enp1s0 -j ACCEPT | ||
| + | sudo iptables -A FORWARD -i enp1s0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| + | sudo iptables -t nat -A POSTROUTING -s 192.168.124.0/24 -o enp2s0 -j MASQUERADE | ||
| + | sudo iptables -A FORWARD -i wg0 -o enp2s0 -j ACCEPT | ||
| + | sudo iptables -A FORWARD -i enp2s0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
</pre> | </pre> | ||
Latest revision as of 11:41, 19 May 2025
Rocky Linux
Dual NIC wireguard setup
Prerequisite Network Config
- Configure the firewall to only allow the wireguard port, then move the internal interface to the internal zone.
- NOTE : We are going to NAT to the internal network for the time being.
firewall-cmd --permanent --add-port=51820/udp --zone=public firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public firewall-cmd --permanent --remove-service=cockpit --zone=public firewall-cmd --permanent --remove-service=ssh --zone=public firewall-cmd --permanent --zone=internal --change-interface=enp3s0 firewall-cmd --permanent --add-masquerade firewall-cmd --permanent --add-forward firewall-cmd --permanent --zone=internal --add-masquerade firewall-cmd --reload
- Enable forwarding
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/01-sysctl.conf sysctl -p
- Disable selinux because we are lazy
setenforce 0 sed -i 's/ELINUX\=enforcing/SELINUX\=disabled/' /etc/selinux/config
- Create tables for the ISPs
echo '200 ISP1' >> /etc/iproute2/rt_tables echo '201 ISP2' >> /etc/iproute2/rt_tables
- Add commands to route scripts. In this case we are setting the non-default route connection
echo 'ip rule add from <interface IP> lookup ISP2' >> /etc/NetworkManager/dispatcher.d/200-custom-routes echo 'ip route add table ISP2 default via <gateway IP>' >> /etc/NetworkManager/dispatcher.d/200-custom-routes chmod +x /etc/NetworkManager/dispatcher.d/200-custom-routes
- Reboot and verify things work.
wireguard
- Install wireguard
dnf install -y wireguard-tools
- Configure basic wiregaurd config
cd /etc/wireguard/ wg genkey > privatekey wg pubkey < privatekey > publickey
- Create wg0.conf file with the following contents
[Interface] PrivateKey = <private key> Address = 192.168.124.1/24 ListenPort = 51820
- Enable the interface
wg-quick up wg0 systemctl enable wg-quick@wg0
- Configure additional firewall settings.
firewall-cmd --permanent --zone=trusted --change-interface wg0
- Optional IPtables rules that might be needed
sudo iptables -F sudo iptables -t nat -F sudo iptables -t nat -A POSTROUTING -s 192.168.124.0/24 -o enp1s0 -j MASQUERADE sudo iptables -A FORWARD -i wg0 -o enp1s0 -j ACCEPT sudo iptables -A FORWARD -i enp1s0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -t nat -A POSTROUTING -s 192.168.124.0/24 -o enp2s0 -j MASQUERADE sudo iptables -A FORWARD -i wg0 -o enp2s0 -j ACCEPT sudo iptables -A FORWARD -i enp2s0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
