christoph ender's

blog

saturday the 5th of november, 2022

wireguard

Having to keep a large number of systems operational requires some kind of monitoring, which in turn needs to be able to connect to the monitored systems. So far I've set up connections using OpenVPN or SSH, but using wireguard turned out to provide the best of both worlds.

On the one hand, configuration is extremely easy. One simply needs to create a public/private key pair on both the client and the server. The private key must not be readable by other users, so run this with a restrictive umask (077) or chmod the file afterwards:

wg genkey | tee privatekey | wg pubkey > publickey

A client's configuration file will include the client's private key and the server's public key, along with, in this example, the client's tunnel-ip 192.168.100.2 and, as the Endpoint, the server's public internet address 192.0.2.1 together with the udp port. PersistentKeepalive makes the client send a packet every 20 seconds so that a NAT or stateful firewall in between keeps its mapping open and the server can still reach the client.

[Interface]
PrivateKey = +IbvH5g+ArYgwOnJfeIs1y+5DUtZ8NdpoJODdW2pfW8=
Address = 192.168.100.2/24

[Peer]
PublicKey = LGVTEOmohkN7Iog7w9g20upjL+NzFLseqI6dmEEj4Q8=
AllowedIPs = 192.168.100.2/24
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 20

For the server we'll put the server's private key and the client's public key in the file, along with the server's tunnel-ip 192.168.100.1, the udp port the server is listening on and the client's tunnel-ip. Note the /32 here: the server routes only that single address to this client and, after decryption, only accepts packets from this client whose source address is 192.168.100.2, so one client cannot impersonate another client's tunnel address.

[Interface]
Address = 192.168.100.1/24
ListenPort = 51820
PrivateKey = 8GV73D7/04YxOkdnvsrCSKmZ1EVImzKxM2IbIilwJ30=

[Peer]
PublicKey = pj/vmU+hz0Rn9uMkR33qb81YKqINZN55gwqQD7UeLDo=
AllowedIPs = 192.168.100.2/32

If the configuration resides in /etc/wireguard/wg01.conf (readable by root only, since it contains the private key) the tunnel can be brought up on both sides using the following command; systemctl enable wg-quick@wg01 additionally starts it at boot:

systemctl start wg-quick@wg01

That's all. A separate [Peer] section is required for every client, which in turn means every client needs a fixed tunnel ip that is listed in its AllowedIPs, contrary to OpenVPN where an IP is assigned by the server from a pre-defined subnet.

It's also notable that the AllowedIPs parameter does double duty: it defines which ip ranges are routed through the tunnel to that peer, and after decryption it is the only filter applied to a peer's traffic, so a packet from a peer whose source address lies outside that peer's AllowedIPs is dropped (WireGuard calls this cryptokey routing). That makes it extremely simple to route additional ip ranges: In case there's a private subnet 172.16.0.0/16 on the other side of the tunnel, one can simply alter the AllowedIPs parameter in the following way on the client to access the subnet in question. The server then also needs ip forwarding enabled, and the hosts in 172.16.0.0/16 need a route back to 192.168.100.0/24 via the server, or the server has to masquerade the tunnel traffic:

AllowedIPs = 192.168.100.2/24, 172.16.0.0/16

Wireguard also works nicely with ipv6. There's no need for a second tunnel: the same interface carries both, you just add an ipv6 address next to the ipv4 one in Address and list the peer's ipv6 address in its AllowedIPs. The client side mirrors this with its own ipv6 Address and the server's ipv6 range in AllowedIPs:

[Interface]
Address = 192.168.100.1/24, fd00:0:0:10::1/64
ListenPort = 51820
PrivateKey = 8GV73D7/04YxOkdnvsrCSKmZ1EVImzKxM2IbIilwJ30=

[Peer]
PublicKey = pj/vmU+hz0Rn9uMkR33qb81YKqINZN55gwqQD7UeLDo=
AllowedIPs = 192.168.100.2/32, fd00:0:0:10::2/128
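Cryptokey routing as an added Python model, not code from the post or from WireGuard itself, covering both the AllowedIPs routing above and the mixed ipv4/ipv6 peer: every prefix belongs to exactly one peer, an outbound packet goes to the peer owning the longest prefix that matches the destination, and an inbound packet is only delivered if its source address maps back to the peer it was decrypted from. The server and client tables are built from the configs in the post; the second client 192.168.100.3 is an assumption added to show why the server lists a /32 per peer. Class and function names are my own.

```python
import ipaddress


class CryptokeyRouter:
    """Model of the cryptokey routing table behind one WireGuard interface.

    Each AllowedIPs prefix is owned by exactly one peer. An outbound packet is
    encrypted to the peer owning the longest prefix matching its destination; a
    packet decrypted from a peer is delivered only if its source address maps
    back to that same peer. Everything else is dropped.
    """

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        """allowed_ips is the comma-separated string exactly as written in the config file."""
        for prefix in allowed_ips.split(","):
            # Host bits are ignored, so 192.168.100.2/24 covers the whole /24.
            net = ipaddress.ip_network(prefix.strip(), strict=False)
            self.table[net] = name  # a prefix already owned by another peer moves to this one

    def lookup(self, address):
        """Longest-prefix match over all peers; None when no peer owns the address."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, name in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, name)
        return None if best is None else best[1]

    def route_outbound(self, dst):
        """Peer a packet for dst is sent to; None is what the kernel reports as
        'Required key not available' and the packet is dropped."""
        return self.lookup(dst)

    def accept_inbound(self, from_peer, src):
        """Whether a packet authenticated as coming from from_peer with source src is delivered."""
        return self.lookup(src) == from_peer


def page_server():
    """Server table from the post, plus an assumed second client to show the per-peer /32."""
    router = CryptokeyRouter()
    router.add_peer("client1", "192.168.100.2/32, fd00:0:0:10::2/128")
    router.add_peer("client2", "192.168.100.3/32, fd00:0:0:10::3/128")  # assumed, not in the post
    return router


def page_client():
    """Client table from the post with the extra 172.16.0.0/16 added to AllowedIPs."""
    router = CryptokeyRouter()
    router.add_peer("server", "192.168.100.2/24, 172.16.0.0/16")
    return router


if __name__ == "__main__":
    server, client = page_server(), page_client()
    # Constructed sample packets, not captured traffic.
    checks = [
        ("server -> 192.168.100.3 goes to", server.route_outbound("192.168.100.3")),
        ("server -> 192.168.100.9 goes to", server.route_outbound("192.168.100.9")),
        ("client2 spoofing source 192.168.100.2 delivered?", server.accept_inbound("client2", "192.168.100.2")),
        ("client1 from fd00:0:0:10::2 delivered?", server.accept_inbound("client1", "fd00:0:0:10::2")),
        ("client -> 172.16.5.5 goes to", client.route_outbound("172.16.5.5")),
        ("client -> 10.0.0.1 goes to", client.route_outbound("10.0.0.1")),
    ]
    for label, result in checks:
        print(f"{label}: {result}")
```

The spoofing check is the reason the server side must never widen a client's AllowedIPs to the whole /24: the moment a prefix covering another client's address is owned by a peer, that peer's packets with the other client's source address are delivered.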