diff --git a/wireguard-go/README.md b/wireguard-go/README.md index b0c241b..c0cc987 100644 --- a/wireguard-go/README.md +++ b/wireguard-go/README.md 
@@ -1,36 +1,64 @@ # Wireguard VPN server / client -### Features +## Features + 1. Wireguard VPN to anywhere! Uses wireguard-go, not the kernel module. 1. Persists through reboots and firmware updates. 1. Tested with a Wireguard Server in AWS. -### Requirements +## Requirements + 1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) 1. Not recommended for Wireguard newbies. Set it up on other devices first. This document does not include iptables / nat rules. -### Customization -* Update [wg0.conf](configs/wg0.conf) to match your env +## Customization + +* Update [wg0.conf](configs/wg0.conf) to match your environment +* You can use a custom interface name by changing wg0.conf to whatever you like +* Use PostUp and PostDown in your wg.conf to execute any commands after the interface is created or destroyed + +## Steps -### Steps 1. Create your public and private keys - ```shell script + + ```sh podman run -i --rm --net=host --name wireguard_conf masipcat/wireguard-go wg genkey > /mnt/data/wireguard/privatekey podman run -i --rm --net=host --name wireguard_conf masipcat/wireguard-go wg genkey < /mnt/data/wireguard/privatekey > /mnt/data/wireguard/publickey ``` -1. Make configurations dir - ```shell script + +2. Make a directory for your configuration + + ```sh mkdir -p /mnt/data/wireguard ``` -1. Create wireguard configuration file in /mnt/data/wireguard. Template: [wg0.conf](configs/wg0.conf) -1. Copy [20-wireguard.sh](on_boot.d/20-wireguard.sh) to /mnt/data/on_boot.d and update its values to reflect your environment -1. Execute /mnt/data/on_boot.d/20-wireguard.sh -1. If you are running a server, make the appropriate firewall rules / port forwards + +3. Create a [Wireguard configuration](configs/wg0.conf) in /mnt/data/wireguard. +4. Copy [20-wireguard.sh](on_boot.d/20-wireguard.sh) to /mnt/data/on_boot.d and update its values to reflect your environment +5. 
Execute /mnt/data/on_boot.d/[20-wireguard.sh](on_boot.d/20-wireguard.sh) +6. If you are running a server, make the appropriate firewall rules / port forwards +7. Execute the wg command in the container to verify the tunnel is up. It should look something like this. + + ```sh + $ podman exec -it wireguard wg + interface: wg0 + public key: <your public key here> + private key: (hidden) + listening port: 54321 + + peer: <your peers public key> + endpoint: 10.0.0.2:54321 + allowed ips: 10.1.0.0/16, 10.2.0.0/16 + latest handshake: 1 day, 14 hours, 46 minutes, 27 seconds ago + transfer: 138.44 MiB received, 5.00 GiB sent + ``` ### Useful commands -```shell script + +```sh +# See interface status, see your public key podman exec -it wireguard wg +# Bring up wg0 podman exec -it wireguard wg-quick up wg0 +# Bring down wg0 podman exec -it wireguard wg-quick down wg0 ``` - diff --git a/wireguard-go/configs/wg0.conf b/wireguard-go/configs/wg0.conf index 0504ee2..aa93d64 100644 --- a/wireguard-go/configs/wg0.conf +++ b/wireguard-go/configs/wg0.conf @@ -1,7 +1,7 @@ [Interface] # Change to map to your subnet Address = 10.20.0.3/24 -PrivateKey = <server privatekey> +PrivateKey = <server private key> # Can be whatever port you like ListenPort = 51820 diff --git a/wireguard-go/on_boot.d/20-wireguard.sh b/wireguard-go/on_boot.d/20-wireguard.sh index ee01b34..09de3f5 100644 --- a/wireguard-go/on_boot.d/20-wireguard.sh +++ b/wireguard-go/on_boot.d/20-wireguard.sh 
@@ -1,3 +1,10 @@ #!/bin/sh -podman run -i -d --rm --net=host --name wireguard --privileged -v /mnt/data/wireguard:/etc/wireguard -v /dev/net/tun:/dev/net/tun -e LOG_LEVEL=info -e WG_COLOR_MODE=always masipcat/wireguard-go +# Starts a wireguard container that is deleted after it is stopped. +# All configs stored in /mnt/data/wireguard + +podman run -i -d --rm --net=host --name wireguard --privileged \ + -v /mnt/data/wireguard:/etc/wireguard \ + -v /dev/net/tun:/dev/net/tun \ + -e LOG_LEVEL=info -e WG_COLOR_MODE=always \ + masipcat/wireguard-go
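Review bot: In the README hunk, step 1's second command derives the public key with the wrong subcommand: `wg genkey < /mnt/data/wireguard/privatekey > /mnt/data/wireguard/publickey` ignores stdin and writes a second, unrelated private key into `publickey`. It should be `wg pubkey < /mnt/data/wireguard/privatekey > /mnt/data/wireguard/publickey`. Also, step 1 writes into `/mnt/data/wireguard` before step 2 creates that directory with `mkdir -p`, so the two steps should be swapped (and an `umask 077` before writing the key files would stop the private key landing world-readable under the default umask). Two smaller points: `--net=host` is not needed on the key-generation container, since `wg genkey`/`wg pubkey` touch no network, and the `### Useful commands` heading was left at three hashes while the other headings in this file were promoted to `##`.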
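Review bot: The wg0.conf hunk only reworded the placeholder, but since `PrivateKey = <server private key>` puts the server's private key in plaintext in a file that the run script bind-mounts from `/mnt/data/wireguard`, the template comment should tell the reader to keep the file at mode 0600 (wg-quick itself warns when the config is group- or world-readable). A one-line comment above `PrivateKey`, e.g. `# Keep this file 0600; it contains the private key`, would cover it.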
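Review bot: The 20-wireguard.sh hunk keeps `--privileged` on the `podman run` line even though the container already gets `--net=host` and `-v /dev/net/tun:/dev/net/tun`; that hands the container full access to the host. wireguard-go needs `/dev/net/tun` plus `CAP_NET_ADMIN` for `wg-quick` to create the interface and set routes, so please try `--cap-add=NET_ADMIN --device /dev/net/tun` and, if the image still needs `--privileged` (for example because `wg-quick` writes sysctls under `/proc/sys`), say so in the new comment block so the reason is recorded. Two minor things on the same line: `-i` is meaningless together with `-d` (there is no attached stdin for a detached container) and can be dropped, and since this runs from on_boot.d with `--rm`, a guard such as `podman container exists wireguard || podman run ...` would avoid a name clash if the script is re-run while the container is still up.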