############
# Key generation
############
# Generate one WireGuard keypair per peer (peer0 .. peer9) in the current directory.
# The private key is written by tee inside a subshell whose umask is 0077, so the
# .key file is created without group/other permissions; tee's stdout feeds wg pubkey,
# which derives the matching public key into the .pub file. The .pub file is created
# with the caller's normal umask (it contains nothing secret).
for peer in 0 1 2 3 4 5 6 7 8 9
do
    wg genkey | (umask 0077 && tee "peer${peer}.key") | wg pubkey > "peer${peer}.pub"
done
############
# Server configuration
############
/etc/wireguard/wg0.conf
############
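[Interface]
# Server's own address inside the tunnel subnet.
Address = 10.200.200.1/24
# UDP port the server listens on; clients reference it in their Endpoint.
ListenPort = 51820
# Contents of the server's .key file. Because this value lives in the file,
# keep /etc/wireguard/wg0.conf readable by root only (mode 600).
PrivateKey = SERVER_PRIVATE_KEY

# substitute eth0 in the following lines to match the Internet-facing interface
# the FORWARD rules will always be needed since traffic needs to be forwarded between the WireGuard
# interface and the other interfaces on the server.
# if the server is behind a router and receives traffic via NAT, specify static routing back to the
# 10.200.200.0/24 subnet, the NAT iptables rules are not needed but the FORWARD rules are needed.
# if the server is behind a router and receives traffic via NAT but one cannot specify static routing back to
# 10.200.200.0/24 subnet, both the NAT and FORWARD iptables rules are needed.
# wg-quick runs PostUp/PostDown through a shell and replaces %i with the interface
# name (wg0); this is a wg-quick feature, not INI interpolation. Forwarding also
# requires IP forwarding to be enabled in the kernel, which is not shown here.
# NOTE(review): these FORWARD rules accept every forwarded packet entering or leaving
# the tunnel, including peer-to-peer traffic; restrict them if peers should only
# reach specific destinations.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# foo
# Contents of foo's .pub file.
PublicKey = PEER_FOO_PUBLIC_KEY
# Preshared key for this peer only (generate with: wg genpsk). It must equal the
# PresharedKey in foo's own config and must not be reused for any other peer.
PresharedKey = PEER_FOO_PRESHARED_KEY
# Only this single tunnel address is accepted from, and routed to, foo.
AllowedIPs = 10.200.200.2/32

[Peer]
# bar
# Contents of bar's .pub file.
PublicKey = PEER_BAR_PUBLIC_KEY
# Distinct preshared key for bar (wg genpsk); must equal the PresharedKey in bar's own config.
PresharedKey = PEER_BAR_PRESHARED_KEY
# Only this single tunnel address is accepted from, and routed to, bar.
AllowedIPs = 10.200.200.3/32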
###
# The interface can be brought up with wg-quick up wg0, or by starting (and optionally enabling) the wg-quick@interface.service unit, e.g. wg-quick@wg0.service. To close the interface, use wg-quick down wg0 or stop wg-quick@interface.service.
###
############
# Client configuration
############
foo.conf
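[Interface]
# foo's tunnel address; a /32 because only this host uses it.
Address = 10.200.200.2/32
# Contents of foo's .key file; it stays on foo and is never copied to the server.
PrivateKey = PEER_FOO_PRIVATE_KEY
# Resolver to use while the tunnel is up; wg-quick applies it via resolvconf.
DNS = 10.200.200.1

[Peer]
# The server's public key (wg pubkey of SERVER_PRIVATE_KEY).
PublicKey = SERVER_PUBLIC_KEY
# Must equal the PresharedKey in foo's [Peer] section of the server config.
PresharedKey = PEER_FOO_PRESHARED_KEY
# Public hostname and ListenPort of the server.
Endpoint = my.ddns.example.com:51820
# Route all IPv4 and IPv6 traffic through the tunnel (full-tunnel VPN).
AllowedIPs = 0.0.0.0/0, ::/0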
bar.conf
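[Interface]
# bar's tunnel address; a /32 because only this host uses it.
Address = 10.200.200.3/32
# Contents of bar's .key file; it stays on bar and is never copied to the server.
PrivateKey = PEER_BAR_PRIVATE_KEY
# Resolver to use while the tunnel is up; wg-quick applies it via resolvconf.
DNS = 10.200.200.1

[Peer]
# The server's public key (wg pubkey of SERVER_PRIVATE_KEY).
PublicKey = SERVER_PUBLIC_KEY
# Must equal the PresharedKey in bar's [Peer] section of the server config.
# (Placeholder fixed: the original "PRE-SHARED KEY" contained a space, which is not a valid key value.)
PresharedKey = PEER_BAR_PRESHARED_KEY
# Public hostname and ListenPort of the server.
Endpoint = my.ddns.example.com:51820
# Route all IPv4 and IPv6 traffic through the tunnel (full-tunnel VPN).
AllowedIPs = 0.0.0.0/0, ::/0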
###
# Note: Users of NetworkManager may need to enable NetworkManager-wait-online.service, and users of systemd-networkd may need to enable systemd-networkd-wait-online.service, so that devices are network-ready before a WireGuard connection is attempted.
###