Wireguard

Wireguard on Debian

Wireguard with Debian

Grab a fresh Debian install that has public internet access. The goal is to build a WG tunnel and assign a public IP to the server through it.

Debian 11.6

apt-get install -y wireguard wireguard-tools

Gen Key

cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Set Vars

myprivkey=$(cat privatekey)
mypublicaddress="45.xx.xx.xx/28, 2a0e:xxxx:xxx::xxx/64"
yourpubkey="3XK8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
yourpubip="45.xxx.xxx.xxx"
yourpubport="443"

Config

cat << EOF > wg0.conf
[Interface]
PrivateKey = ${myprivkey}
# the public IPv4/IPv6 addresses set in mypublicaddress above
Address    = ${mypublicaddress}

[Peer]
PublicKey  = ${yourpubkey}
Endpoint   = ${yourpubip}:${yourpubport}
# route all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
# keep the NAT/firewall mapping alive with a packet every 60 seconds
PersistentKeepalive = 60
EOF

Tunnel UP

systemctl enable wg-quick@wg0
systemctl start  wg-quick@wg0
systemctl status wg-quick@wg0

Check IP


sha256: c4d87bfca434aca32d6a8869720220b6ea4abe1ff534dd6e715cbb73d4f7025e

Headscale - OpenBSD

Running Headscale Server on OpenBSD

i like and widely use wireguard for my infrastructure. i’m also aware of its limitations and i know the tailscale project but never gave it a try. recently, i stumbled upon the headscale project, an open-source alternative to the (closed) tailscale server. perfect, let’s give it a try!

and, of course, i’m going to implement this with OpenBSD, what else ;)

Docs

on the Server

compile and install server

this works on OpenBSD 7.1, and also on the upcoming version 7.2

Wireguard with Public IP behind NAT

… or how to host a dual-stacked public website behind an IPv4 NAT box without a reverse proxy, port forwarding and other ugly stuff …

inspired by the following post, i started a little project and redesigned the connectivity for my Hamster’s Webserver :)

i wrote a mail to the guys from tetaneutral.net and asked them for the wireguard vpn service with public ipv4/ipv6 addresses for my server. as i didn’t get any feedback, i had to implement the “Server” on my own.

Wireguard Puffy to OPNsense

WG Tunnel between OpenBSD and OPNsense

How to set up a WG tunnel between OpenBSD and OPNsense? That’s quite simple …

OpenBSD

Install Packages

pkg_add wireguard-tools--

Gen Key One-liner

wg genkey | tee privatekey | wg pubkey > publickey

Build Interface

# 32 random bytes as the private key; the privatekey file from the one-liner above works just as well
r=$(openssl rand -base64 32)
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"

# unquoted EOF so the variables above are expanded into the file
cat << EOF > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey   ${r}
wgport  51820
wgpeer  xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
inet    10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF

# the file contains the private key, keep it unreadable for others
chmod 640 /etc/hostname.wg0

sh /etc/netstart wg0
ifconfig wg0

update pf.conf

# macro for the remote peer (pf.conf uses $name, not shell-style ${name})
remote_ip = "1.2.3.4"

# skip on wg Interface
set skip on { lo0 wg0 }

# Wireguard (UDP only)
pass in log quick inet proto udp from $remote_ip/32 to (self) port 51820

OPNsense

Install Wireguard

Menu System -> Firmware -> Plugins -> Install Wireguard

Wireguard on (current | 6.8 and higher)

Wireguard on OpenBSD

OpenBSD added wg(4) to the kernel a while ago … why not have a look at it and do some speed tests … ?

Setup

CLIENT1 — WireGuard — CLIENT2

and running tcpbench between Client1 and Client2

Fire up VMs

Stage 3 VMs on my little Proxmox server (Intel NUC)

host       nic  ip             wg   ip
Client1    em0  192.168.108.7  wg0  10.0.0.1
WireGuard  em0  192.168.108.8  wg0  10.0.0.2
Client2    em0  192.168.108.0  wg0  10.0.0.3

wg_overlay: 10.0.0.0/24

Wireguard

WireGuard Stuff, 2019-09-18

Resources

Also Check my new Post about Wireguard on Current …

Using wireguard on OpenBSD

OpenBSD Router: VPN

Wireguard Server

Packages

pkg_add wireguard-go \
  wireguard-tools \
  libqrencode

Config & Enable WG

rcctl enable wireguard_go
rcctl set wireguard_go flags tun2

Prepare Environment

mkdir -p /etc/wireguard/{keys,config}
cd /etc/wireguard

Generate Keys

wg genkey | tee keys/server-private.key    | wg pubkey > keys/server-public.key
wg genkey | tee keys/client001-private.key | wg pubkey > keys/client001-public.key
wg genkey | tee keys/client002-private.key | wg pubkey > keys/client002-public.key
wg genkey | tee keys/client003-private.key | wg pubkey > keys/client003-public.key

chmod 600 keys/*private.key

Config Interface

cat << 'EOF' > /etc/hostname.tun2
10.0.0.1 10.0.0.2 netmask 255.255.255.0
inet6 alias 2001:db8::1 128
dest 2001:db8::2
!/bin/sleep 10 && /usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf &
EOF

IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
EOF

sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1

server.conf

# unquoted EOF so that the $(cat ...) key lookups are expanded into the file
cat << EOF > server.conf
[Interface]
PrivateKey  = $(cat keys/server-private.key)
ListenPort  = 51820

# IPv4 only
[Peer]
PublicKey   = $(cat keys/client001-public.key)
AllowedIPs  = 10.0.0.2/32

# IPv6 only
[Peer]
PublicKey   = $(cat keys/client002-public.key)
AllowedIPs  = 2001:db8::3/128

# IPv4 and IPv6
[Peer]
PublicKey   = $(cat keys/client003-public.key)
AllowedIPs  = 2001:db8::4/128, 10.0.0.4/32
EOF

chmod 600 server.conf
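The three [Peer] stanzas above each claim their own prefixes. WireGuard's cryptokey routing maps every AllowedIPs prefix to exactly one peer, so a prefix listed under two peers is not rejected but silently ends up with whichever peer was configured last. The following added check is not part of the original post (the sample config and key names are constructed); it reads a server config and reports such conflicts, plus catch-all prefixes:

```shell
#!/bin/sh
# Added example: find AllowedIPs prefixes claimed by more than one [Peer].
# Reads a WireGuard config on stdin, prints CONFLICT/WARN lines and exits 1
# if a prefix is owned by two peers (WireGuard would silently keep one).
# Usage: wg_allowedips_conflicts < /etc/wireguard/server.conf
wg_allowedips_conflicts() {
    awk '
        # value of a "Key = value" line, without surrounding whitespace
        function val() { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); return $0 }
        /^[ \t]*\[Peer\]/   { peer++; next }
        peer == 0           { next }                  # still in [Interface]
        /^[ \t]*PublicKey/  { pub[peer] = val(); next }
        /^[ \t]*AllowedIPs/ {
            n = split(val(), ips, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) aips[peer, ++cnt[peer]] = ips[i]
        }
        END {
            rc = 0
            for (p = 1; p <= peer; p++)
                for (i = 1; i <= cnt[p]; i++) {
                    ip = aips[p, i]
                    if (ip in owner) { printf "CONFLICT %s: %s and %s\n", ip, owner[ip], pub[p]; rc = 1 }
                    else owner[ip] = pub[p]
                    # a default route on the server side catches every destination
                    # that no other peer claims, so make sure it is intentional
                    if (ip == "0.0.0.0/0" || ip == "::/0")
                        printf "WARN %s is a catch-all for peer %s\n", ip, pub[p]
                }
            exit rc
        }'
}
# Constructed sample config (placeholder keys): client003 repeats 10.0.0.2/32.
sample_server_conf() {
cat << 'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820
[Peer]
PublicKey  = client001pub=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey  = client002pub=
AllowedIPs = 2001:db8::3/128
[Peer]
PublicKey  = client003pub=
AllowedIPs = 2001:db8::4/128, 10.0.0.2/32
EOF
}
sample_server_conf | wg_allowedips_conflicts || echo "exit status $?"
```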

Update PF

... snip ...

set skip on { lo0 enc0 tun2 }

# WG Stuff
match out log on egress inet  from (tun2:network) nat-to (egress:0)
match out log on egress inet6 from (tun2:network) nat-to (egress)

... snip ...

# Block all
block log

... snip ...

# Allow Wireguard from any (WireGuard only speaks UDP)
pass in log quick inet  proto udp from any to (self) port { 51820 }
pass in log quick inet6 proto udp from any to (self) port { 51820 }

... snip ...

Reboot the server to activate all config

reboot

cd /etc/wireguard

Update Config Script

cat << 'EOF' > wg_update_config.sh
#!/bin/sh
# re-apply server.conf to the running interface and show the result
cd /etc/wireguard || exit 1
wg setconf tun2 server.conf
wg show
exit 0
EOF

chmod 755 wg_update_config.sh

Wireguard Client

IPv4 only

# unquoted EOF so the key files and the egress address are expanded into the file
cat << EOF > config/client001.conf
[Interface]
PrivateKey  = $(cat keys/client001-private.key)
Address     = 10.0.0.2/32
DNS         = 8.8.8.8

[Peer]
PublicKey   = $(cat keys/server-public.key)
# only traffic to the DNS server goes through the tunnel
AllowedIPs  = 8.8.8.8/32
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820
EOF

IPv6 only

cat << EOF > config/client002.conf
[Interface]
PrivateKey  = $(cat keys/client002-private.key)
Address     = 2001:db8::3/128
DNS         = 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 2001:4860:4860::8888/128
# global IPv6 address of the egress interface, link-local excluded
Endpoint    = [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF

IPv4+6 (not yet working …)

cat << EOF > config/client003.conf
[Interface]
PrivateKey  = $(cat keys/client003-private.key)
Address     = 10.0.0.4/32, 2001:db8::4/128
DNS         = 8.8.8.8, 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32, 2001:4860:4860::8888/128
# NOTE: Endpoint takes a single host:port; the comma-separated pair below is
# not valid WireGuard syntax, which is why this config is not yet working
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820, [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF

Generate QR

cat config/client001.conf | qrencode -t ansiutf8
cat config/client002.conf | qrencode -t ansiutf8
cat config/client003.conf | qrencode -t ansiutf8

Show Commands

puffy66 1 ../wireguard# wg show
interface: tun2
  public key: eBzb9Q+95EQj2C2hRd7RuGH4dES9sjfgjWHHFskJ+SQ=
  private key: (hidden)
  listening port: 51820

peer: 6i2k+s3bgUgRRbVefCNzjQPJZbsIzipNsFOmjFCnLHE=
  endpoint: 192.168.108.125:52565
  allowed ips: 10.0.0.2/32
  latest handshake: 56 seconds ago
  transfer: 13.19 KiB received, 8.07 KiB sent

peer: gRWzWzJIelqez9/lHsL/KsDDKjCoZK6I91hggeNELmc=
  allowed ips: 2001:db8::3/128

peer: pulLKxKk6dwFf6xlb+mEiP4AdS0jbs5hYOvMC7FfNXM=
  allowed ips: 10.0.0.4/32, 2001:db8::4/128
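The `wg show` output above (like `systemctl status wg-quick@wg0` in the Debian post) only tells you that a handshake happened at some point. The following added script is not part of the original posts; it parses the machine-readable `wg show <iface> dump` output and flags peers whose last handshake is older than a threshold or that never completed one. The sample dump, peer names and endpoints are constructed.

```shell
#!/bin/sh
# Added example: report WireGuard peers with stale or missing handshakes.
# Input is `wg show <iface> dump` (tab-separated; line 1 describes the
# interface, every further line one peer:
# pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive).
# Usage: wg show wg0 dump | wg_handshake_report "$(date +%s)" 180
wg_handshake_report() {
    now="$1"; max_age="$2"
    awk -F'\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                              # interface line, skip
        {
            pub = $1; endpoint = $3; hs = $5
            if (hs == 0) { status = "NEVER"; age = "-" }  # never handshaked
            else {
                age = now - hs
                status = (age > max) ? "STALE" : "OK"
            }
            printf "%s %s %s %s\n", status, pub, age, endpoint
        }'
}

# Number of peers that are not OK; handy as the exit status of a cron check.
wg_unhealthy_count() {
    wg_handshake_report "$1" "$2" | grep -vc '^OK '
}

# Constructed sample dump (not real keys or endpoints): one healthy peer,
# one that never connected, one whose handshake is hours old.
sample_dump() {
    printf 'privhidden\tserverpub=\t51820\toff\n'
    printf 'peerA=\t(none)\t192.0.2.10:52565\t10.0.0.2/32\t1699999900\t13500\t8200\t60\n'
    printf 'peerB=\t(none)\t(none)\t2001:db8::3/128\t0\t0\t0\toff\n'
    printf 'peerC=\t(none)\t198.51.100.7:41000\t10.0.0.4/32\t1699990000\t100\t100\toff\n'
}

sample_dump | wg_handshake_report 1700000000 180
```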


sha256: eac4ea99441b96d1bd1b22b00d615ca82cda2d67a6dfada8f9876ba75e6fb4f1