VPN - Using WireGuard
This page documents all WireGuard tunnels within BaziCloud and on family computers.
BazOne ⇔ Pi1
On each host make a private and public key.
wg genkey | tee privkey | wg pubkey > pubkey
chmod 400 *key
I will use 192.168.199.* as the address for each wg interface.
| Host | WG I/face IP | Accessible Endpoint | Subnets accessible |
|---|---|---|---|
| Bazone | 192.168.199.1 | baz.brusch.co.uk:64246 | docker subnets (see below) |
| Far1 | 192.168.199.2 | n/a (for now) | 192.168.182.8/32 |
| Pi1 | 192.168.199.3 | n/a (for now) | 192.168.182.0/24 |
Config
Config is an INI-style conf file in /etc/wireguard, named <interface>.conf.
To make the config file, the following info is required:
- local private key
- the public keys of each peer
On BazOne
[Interface]
Address=192.168.199.1/24
ListenPort = 64246
PrivateKey = blahBlahKey=
[Peer]
PublicKey = blahBlahKey=
AllowedIPs = 192.168.182.0/24, 192.168.199.3/32
On Pi1
[Interface]
Address=192.168.199.3/24
ListenPort = 64246
PrivateKey = blahBlahKey=
[Peer]
PublicKey = blahBlahKey=
AllowedIPs = 10.0.1.0/24, 192.168.199.1/32
Endpoint = baz.brusch.co.uk:64246
Endpoint is only needed on the host that initiates the connection; the peer it connects to must have a fixed FQDN or IP address.
Making into Systemd Service
Hoping this will ensure it autostarts.
systemctl enable wg-quick@bazicloud.service
IP Forwarding
Testing showed that packets were not being forwarded by pi1, the local end of the tunnel.
Eventually I found that I needed to enter the commands:
iptables -A FORWARD -i eth0 -o bazicloud -j ACCEPT
iptables -A FORWARD -i bazicloud -o eth0 -j ACCEPT
The fix continued to work after the tunnel was taken down and back up.
These commands were added to /etc/wireguard/bazicloud.conf on pi1 as PostUp commands (wg-quick only reads PostUp from the [Interface] section).
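The config layout in the Config section and the PostUp fix just described are easy to get subtly wrong: a key pasted with a stray character, an AllowedIPs range that two peers both claim, or PostUp placed under [Peer] where wg-quick will not read it. The following is an added example, not part of these notes or of the WireGuard project, of an offline checker for a wg-quick style conf file. The sample config and its keys are constructed placeholders modelled on bazicloud.conf, and the helper names are my own.

```python
"""Offline sanity checks for a wg-quick style WireGuard config (added example).

The constructed sample below is modelled on the bazicloud.conf layout on this
page; the keys are placeholders, not real keys.
"""
import base64
import ipaddress

# Constructed placeholder key: 32 zero bytes, base64 encoded (right shape, useless value)
PLACEHOLDER_KEY = base64.b64encode(bytes(32)).decode()

SAMPLE_CONF = f"""
[Interface]
Address = 192.168.199.3/24
ListenPort = 64246
PrivateKey = {PLACEHOLDER_KEY}
PostUp = iptables -A FORWARD -i eth0 -o bazicloud -j ACCEPT
PostUp = iptables -A FORWARD -i bazicloud -o eth0 -j ACCEPT

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 10.0.1.0/24, 192.168.199.1/32
Endpoint = baz.brusch.co.uk:64246
"""

# Keys that wg-quick(8) and wg(8) accept in each section
INTERFACE_KEYS = {"Address", "ListenPort", "PrivateKey", "DNS", "MTU", "Table", "FwMark",
                  "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig"}
PEER_KEYS = {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive"}


def parse_wg_conf(text):
    """Parse into [(section_name, [(key, value), ...]), ...].

    Hand-rolled rather than configparser because a WireGuard file legitimately
    repeats sections ([Peer]) and keys (PostUp)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].append((key, value))
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def valid_key(value):
    """A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_wg_conf(text, needs_endpoint=True):
    """Return a list of problems; an empty list means every check passed.

    needs_endpoint=True for the host that initiates the tunnel (Pi1 here);
    the listening side (BazOne) can pass False."""
    problems = []
    sections = parse_wg_conf(text)
    if sum(name == "Interface" for name, _ in sections) != 1:
        problems.append("exactly one [Interface] section is required")
    claimed = []  # (section index, network) for the cryptokey-routing overlap check
    for idx, (name, entries) in enumerate(sections):
        keys = {k for k, _ in entries}
        for key, value in entries:
            if name == "Interface" and key in PEER_KEYS:
                problems.append(f"{key} belongs in a [Peer] section, not [Interface]")
            if name == "Peer" and key in INTERFACE_KEYS:
                problems.append(f"{key} belongs in [Interface]; wg-quick passes it on to "
                                f"'wg setconf', which rejects it under [Peer]")
            if key in ("PrivateKey", "PublicKey", "PresharedKey") and not valid_key(value):
                problems.append(f"{key} in section {idx} is not a 32-byte base64 key")
            if key == "AllowedIPs":
                for cidr in value.split(","):
                    try:
                        claimed.append((idx, ipaddress.ip_network(cidr.strip(), strict=False)))
                    except ValueError:
                        problems.append(f"AllowedIPs entry {cidr.strip()!r} is not a valid CIDR")
        if name == "Peer":
            if "PublicKey" not in keys:
                problems.append(f"peer in section {idx} has no PublicKey")
            if "AllowedIPs" not in keys:
                problems.append(f"peer in section {idx} has no AllowedIPs, so nothing routes to it")
            if needs_endpoint and "Endpoint" not in keys:
                problems.append(f"peer in section {idx} has no Endpoint; the initiating side needs one")
    # AllowedIPs form a routing table: an address belongs to one peer only, and a
    # later peer that claims it silently takes it away from the earlier one.
    for i, (pi, ni) in enumerate(claimed):
        for pj, nj in claimed[i + 1:]:
            if pi != pj and ni.overlaps(nj):
                problems.append(f"AllowedIPs {ni} (section {pi}) overlaps {nj} (section {pj})")
    return problems


def with_postup_under_peer(text):
    """Rewrite a config so its PostUp lines sit at the end, i.e. under the last [Peer]."""
    lines = text.splitlines()
    kept = [ln for ln in lines if not ln.startswith("PostUp")]
    moved = [ln for ln in lines if ln.startswith("PostUp")]
    return "\n".join(kept + moved) + "\n"


if __name__ == "__main__":
    print("good config:", check_wg_conf(SAMPLE_CONF) or "no problems")
    print("PostUp under [Peer]:", check_wg_conf(with_postup_under_peer(SAMPLE_CONF)))
```

Run it against a real file with `check_wg_conf(open("/etc/wireguard/bazicloud.conf").read())`; on the listening host pass `needs_endpoint=False`. The overlap check is the one worth keeping around: if a second peer (Far1, say) is later given an AllowedIPs range that overlaps Pi1's, WireGuard moves those addresses to whichever peer is loaded last and the other peer stops receiving that traffic with no error.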
Full Contents of bazicloud.conf:
[Interface]
Address = 192.168.199.2/32
ListenPort = 64246
PrivateKey = WNe8UaA/xwLfZkzD/7WMNq9s6JcufHGSk+o5wALM6Fo=
# wg-quick only honours PostUp/PostDown here in [Interface]; under [Peer] it hands
# them to 'wg setconf', which rejects them. PostDown removes the rules again so
# they do not pile up each time the tunnel is brought down and back up.
PostUp = iptables -A FORWARD -i eth0 -o bazicloud -j ACCEPT
PostUp = iptables -A FORWARD -i bazicloud -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o bazicloud -j ACCEPT
PostDown = iptables -D FORWARD -i bazicloud -o eth0 -j ACCEPT
[Peer]
PublicKey = rdJVeajmx8mNPWcNX14A0ff4jvAjspoqGLX+9sol3hI=
AllowedIPs = 10.0.1.0/24, 192.168.199.0/24
Endpoint = 213.171.203.63:64246
Docker Subnets
It looks like each host should use a different IP address range for its Docker networks, otherwise the container subnets at the two ends of the tunnel collide. I found https://cylab.be/blog/277/changing-dockers-default-subnet-ip-range which says you can set the range in /etc/docker/daemon.json, e.g.:
{
  "default-address-pools": [
    {"base": "172.18.0.0/16", "size": 24}
  ]
}
The docker default is 172.17.0.0.
A one-liner to list the name and address of every running container (note: docker ps must be given a plain {{.Names}} format, because the "table" form prints a NAMES header row that docker inspect would then try to look up):
for DOCK in $(docker ps --format '{{.Names}}'); do docker inspect --format '{{.Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}' "$DOCK"; done
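Before editing daemon.json on each host it is worth checking that the chosen Docker pools stay clear of each other, of the WireGuard subnet and of any LAN routed over the tunnel. The following is an added example, not from these notes or from Docker, that enumerates the subnets a default-address-pools entry yields and reports overlaps. The host names, the second host's 172.19.0.0/16 pool and the reserved ranges are constructed from the table on this page; the function names are my own.

```python
"""Plan Docker address pools that stay clear of each other and of tunnel/LAN ranges.

Added example for this page, not from the original notes or from Docker. The
pools mirror the daemon.json "default-address-pools" setting: each entry is
carved into subnets of `size` bits, one per Docker network.
"""
import ipaddress
import json

# Constructed sample: BazOne on the page's 172.18.0.0/16, Pi1 on the next /16,
# and the WireGuard and Pi1 LAN ranges from the table on this page as reserved.
HOST_POOLS = {
    "bazone": [{"base": "172.18.0.0/16", "size": 24}],
    "pi1": [{"base": "172.19.0.0/16", "size": 24}],
}
RESERVED = {
    "wireguard": "192.168.199.0/24",
    "pi1-lan": "192.168.182.0/24",
}


def pool_subnets(pool):
    """Every subnet Docker could hand out from one pool entry, in allocation order."""
    base = ipaddress.ip_network(pool["base"], strict=False)
    return list(base.subnets(new_prefix=pool["size"]))


def find_collisions(host_pools, reserved):
    """Return (owner_a, owner_b, network) triples for every pair of ranges that overlap.

    Owners are host names or reserved-range labels. Two pools on the same host are
    allowed to touch, so a host is never reported against itself."""
    ranges = [(label, ipaddress.ip_network(cidr)) for label, cidr in reserved.items()]
    for host, pools in host_pools.items():
        for pool in pools:
            ranges.append((host, ipaddress.ip_network(pool["base"], strict=False)))
    hits = []
    for i, (a, net_a) in enumerate(ranges):
        for b, net_b in ranges[i + 1:]:
            if a != b and net_a.overlaps(net_b):
                # report the more specific of the two, which is the range actually at risk
                smaller = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
                hits.append((a, b, str(smaller)))
    return hits


def daemon_json(pools):
    """Render the /etc/docker/daemon.json content for one host."""
    return json.dumps({"default-address-pools": pools}, indent=2)


if __name__ == "__main__":
    for host, pools in HOST_POOLS.items():
        print(f"{host}: {len(pool_subnets(pools[0]))} networks available from {pools[0]['base']}")
        print(daemon_json(pools))
    print("collisions:", find_collisions(HOST_POOLS, RESERVED) or "none")
    # A host left on a 192.168.0.0/16 pool (constructed case) would swallow both reserved ranges
    print("192.168.0.0/16 pool vs reserved:",
          find_collisions({"any-host": [{"base": "192.168.0.0/16", "size": 20}]}, RESERVED))
```

The collision check deliberately works on the pool base, not on the individual /24s: Docker may allocate any subnet from the pool, so the whole pool has to be free of the tunnel and LAN ranges, not just the subnets currently in use.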