root@www:~# cat /etc/wireguard/wg0.conf
# define the local WireGuard interface (client)
[Interface]
# contents of file wg-private.key that was recently created
# NOTE(review): this private key has been pasted in clear text, so it has to be
# treated as compromised: generate a fresh pair (wg genkey) before the tunnel is
# used for anything real, and keep this file root-owned and mode 0600.
PrivateKey = 8OnGEbyl8sJG3456795wVWfGurmyFjIRqkjL16ix0k0=
ListenPort = 39026
# define the remote WireGuard interface (server)
[Peer]
# contents of wg-public.key on the WireGuard server
# NOTE(review): this is NOT the server's key -- it is the client's own public
# key (it is byte-for-byte the `public key:` line that `wg show wg0` prints on
# this host). The server's key is the `public key:` line of `wg show wg1` on
# the server. WireGuard silently ignores a peer whose key equals the
# interface's own key, which would explain why `wg show wg0` lists no peer at
# all and why ping fails with "required key not available" (ENOKEY: no peer
# owns the destination address).
PublicKey = 27Pu1yyz2qw7DNF4m+mVn5gD/yS/9BBYp9Yqo+HqVTU=
# the IP address of the server on the WireGuard network
# (AllowedIPs is also the inbound source filter: only packets whose source is
# 10.160.0.1 are accepted from this peer)
AllowedIPs = 10.160.0.1/32
# public IP address and port of the WireGuard server
Endpoint = dns.name.com:11950
root@opnsense2:~ # cat /usr/local/etc/wireguard/wg1.conf
[Interface]
# NOTE(review): private key pasted in clear text (it also looks truncated or
# redacted -- a WireGuard key is 44 base64 characters). Whatever was posted is
# burned; rotate it and update the client's [Peer] PublicKey accordingly.
PrivateKey = GCeK43mnQwtekhnG1dgN3eUes8+qYCmA=
# the server's own address in the 10.160.0.0/24 tunnel network
Address = 10.160.0.1/24
ListenPort = 11950
[Peer]
# friendly_name = RW-VPN
# the road-warrior client's public key (the `public key:` line of `wg show wg0`
# on the client). NOTE(review): the value below appears truncated in this paste.
PublicKey = 27Pu1yy7DNF4m+mVn5g9BBYp9Yqo+HqVTU=
# where the client currently is; for a roaming client this is learned from the
# first authenticated packet anyway
Endpoint = ip.of.rw.client:39026
# NOTE(review): the host bits are ignored, so this is really 10.160.0.0/24
# (`wg show wg1` reports `allowed ips: 10.160.0.0/24`). That routes the whole
# tunnel subnet to this single peer and, because AllowedIPs is also the inbound
# source filter, lets this peer send packets from any address in the /24; no
# second peer can share the range either. A single client should get exactly
# its own address: 10.160.0.2/32.
AllowedIPs = 10.160.0.2/24
root@www:~# wg show wg0
interface: wg0
  public key: 27Pu1yyz2qw7DNF4m+mVn5gD/yS/9BBYp9Yqo+HqVTU=
  private key: (hidden)
  listening port: 39026
root@opnsense2:~ # wg show wg1
interface: wg1
  public key: aNgUGpyjamqFPxbwK0Niy+HyesugijGTm1U=
  private key: (hidden)
  listening port: 11950

peer: 27Pu1yyz2qw7DNFm+mVn5gD/yS/9BBYp9Yqo+HqVTU=
  endpoint: ip.of.client.rw:39026
  allowed ips: 10.160.0.0/24
  transfer: 0 B received, 148 B sent
root@www:~# ping 10.160.0.1
PING 10.160.0.1 (10.160.0.1) 56(84) bytes of data.
From 10.160.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Der notwendige Schlüssel ist nicht verfügbar
From 10.160.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Der notwendige Schlüssel ist nicht verfügbar
^C
--- 10.160.0.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0
# describe wg0 as an IPv4 interface with static address
iface wg0 inet static
  # the IP address of this client on the WireGuard network
  # (a /32: ifupdown installs no route for the tunnel subnet or for the peer's
  # AllowedIPs, and unlike wg-quick, `wg setconf` below adds no routes either.
  # NOTE(review): check `ip route` after ifup; if the remote network from
  # wg0.conf (192.168.8.0/24) is missing, add a
  # `post-up ip route add 192.168.8.0/24 dev $IFACE` to this stanza)
  address 10.10.10.2/32
  # before ifup, create the device with this ip link command
  pre-up ip link add $IFACE type wireguard
  # before ifup, set the WireGuard config from earlier
  # (wg setconf reads the wg(8) format only -- [Interface]/[Peer] with
  # PrivateKey, ListenPort, PublicKey, AllowedIPs, Endpoint, ...; wg-quick keys
  # such as Address=, DNS= or PostUp= make it fail with "Line unrecognized",
  # which is why the tunnel address lives in the `address` line above.
  # The .conf holds the private key: keep it root-owned and mode 0600.)
  pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
  # after ifdown, destroy the wg0 interface
  post-down ip link del $IFACE
# define the local WireGuard interface (client)
[Interface]
# Address= is a wg-quick key; this file is loaded with `wg setconf`, which
# rejects it ("Line unrecognized"), so the tunnel address is assigned by the
# ifupdown stanza instead and the line stays commented out.
#Address = 10.10.10.2/32
# contents of file wg-private.key that was recently created
# NOTE(review): the visible prefix and suffix match the private key that was
# pasted in full earlier in this thread; a key that has been posted is
# compromised -- generate a new pair and update the server's [Peer] entry.
PrivateKey = 8On*ix0k0=
# no ListenPort: the kernel picks a UDP port when the interface comes up (the
# `wg` output later in the thread shows 51838). Fine for a client behind NAT;
# a fixed port only matters if the other side has to initiate.
#ListenPort = 39026
# define the remote WireGuard interface (server)
[Peer]
# contents of wg-public.key on the WireGuard server
# (the `wg` output later shows no `latest handshake:` line for this peer, i.e.
# no handshake has completed yet: verify that the server has this client's
# public key in a [Peer] and that the Endpoint's UDP port is reachable)
PublicKey = ZA6*ipXg=
# the IP address of the remote network(s)
# (only traffic to this prefix enters the tunnel, and only packets sourced
# from it are accepted from the server; if the server also has a 10.10.10.x
# tunnel address, that address is not covered and cannot be pinged)
AllowedIPs = 192.168.8.0/24
# public IP address and port of the WireGuard server
Endpoint = [public ip of server]:51280
root@client:/etc# ifup wg0
Line unrecognized: `Address=10.10.10.2/32'
Configuration parsing error
ifup: failed to bring up wg0
root@netcup:/etc# wg
interface: wg0
  public key: 27Pu1yyz*p9Yqo+HqVTU=
  private key: (hidden)
  listening port: 51838

peer: ZA6BNlmf7z*jj32rKDDh5l6WipXg=
  endpoint: publicsrvip:51280
  allowed ips: 192.168.8.0/24
# umask 077 first: every file created afterwards gets mode 0600 (owner
# read/write only), so private.key is never world-readable, not even for the
# instant before a later chmod would fix it.
$ umask 077
# one pipeline: genkey emits the private key, tee stores it in private.key and
# passes it on, pubkey derives the matching public key into public.key.
# Only public.key is handed to the other side; private.key never leaves this
# host (and must not be pasted anywhere).
$ wg genkey | tee private.key | wg pubkey > public.key
# wg-quick(8) format: Address=, DNS=, PostUp=/PreDown= are wg-quick-only keys
# (`wg setconf` rejects them). Bring up with `wg-quick up <name>`.
[Interface]
# this host's tunnel address
Address = x.x.x.x/32
# resolver to use while the tunnel is up (applied by wg-quick)
DNS =
# NOTE(review): keep this file mode 0600 -- it holds the private key
PrivateKey =
# "kill switch" as given in the wg-quick(8) man page: once the interface is
# up, reject every outbound IPv4 packet that (a) is not leaving through the
# tunnel, (b) does not carry the fwmark wg-quick assigns to WireGuard's own
# encrypted UDP traffic, and (c) is not addressed to a local address. `%i` is
# replaced by the interface name.
# NOTE(review): AllowedIPs sends ::/0 through the tunnel as well, but only
# iptables (IPv4) is covered here -- add the equivalent ip6tables rules,
# otherwise IPv6 traffic is not blocked when the tunnel is down.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# remove the same rule just before the interface goes down
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
# the server's public key
PublicKey =
# optional extra symmetric key (wg genpsk); must be identical on both sides
PreSharedKey =
# full tunnel: all IPv4 and IPv6 traffic is routed to this peer
AllowedIPs = 0.0.0.0/0, ::/0
# server's public IP or hostname and UDP port
Endpoint =