Wireguard
sources:
- https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04
Per the RFC, IPv6 uses the unicast prefix fd00::/8; here the random string 24609a6c18 is appended, giving fd24:609a:6c18::x/64.
- /etc/wireguard/wg0.conf
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
ListenPort = 51820
SaveConfig = true

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
---
sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
sysctl -p   # reloads /etc/sysctl.conf; put the two keys there so forwarding survives a reboot
---
- set up NAT
- find the public interface:
ip route list default
- open the port for WG in nftables:
sudo ufw allow 51820/udp
---
- set up the systemd service
systemctl enable wg-quick@wg0.service
client -------
- generate keys
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key
- /etc/wireguard/wg0.conf
[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24
Address = fd24:609a:6c18::2/64

[Peer]
PublicKey = U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=
AllowedIPs = 10.8.0.0/24, fd24:609a:6c18::/64
Endpoint = 203.0.113.1:51820
- This way all peers can see each other.
- Does this send all traffic through the WG gateway?
AllowedIPs = 0.0.0.0/0, ::/0
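A small checker for the wg-quick configs above, answering the AllowedIPs question programmatically: it parses the config (repeated Address keys included), rejects placeholder keys that are not 32-byte base64, and reports per address family whether a peer's AllowedIPs contains a /0, which is what makes wg-quick install a default route through the tunnel. This is an added example, not part of the original notes or of WireGuard itself; the embedded sample config is constructed from the client config above with the full-tunnel AllowedIPs.

```python
import base64
import ipaddress
# Constructed sample: the client config from the notes above, full-tunnel variant.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = base64_encoded_peer_private_key_goes_here
Address = 10.8.0.2/24
Address = fd24:609a:6c18::2/64
[Peer]
PublicKey = U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.1:51820
"""

def parse_wg_conf(text):
    """Parse a wg-quick config into [(section, {key: [values]})]; keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif line:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def is_valid_key(value):
    """A WireGuard key is 32 raw bytes, base64-encoded; placeholders fail here."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # not base64 at all
        return False

def tunnel_scope(allowed_ips):
    """Per address family: 'full' if AllowedIPs holds a /0 (default route via wg0)."""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for entry in allowed_ips for n in entry.split(",")]
    return {v: "full" if any(n.version == v and n.prefixlen == 0 for n in nets)
            else "split" for v in (4, 6)}

def audit(text):
    findings = []
    for name, kv in parse_wg_conf(text):
        for k in ("PrivateKey", "PublicKey", "PresharedKey"):
            findings += [f"{name}: {k} is not a valid 32-byte base64 key"
                         for v in kv.get(k, []) if not is_valid_key(v)]
        if name == "Peer":
            scope = tunnel_scope(kv.get("AllowedIPs", []))
            findings.append(f"Peer: IPv4 {scope[4]} tunnel, IPv6 {scope[6]} tunnel")
    return findings
```

Run audit() on the split-tunnel config from the notes (AllowedIPs = 10.8.0.0/24, fd24:609a:6c18::/64) and it reports "split" for both families, which is the difference the question above is asking about.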