I tried to install but got the following error, @devfx11 do you know what to do?
[root@testserver ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Key is not the correct length or format: `/etc/wireguard/server-private.key'
Configuration parsing error
[#] ip link delete dev wg0
[root@testserver wireguard]# cat server-private.key
YBzjPYaJFTZqn0u1xpLsb33qucPeVvm47Rt7+On8fXE=
I installed wireguard and followed your instructions:
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install wireguard-dkms wireguard-tools
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
mkdir /etc/wireguard
cd /etc/wireguard
wg genkey | tee server-private.key | wg pubkey > server-public.key
wg genkey | tee client-private.key | wg pubkey > client-public.key # just to have test client keys
printf "[Interface]\nAddress = 192.168.1.187/24\nListenPort = 51820\nPostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o NIC1 -j MASQUERADE\nPostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o NIC1 -j MASQUERADE\nPrivateKey = /etc/wireguard/server-private.key\nSaveConfig = true\n\n[Peer]\nPublicKey = /etc/wireguard/client-public.key\nAllowedIPs = 192.168.1.155/32\n" > /etc/wireguard/wg0.conf
chmod 700 *.key /etc/wireguard/wg0.conf
wg-quick up wg0
I just shouldn’t believe in false assumptions, I was absolutely sure a file is needed here
Thanks for pointing this out. I’ll go on with wireguard asap. I’d like to win at least a howto (you started already) out of this feature request, so others may try it and share their experiences…
[root@testvm2 wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to get device: Protocol not supported
Server:
[root@testserver wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3
[root@testserver wireguard]# ifconfig
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1
inet6 fe80::6175:2002:5bdf:7d00 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 3 dropped 0 overruns 0 carrier 0 collisions 0
Configuration steps:
# Download jdoss wireguard repo
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
# Install wireguard
yum -y install wireguard-dkms wireguard-tools
# Enable IP forward if not enabled
grep -qF "net.ipv4.ip_forward=1" "/etc/sysctl.conf" || echo "net.ipv4.ip_forward=1" >> "/etc/sysctl.conf"
sysctl -p
# Create wireguard dirs and keys
mkdir /etc/wireguard
cd /etc/wireguard
wg genkey | tee server-private.key | wg pubkey > server-public.key
wg genkey | tee client-private.key | wg pubkey > client-public.key
# Server conf
address=192.168.77.1/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/server-private.key)
publickey=$(cat /etc/wireguard/client-public.key)
allowedips=192.168.77.0/24
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE\nPostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\n" > /etc/wireguard/wg0.conf
# Client conf
address=192.168.77.2/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/client-private.key)
publickey=$(cat /etc/wireguard/server-public.key)
allowedips=0.0.0.0/0
publicvpnip=1.2.3.4
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = echo UP\nPostDown = echo DOWN\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\nEndpoint = $publicvpnip:$port\n" > /etc/wireguard/wg1.conf
# Set permissions
chmod 700 server-*.key *.conf
# Firewall config
config set fw_wireguard service TCPPort 51820 access green,red status enabled
signal-event firewall-adjust
# Start up wireguard
wg-quick up wg0
I’ve gotten wireguard to work from my PC, however I’m trying to connect Nethserver to my VPS and route all traffic from the green interface via wireguard, while traffic from the blue interface goes through the open internet. Seems like Shorewall is clobbering the traffic and dumping insane amounts of log messages to the console making almost impossible to debug. Any thoughts or suggestions? Thanks!
I’ve tried the following firewall rule without success:
config set fw_wireguard service status enabled TCPPorts 53 UDPPorts 53,51820 access green,red
I could establish a wireguard connection between my Nethserver and my Android mobile device.
As you mentioned shorewall blocks so I had to create custom templates to create a new zone and an interface for wireguard and rules to allow the traffic:
I just started to look at this, and while searching for an Android version came across AzireVPN who are offering their VPN for free (at the moment) for people to use via wireguard.
Has there been any traction on integrating wireguard directly in to NS? I would love to implement this where I work so we can abandon the rather poor Cisco solution that is currently in place.
I think for now 2 different implementations (well, 3 if we count roadwarrior and tunnels for OpenVPN) are enough.
If anyone wants to try creating an howto use, I will gladly help.
I’ve been playing with this for a while, so a couple of my observations:
While Wireguard runs as a kernel module, it still isn’t incorporated into the main tree, so it is currently installed by the DKMS framework. It could be built on a central machine and then just the module distributed.
The helper program, wg-quick, when setting up a client machine relies on an ip feature that doesn’t appear to be work correctly (at least not currently) in the version of iproute/kernel in the CentOS repositories. It issues a command using a suppressor: ‘ip -4 rule add table main suppress_prefixlength 0’, which is actually added to the routing as: ‘from all lookup main’, which completely breaks what is being attempted. So all updates to routing would have to be manually configured.
There is no concept of a roadwarrior service. All connections are PtoP and have to be configured as such.
