WireGuard

From Extremely Corporate Wiki


We have a WireGuard VPN as of January 14th 2022.

Setting Up

Instructions are different depending on your platform:

Linux

  1. Install WireGuard (it should be packaged for your distribution; the wg and wg-quick tools usually live in a package called wireguard-tools).
  2. Generate your key pair with a restrictive umask so the two files are not world-readable: umask 077; wg genkey | tee privatekey | wg pubkey > publickey
  3. Obtain your number, which will be referred to as N from this point forwards.
  4. Create the WireGuard interface configuration at /etc/wireguard/wg0.conf. Replace wg0 with something else if you want the WireGuard interface to use a different name. The file contains your private key, so keep it owned by root with mode 0600 (wg-quick warns if the file is world-accessible).
  5. Populate the configuration as described in § Base Config. (Substitute PUBLIC KEY, PRIVATE KEY, and N appropriately!!!)
  6. Delete publickey and privatekey; the private key now lives only in the config file. The server needs your public key in its own peer list before it will talk to you, so note it down first (it can always be recomputed with wg pubkey from the private key).
  7. Initialize the WireGuard interface: wg-quick up wg0. Replace wg0 if you used a different name for the interface. Check it with wg show wg0: a "latest handshake" line appears once the first packet has gone through.
  8. For a connection that persists across reboots, use systemctl enable wg-quick@wg0.service
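The whole Linux procedure above, as an added example script that is not part of this wiki or of the WireGuard project: it generates a key, renders wg0.conf for number N with the server peer from § Base Config, and writes it with mode 0600 so no separate privatekey/publickey files are ever left lying around (the same rendered text can be pasted into the Windows/macOS GUI). The function names, the 1..254 range accepted for N, the /dev/urandom fallback when wg is not installed, and the placeholder key in the comments are assumptions; the server public key, endpoint and address layout are the wiki's.

```sh
#!/bin/sh
# Added example (not from the wiki): key generation + config rendering for
# peer number N. Usage:  sh wg-setup.sh N [/etc/wireguard/wg0.conf]

SERVER_PUBKEY='a33auPUz//w3WEYfObQc31bGXnSPGTvap2G7YrVW6D0='   # from § Base Config
SERVER_ENDPOINT='extremelycorporate.ca:5003'                  # from § Base Config

# A WireGuard key is 32 random bytes in base64: exactly 44 characters, the last
# one '=', and the 43rd limited to the 16 sextets whose low two bits are padding.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# N becomes the last octet of 10.11.0.N; 0 and 255 are rejected (assumption:
# the wiki does not say which numbers get handed out).
is_peer_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# Prefer the real tool. The fallback only exists so the script runs where wg is
# absent; for a key you will actually use, install wireguard-tools.
gen_private_key() {
    if command -v wg >/dev/null 2>&1; then
        wg genkey
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Print the § Base Config with the key and N filled in; refuse bad input rather
# than producing a file wg-quick will reject later.
render_wg_config() {
    privkey=$1; n=$2
    is_wg_key "$privkey"  || { echo "render_wg_config: malformed private key" >&2; return 1; }
    is_peer_number "$n"   || { echo "render_wg_config: N must be 1..254" >&2; return 1; }
    cat <<EOF
# Your local interface
[Interface]
PrivateKey = $privkey
Address = 10.11.0.$n/12
MTU = 1420

# extremelycorporate.ca VPN endpoint
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 10.11.0.0/12
Endpoint = $SERVER_ENDPOINT
EOF
}

# Render first, then write under umask 077 in a subshell so the file is created
# 0600 without touching the caller's umask (and no empty file is left on error).
install_wg_config() {
    out=$(render_wg_config "$1" "$2") || return 1
    ( umask 077 && printf '%s\n' "$out" > "$3" )
}

main() {
    n=${1:?usage: $0 N [path]}
    path=${2:-/etc/wireguard/wg0.conf}
    key=$(gen_private_key) || return 1
    install_wg_config "$key" "$n" "$path" || return 1
    echo "wrote $path"
    # The public key is what the server side needs; derive it from the key in memory.
    if command -v wg >/dev/null 2>&1; then
        echo "public key: $(printf '%s' "$key" | wg pubkey)"
    fi
}

# Only run when given arguments, so the file can also be sourced for its functions.
case "${1:-}" in '') ;; *) main "$@" ;; esac
```

After running it, wg-quick up wg0 and systemctl enable wg-quick@wg0.service proceed exactly as in steps 7 and 8.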

Windows and macOS (they are more or less the same)

  1. Re-evaluate your life choices.
  2. Install WireGuard for your platform.
  3. Obtain your number, which will be referred to as N from this point forwards.
  4. Open up the GUI, select "Add Tunnel" (in the bottom right of the window), choose "Add Empty Tunnel". The client generates a key pair for you, prefills PrivateKey and shows the matching public key above the editor.
  5. Type something into the "Name" field. (doesn't matter what it is)
  6. Update the configuration so that it matches § Base Config. (Substitute PUBLIC KEY, PRIVATE KEY, and N appropriately!!!)
  7. Select the tunnel you created and press the "Activate" button. The tunnel view shows "Latest handshake" once the first packet has gone through.

Using It

After WireGuard is set up, you can visit http://10.0.0.1/ to see a list of other peers as well as the addresses of other people within the VPN. The server has no Endpoint configured for you; it learns where you can be reached from the source address of your first authenticated packet, so it cannot forward traffic to you until you have sent something. Visiting http://10.0.0.1/ in a web browser or pinging 10.0.0.1 is enough to get it sorted. If you sit behind NAT and want other peers to still reach you after you have been idle for a while, add PersistentKeepalive = 25 to the [Peer] section so the NAT mapping stays open.

Base Config

# Your local interface
[Interface]
PrivateKey = PRIVATE KEY
#PublicKey = PUBLIC KEY   (not a real [Interface] option; kept commented out purely as a note of which key pair this is)
Address = 10.11.0.N/12
MTU = 1420

# extremelycorporate.ca VPN endpoint
[Peer]
PublicKey = a33auPUz//w3WEYfObQc31bGXnSPGTvap2G7YrVW6D0=
AllowedIPs = 10.11.0.0/12
Endpoint = extremelycorporate.ca:5003

NOTE: AllowedIPs is a routing table, not just a filter. For example, the address 10.0.0.0/16 matches any address with the same beginning 16 bits, i.e. any 10.0.x.x, and 10.11.0.0/12 (the server peer above) is really 10.0.0.0/12, i.e. everything from 10.0.0.0 to 10.15.255.255. If your configuration contains multiple peers, WireGuard picks the peer with the longest matching prefix for each destination, so a more specific entry on one peer wins over a wider one on another; an identical prefix listed under two peers is not an error but is silently moved to whichever peer was configured last. To avoid surprises, give additional peers explicit AllowedIPs with a prefix length of 32 for IPv4 and 128 for IPv6.
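To see how the rule in the note plays out before handing a multi-peer file to wg-quick, here is a small cryptokey-routing simulator, added here as an example and not taken from the wiki or from the WireGuard project. Given "label AllowedIP" lines it reports prefixes that two peers both claim (which wg resolves by keeping only the last peer's copy) and answers which peer a destination address would be sent to, using the same longest-prefix rule WireGuard uses. It is IPv4 only and the peer labels and sample table are constructed; the 10.11.0.0/12 prefix is the one from § Base Config.

```sh
#!/bin/sh
# Added example (not from the wiki): AllowedIPs overlap check and lookup.
# Usage:  sh allowedips-check.sh demo

TABLE=''   # canonical "label net/plen" lines, one per entry, set by load_table

ip4_to_int() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address with host bits cleared, e.g. 10.11.0.0/12 -> 10.0.0.0/12,
# which is the form the kernel keys its lookup on. A bare address means /32.
cidr4_canonical() {
    cn_addr=${1%/*}; cn_plen=${1#*/}
    [ "$cn_addr" != "$1" ] || cn_plen=32
    if [ "$cn_plen" -eq 0 ]; then cn_mask=0
    else cn_mask=$(( (0xffffffff << (32 - cn_plen)) & 0xffffffff )); fi
    echo "$(int_to_ip4 $(( $(ip4_to_int "$cn_addr") & cn_mask )))/$cn_plen"
}

# Does CIDR ($1, canonical) cover the integer IP in $2?
cidr4_contains() {
    c_net=$(ip4_to_int "${1%/*}"); c_plen=${1#*/}
    [ "$c_plen" -eq 0 ] && return 0
    [ $(( c_net >> (32 - c_plen) )) -eq $(( $2 >> (32 - c_plen) )) ]
}

# Parse "label cidr" lines from $1 into TABLE, in peer order. IPv6 is skipped
# (assumption: this VPN is IPv4 only).
load_table() {
    TABLE=''
    lt_ifs=$IFS; IFS='
'
    set -- $1
    IFS=$lt_ifs
    for line; do
        label=${line%% *}; cidr=${line#* }
        case "$cidr" in *:*) echo "skipping $label $cidr: IPv6 not handled" >&2; continue ;; esac
        TABLE="$TABLE$label $(cidr4_canonical "$cidr")
"
    done
}

# Longest-prefix lookup; on equal length the later peer wins, as in wg itself.
route_peer() {
    ip=$(ip4_to_int "$1"); best=''; bestlen=-1
    rp_ifs=$IFS; IFS='
'
    for entry in $TABLE; do
        IFS=$rp_ifs
        e_label=${entry%% *}; e_cidr=${entry#* }; e_plen=${e_cidr#*/}
        if [ "$e_plen" -ge "$bestlen" ] && cidr4_contains "$e_cidr" "$ip"; then
            best="$e_label $e_cidr"; bestlen=$e_plen
        fi
    done
    IFS=$rp_ifs
    [ -n "$best" ] && echo "$best" || echo "unrouted"
}

# Exact duplicate prefixes: wg keeps only the last peer's copy, silently.
find_duplicates() {
    dups=0
    fd_ifs=$IFS; IFS='
'
    set -- $TABLE
    IFS=$fd_ifs
    i=0
    for e1; do
        i=$((i + 1)); j=0
        for e2; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue
            if [ "${e1#* }" = "${e2#* }" ]; then
                echo "duplicate ${e1#* }: ${e1%% *} loses it to ${e2%% *}"
                dups=$((dups + 1))
            fi
        done
    done
    [ "$dups" -eq 0 ]
}

main() {
    # Constructed sample: the wiki's server peer plus three made-up extras.
    load_table "server 10.11.0.0/12
alice 10.11.0.7/32
bob 10.11.0.7/32
printer 192.168.50.0/24
homev6 fd00::/64"
    find_duplicates || echo "fix the duplicate before running wg-quick"
    for dst in 10.0.0.1 10.11.0.7 10.11.0.8 10.16.0.1 192.168.50.9; do
        echo "$dst -> $(route_peer "$dst")"
    done
}
case "${1:-}" in demo) main ;; esac
```

In the sample, 10.11.0.7 goes to bob rather than to the server's /12 because /32 is the longer match, and alice has silently lost her entry to bob; 10.16.0.1 is outside 10.0.0.0/12 and is not routed into the tunnel at all.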

Note that if you are configuring a WireGuard server, you should also add a ListenPort key to the [Interface] section (the client config above deliberately has none, so it only ever dials out).

The 10.x.x.x IPv4 address range is reserved for private networks (i.e. no address in this range will ever collide with an address on the public internet). [1]

IPv6 addresses prefixed with fd are similar but are specified differently and are known as Unique Local Addresses. [2]