On 20/1/26 at 15:00, Sad Clouds wrote:
These are my notes for NetBSD and Linux.
My normal subnet is 10.0.0.0/16 and wireguard VPN subnet is 10.1.0.0/16.
rp4-4g is my Raspberry Pi 4 4GB NFS server.
rp4-8g is my Raspberry Pi 4 8GB Debian NFS client.
z600 is my HP Z600 Debian NFS client.
Substitute these for your own IP addresses and peers. Good luck.
--------------------------------------------------------------------------------
Configure NetBSD as WireGuard server:
Load if_wg module on boot:
vi /etc/modules.conf
if_wg
and then reboot
Generate server private and public keys:
umask 0077
mkdir /etc/wireguard
wg-keygen > /etc/wireguard/wg0.prv
wg-keygen --pub < /etc/wireguard/wg0.prv > /etc/wireguard/wg0.pub
umask 0022
Configure wg0 interface and add peers (max peer name length is 16 chars):
cat > /etc/ifconfig.wg0 << 'EOF'
inet 10.1.0.5/16
!wgconfig ${int} set private-key /etc/wireguard/${int}.prv
!wgconfig ${int} set listen-port 51820
!wgconfig ${int} add peer z600 <base64 client public key> --allowed-ips=10.1.0.2/32
!wgconfig ${int} add peer rp4-8g <base64 client public key> --allowed-ips=10.1.0.6/32
up
EOF
rp4-4g$ ifconfig
genet0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=0x1<VLAN_MTU>
ec_enabled=0
address: dc:a6:32:31:71:32
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::dea6:32ff:fe31:7132%genet0/64 flags 0 scopeid 0x1
inet 10.0.0.5/16 broadcast 10.0.255.255 flags 0
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
status: active
inet6 ::1/128 flags 0x20<NODAD>
inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
inet 127.0.0.1/8 flags 0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
status: active
inet6 fe80::dea6:32ff:fe31:7132%wg0/64 flags 0 scopeid 0x3
inet 10.1.0.5/16 flags 0
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Configure Debian as WireGuard client:
sudo aptitude install wireguard
Generate client private and public keys:
prv_key=$(wg genkey) &&
pub_key=$(echo ${prv_key:?} | wg pubkey) &&
echo "prv_key: ${prv_key}" &&
echo "pub_key: ${pub_key}" &&
unset prv_key pub_key
Manual config:
cat > /etc/network/interfaces.d/wg0 << 'EOF'
auto wg0
iface wg0 inet static
address 10.1.0.6
netmask 255.255.0.0
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
#post-up ip route add 10.1.0.0/16 dev wg0
post-down ip link del $IFACE
EOF
cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
PrivateKey = <base64 client private key>
[Peer]
Endpoint = 10.0.0.5:51820
PublicKey = <base64 server public key>
AllowedIPs = 10.1.0.5/32
EOF
Network manager config (alternative to manual config):
Connection name: vpn-rp4-4g
Interface name : wg0
Private key : XXX
Peers:
Public key : XXX
Allowed IPs: 10.1.0.5/32
Endpoint : 10.0.0.5:51820
IPv4 Settings:
Method : Manual
IP : 10.1.0.2
Netmask: 16
Gateway: <empty>
--------------------------------------------------------------------------------
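As an added example (not part of Sad Clouds' notes), the following POSIX shell script builds the /etc/ifconfig.wg0 shown above from a peer list and checks each entry before emitting anything: the 16-character peer name limit the notes mention, that each public key is the base64 form of a 32-byte key (44 characters, one trailing '='), and that client allowed-ips are single /32 hosts as in the notes. Allowed-ips is both the route to a peer and the source-address filter for traffic arriving from it, so a peer entry with a wider range than intended lets that peer inject traffic for the whole range. The peer list format (NAME PUBLIC_KEY ALLOWED_IPS per line), the function names and the sample key made of 43 'A' characters are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: generate /etc/ifconfig.wg0 for a
# NetBSD WireGuard server from a peer list, validating each entry first.
# Peer list format (one peer per line, constructed for this example):
#   NAME PUBLIC_KEY ALLOWED_IPS
# ${int} is expanded by /etc/rc.d/network to the interface name, so it is
# emitted literally, exactly as in the notes.

# validate_peer_name NAME: NetBSD's wgconfig limits peer names to 16 characters
validate_peer_name() {
    [ -n "$1" ] && [ "${#1}" -le 16 ]
}

# validate_key KEY: a WireGuard key is 32 bytes, so its base64 form is exactly
# 44 characters with one trailing '=', and the 43rd character can only be one
# of the 16 base64 digits whose low two bits are zero.
validate_key() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    body=${1%=}
    [ "$body" != "$1" ] || return 1          # must end in '='
    case "$body" in *=*) return 1 ;; esac    # and contain no other '='
    case "${body#"${body%?}"}" in
        [AEIMQUYcgkosw048]) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_host_cidr CIDR: client peers get a single host, a.b.c.d/32, so one
# peer cannot claim (and source traffic for) a wider range than intended
validate_host_cidr() {
    case "$1" in */32) ;; *) return 1 ;; esac
    addr=${1%/32}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ifconfig_wg0 ADDRESS/PREFIX LISTEN_PORT < peer_list
# Prints the ifconfig.wg0 contents on stdout; stops with status 1 at the
# first invalid peer so a bad entry never reaches the file.
gen_ifconfig_wg0() {
    printf 'inet %s\n' "$1"
    printf '!wgconfig ${int} set private-key /etc/wireguard/${int}.prv\n'
    printf '!wgconfig ${int} set listen-port %s\n' "$2"
    while read -r name key ips; do
        [ -n "$name" ] || continue                      # skip blank lines
        validate_peer_name "$name" || { echo "peer name too long: $name" >&2; return 1; }
        validate_key "$key" || { echo "malformed public key for $name" >&2; return 1; }
        validate_host_cidr "$ips" || { echo "allowed-ips for $name is not a /32 host: $ips" >&2; return 1; }
        printf '!wgconfig ${int} add peer %s %s --allowed-ips=%s\n' "$name" "$key" "$ips"
    done
    echo up
}

# Constructed sample key (43 'A' characters plus '='): well-formed, not a real key.
SAMPLE_KEY="$(printf '%43s' '' | tr ' ' 'A')="

# Usage: review the output before installing it, e.g.
#   gen_ifconfig_wg0 10.1.0.5/16 51820 < peers > /etc/ifconfig.wg0
if [ "${1-}" = "--demo" ]; then
    printf 'z600 %s 10.1.0.2/32\nrp4-8g %s 10.1.0.6/32\n' "$SAMPLE_KEY" "$SAMPLE_KEY" |
        gen_ifconfig_wg0 10.1.0.5/16 51820
fi
```

Running the script with `--demo` prints the two-peer file from the notes with the constructed key in place of the real ones; feeding it a peer list with an over-long name, a key of the wrong length, or a /16 allowed-ips makes it stop with an error on stderr instead of writing a file that wgconfig would reject at boot, or worse, accept with a wider allowed range than intended.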
Thanks so much Sad for your great notes. I appreciate them very much. I
see that my NetBSD configuration is the same as yours except for the
"wgconfig set listen-port <port>", which I did not use because I am on the
client side.
I observe that:
- Pinging from outside of the local network to 44.x.y.z: it doesn't
work.
- Pinging from another machine on the local network to 44.x.y.z: it
works. But it only works for a while; afterwards it stops working. To
make it work again I have to do:
ifconfig wg0 down
ifconfig wg0 up
And then it works again from the local network. This may be related to
the absence of the PersistentKeepalive = 20 parameter, which comes in the
configuration file the tunnel provider sent by email and which does not
exist in the NetBSD implementation of WireGuard.
I do not know...
I have tested the same thing on a Raspberry Pi Zero W and a Raspberry Pi 4 with
the same result. Both systems run NetBSD 10.1.
Regards.
Ramiro.
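As a second added example (not from anyone in the thread), a POSIX shell stand-in for the PersistentKeepalive setting that NetBSD's wgconfig lacks. PersistentKeepalive exists to keep a NAT or stateful-firewall mapping open for a peer that otherwise sends nothing through the tunnel; the thread does not establish that this is the cause of the symptom described above, but a tunnel that works for a while and then needs an interface bounce is what an expired mapping looks like, and the script below both keeps the mapping busy and records how often a bounce was needed, which is the evidence to settle it. It probes the far end of the tunnel every 20 s (the interval from the provider's config) and after three consecutive failures performs the same `ifconfig wg0 down` / `ifconfig wg0 up` cycle Ramiro does by hand. The function names, interval and threshold are assumptions for this example, and the address to probe is a placeholder for the provider's tunnel-side gateway.

```shell
#!/bin/sh
# Added example, not from the thread: a user-space stand-in for WireGuard's
# PersistentKeepalive on a NetBSD peer whose wgconfig has no such setting.
# It probes the far end of the tunnel at a fixed interval so the NAT or
# firewall mapping keeps seeing outbound traffic, and bounces the interface
# after repeated failures (the manual fix from the thread), logging each
# bounce so the frequency of the problem can be seen. Names, interval and
# thresholds are assumptions for this example.

: "${IFACE:=wg0}"
: "${KEEPALIVE_INTERVAL:=20}"   # seconds; same value as PersistentKeepalive = 20
: "${MAX_FAILS:=3}"             # consecutive failed probes before a bounce

# probe_peer HOST: one ICMP echo to the peer's tunnel-side address. Timeout
# flags differ between NetBSD and Linux ping, so only -c is used here.
probe_peer() {
    ping -c 1 "$1" >/dev/null 2>&1
}

# bounce_iface IFACE: the down/up cycle that re-establishes the tunnel,
# with a timestamped note so the log shows how often it was needed
bounce_iface() {
    echo "$(date) keepalive: bouncing $1 after $MAX_FAILS failed probes" >&2
    ifconfig "$1" down && ifconfig "$1" up
}

# keepalive_once HOST STATE_FILE: run a single probe, keep the count of
# consecutive failures in STATE_FILE, and print what happened: "ok",
# "fail" or "bounce" (after which the counter restarts from zero).
keepalive_once() {
    host=$1 state=$2 fails=0
    [ -r "$state" ] && fails=$(cat "$state")
    if probe_peer "$host"; then
        fails=0
        echo ok
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$MAX_FAILS" ]; then
            bounce_iface "$IFACE"
            fails=0
            echo bounce
        else
            echo fail
        fi
    fi
    echo "$fails" > "$state"
}

# keepalive_loop HOST: probe forever; start it at boot on the NetBSD peer
# (for example from /etc/rc.local) as:  keepalive_loop <tunnel gateway address>
keepalive_loop() {
    state=$(mktemp) || return 1
    trap 'rm -f "$state"' EXIT INT TERM
    while :; do
        keepalive_once "$1" "$state" >/dev/null
        sleep "$KEEPALIVE_INTERVAL"
    done
}

if [ "${1-}" = "--run" ] && [ -n "${2-}" ]; then
    keepalive_loop "$2"
fi
```

Run it on the peer that sits behind the NAT (the NetBSD client here), pointed at the address on the far side of the tunnel, and redirect stderr to a log file. If the bounce messages stop appearing once the probes are running, the idle-timeout explanation is confirmed; if the tunnel still dies between probes, the cause lies elsewhere and the log timestamps show the pattern.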