wireguard systemd

use systemd to manage wireguard

Goals

• setup a default VPN through wireguard using just systemd-networkd

additional reading

• ArchWiki WireGuard/Systemd
• WireGuard WireGuard/Improved Rule

How

Use the improved rule-based solution similar to wg-quick

40-wireguard.netdev

creating the network device

• WireGuard: sets mark 1234 on outgoing packets

 1[NetDev]
 2Name = wg0
 3Kind = wireguard
 4
 5[WireGuard]
 6PrivateKey = CLIENT_PRIVATE_KEY
 7FirewallMark = 1234
 8
 9[WireGuardPeer]
10PublicKey = SERVER_PUBLIC_KEY
11AllowedIPs = 0.0.0.0/0
12Endpoint = SERVER_ENDPOINT:51820

40-wireguard.network

routing rules

• Route: sets a default route to use wg0 and table 2468
• RoutingPolicyRule: unmarked packets use table 2468
• RoutingPolicyRule: bypass wireguard / table 2468 if using non default route

results:

umarked packet: -> table 2468 -> wg0 -> marked -> table main

 1[Match]
 2Name = wg0
 3
 4[Network]
 5Address = CLIENT_IP_ADDRESS/SUBNET
 6
 7[Route]
 8Destination = 0.0.0.0/0
 9Table = 2468
10
11[RoutingPolicyRule]
12InvertRule = true
13FirewallMark = 1234
14Table = 2468
15
16[RoutingPolicyRule]
17Table = main
18SuppressPrefixLength = 0