
wireguard systemd part 2

use systemd to manage wireguard

Goals

server

set up the interface; give the client a /32 IPv4 address and a /64 IPv6 prefix

# 40-wg0.netdev
# Server side: creates the wg0 WireGuard interface and declares the single client peer.
# This file holds the interface's private key, so it must not be world-readable:
# systemd.netdev(5) recommends root:systemd-network ownership with mode 0640.
# PrivateKeyFile= can replace PrivateKey= to keep the key out of this file entirely.
[NetDev]
Name = wg0
Kind = wireguard

[WireGuard]
# the server's private key (secret); see the permission note above
PrivateKey = SERVER_PRIVATE_KEY
# mark set on the encapsulated UDP packets; nothing in 41-wg0.network below matches it,
# so on the server it is not used for policy routing
FirewallMark = 1234
# UDP port the server listens on; must be reachable from the client's Endpoint= side
ListenPort = 51820

[WireGuardPeer]
PublicKey = CLIENT_PUBLIC_KEY
# cryptokey routing: the only sources accepted from this peer, and the destinations
# sent to it - the client's single IPv4 address and its whole IPv6 /64
AllowedIPs = CLIENT_SUBNET_ADDRESS/32,CLIENT_SUBNET_PREFIX::/64

set up networking; give the server an address in each of the shared ranges

# 41-wg0.network
# Server side: addresses wg0 and enables forwarding so client traffic can be relayed onward.
[Match]
Name = wg0

[Network]
# required for the server to forward traffic arriving from the tunnel;
# newer systemd releases split this setting into IPv4Forwarding= / IPv6Forwarding=
IPForward = yes
# server address inside the shared IPv4 range; the client /32 from 40-wg0.netdev is
# expected to fall inside this /28
Address = SERVER_SUBNET_ADDRESS/28
# server address inside the shared IPv6 range; the client's /64 is expected to be
# carved out of this /60
Address = SERVER_SUBNET_PREFIX::1/60

client

combined config

set up the interface; note that the endpoint is only evaluated once, at startup

# Client side: one wg0 interface carrying both IPv4 and IPv6.
# Contains the private key - keep this file root:systemd-network, mode 0640
# (or move the key out with PrivateKeyFile=).
[NetDev]
Name = wg0
Kind = wireguard

[WireGuard]
PrivateKey = CLIENT_PRIVATE_KEY
# the encapsulated UDP packets carry this mark; the [RoutingPolicyRule] in the
# matching .network file uses it (inverted) to keep them out of the tunnel table
FirewallMark = 1234

[WireGuardPeer]
PublicKey = SERVER_PUBLIC_KEY
# send all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0,::/0
# the server's public address and its ListenPort=
Endpoint = SERVER_PUBLIC_ADDRESS:51820

setup networking

 1[Match]
 2Name = wg0
 3
 4[Network]
 5Address = CLIENT_SUBNET_ADDRESS/28
 6
 7[Route]
 8Destination = 0.0.0.0/0
 9Table = 2468
10
11[Route]
12Destination = ::/0
13Table = 2468
14
15[RoutingPolicyRule]
16Family = both
17InvertRule = true
18FirewallMark = 1234
19Table = 2468
20
21[RoutingPolicyRule]
22Family = both
23Table = main
24SuppressPrefixLength = 0
separate ipv4 / ipv6

e.g. when you only need an IPv6 address

ipv4

interface

# Client side, IPv4 only: the wg4 interface.
# Contains the private key - keep this file root:systemd-network, mode 0640
# (or move the key out with PrivateKeyFile=).
[NetDev]
Name = wg4
Kind = wireguard

[WireGuard]
PrivateKey = CLIENT_PRIVATE_KEY
# mark on the encapsulated UDP packets; matched (inverted) by the wg4 .network rules
FirewallMark = 1234

[WireGuardPeer]
PublicKey = SERVER_PUBLIC_KEY
# only IPv4 goes through this tunnel
AllowedIPs = 0.0.0.0/0
# the server's public address and its ListenPort=
Endpoint = SERVER_PUBLIC_ADDRESS:51820

networking

 1[Match]
 2Name = wg4
 3
 4[Network]
 5Address = CLIENT_SUBNET_ADDRESS/28
 6
 7[Route]
 8Destination = 0.0.0.0/0
 9Table = 2468
10
11[RoutingPolicyRule]
12Family = ipv4
13InvertRule = true
14FirewallMark = 1234
15Table = 2468
16
17[RoutingPolicyRule]
18Family = ipv4
19Table = main
20SuppressPrefixLength = 0
ipv6

interface

# Client side, IPv6 only: the wg6 interface.
# Contains the private key - keep this file root:systemd-network, mode 0640
# (or move the key out with PrivateKeyFile=).
[NetDev]
Name = wg6
Kind = wireguard

[WireGuard]
PrivateKey = CLIENT_PRIVATE_KEY
# mark on the encapsulated UDP packets; matched (inverted) by the wg6 .network rules
FirewallMark = 1234

[WireGuardPeer]
PublicKey = SERVER_PUBLIC_KEY
# only IPv6 goes through this tunnel
AllowedIPs = ::/0
# the server's public address and its ListenPort=
Endpoint = SERVER_PUBLIC_ADDRESS:51820

networking

 1[Match]
 2Name = wg6
 3
 4[Network]
 5Address = CLIENT_SUBNET_PREFIX/64
 6
 7[Route]
 8Destination = ::/0
 9Table = 2468
10
11[RoutingPolicyRule]
12Family = ipv6
13InvertRule = true
14FirewallMark = 1234
15Table = 2468
16
17[RoutingPolicyRule]
18Family = ipv6
19Table = main
20SuppressPrefixLength = 0