wireguard networking
openbsd server (in-kernel wg(4) driver; configured entirely with ifconfig(8) / hostname.if(5), no userspace wireguard tools needed)
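# --- OpenBSD: in-kernel wg(4) server -----------------------------------------
# Key material. A WireGuard key is 32 random bytes, base64-encoded, so
# openssl rand (LibreSSL) is enough; the kernel derives the public key.
# Set the umask BEFORE writing so the key files are created 0600, not 0644.
umask 077
# private key
openssl rand -base64 32 > /root/wg0.key
# optional pre-shared key: extra symmetric layer over the Curve25519 handshake.
# Generate one per peer and install it on exactly that peer and the server;
# a PSK configured on only one side makes the handshake fail.
openssl rand -base64 32 > /root/wg0.psk
# Create and bind the interface. A UDP port is 1-65535, so a value such as
# 81520 is not a valid port; the same number must appear in pf.conf and in
# every client's Endpoint. 8152 is used throughout these notes.
# NOTE: the key is visible in the process list while ifconfig runs; the
# persistent /etc/hostname.wg0 below avoids that on boot.
ifconfig wg0 create wgport 8152 wgkey "$(cat /root/wg0.key)"
# show config, including the derived public key (wgpubkey) to hand to peers
ifconfig wg0
# tunnel address
ifconfig wg0 192.168.2.1 netmask 255.255.255.0

# Persistent config, read by netstart(8). Created 0600 (umask above) because
# it contains the private key and the PSKs.
cat > /etc/hostname.wg0 <<'EOF'
# server private key and listen port
wgkey XXXXXXXXXXXXXXX=
wgport 8152
# linux client. wgaip is the cryptokey-routing table: only this /32 is
# accepted from, and routed to, this peer. wgpsk is optional; if it is set
# here the client needs the matching PresharedKey.
wgpeer XXXXXXXXXXXXXX= wgpsk XXXXXXXXXXXXXX= wgaip 192.168.2.3/32
# mikrotik: its tunnel address plus the LAN behind it. Do NOT use
# wgaip 0.0.0.0/0 for this peer: it would accept any source address from the
# router and make it the catch-all destination for every address no other
# peer claims. The /32 must be the address configured on the router's wg
# interface (the MikroTik section uses 192.168.2.202, the route below uses
# .200 -- reconcile before going live).
wgpeer XXXXXXXXXXXXXX= wgaip 192.168.2.200/32 wgaip 192.168.20.0/24
# server address
inet 192.168.2.1 255.255.255.0
# route the LAN behind the mikrotik through the router's tunnel address
!route add -net 192.168.20.0/24 192.168.2.200
up
EOF
# belt and braces: neither the config nor the loose key files may be
# group/world readable
chmod 600 /etc/hostname.wg0 /root/wg0.key /root/wg0.psk

# Firewall. Append to /etc/pf.conf, check, then reload (rules are not live
# until pfctl loads them).
cat >> /etc/pf.conf <<'EOF'
# wireguard listen port, same value as wgport
wg_port = "8152"
# encrypted peer traffic arriving on the public interface
pass in quick on egress proto udp to port $wg_port
# decrypted traffic inside the tunnel. "pass on wg0" allows everything in
# both directions; tighten to the peer subnets once the tunnel works.
pass on wg0
EOF
pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

# recreate the interface from the persistent config
ifconfig wg0 destroy
sh /etc/netstart wg0
# IP forwarding between wg0 and the other interfaces. The sysctl.conf line
# needs an explicit value; a bare "net.inet.ip.forwarding=" sets nothing.
echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1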
linux client
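# --- Linux client (RHEL-family; ELRepo kernel module + tools) -----------------
dnf install -y elrepo-release epel-release
dnf install -y kmod-wireguard wireguard-tools
# config dir, private to root
install -d -m 700 /etc/wireguard
cd /etc/wireguard
# Key pair. umask must be its own statement in this shell: written as
# "umask 077 | wg genkey | tee ..." it runs inside a pipeline subshell, so
# the private key is created with the default umask, i.e. world-readable.
umask 077
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
# register this value on the server as the wgpeer key
cat /etc/wireguard/public.key

# wg-quick config (comments on their own lines only)
cat > /etc/wireguard/wg0.conf <<'EOF'
[Interface]
Address = 192.168.2.3/32
# ListenPort is optional for a client; the server learns the endpoint
# from the handshake
ListenPort = 39012
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXX=

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXX==
# required if the server sets wgpsk for this peer, otherwise leave out
# PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXX=
# prefixes accepted from and routed to the server: the tunnel net and the
# LAN behind the mikrotik
AllowedIPs = 192.168.2.0/24, 192.168.20.0/24
# port must equal the server's wgport / pf rule (1-65535)
Endpoint = <server-ip>:8152
PersistentKeepalive = 25
EOF
chmod 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0
# wg-quick installs a route for every AllowedIPs prefix; this manual route is
# only needed if the tunnel is brought up with wg setconf instead
ip route add 192.168.20.0/24 via 192.168.2.1 dev wg0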
mikrotik side network
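# --- MikroTik (RouterOS v7 path syntax) --------------------------------------
# create interface; the public key it generates goes into the server's
# wgpeer line for this router
/interface/wireguard/add name=wg1 listen-port=38014
/interface/wireguard/print
# peer = the OpenBSD server. endpoint-port must equal the server's wgport
# (1-65535; 8152 in these notes). allowed-address is this side of the
# cryptokey routing table: what may arrive from and be sent to the server.
/interface/wireguard/peers/add interface=wg1 public-key="XXXxxx=" \
    endpoint-address=x.x.x.x endpoint-port=8152 \
    allowed-address=192.168.2.0/24 persistent-keepalive=25
# add preshared-key="..." to the line above if the server sets wgpsk for
# this peer; a PSK on one side only breaks the handshake
# tunnel address: must be the /32 the server lists in wgaip for this peer
/ip/address/add address=192.168.2.202/32 interface=wg1
/ip/route/add dst-address=192.168.2.0/24 gateway=wg1
# forward: tunnel net <-> LAN behind this router. The server side
# (hostname.wg0 wgaip/route, Linux AllowedIPs) calls that LAN
# 192.168.20.0/24 while these rules use 192.168.30.0/24 -- reconcile.
# "add" appends; if the chain already ends in a drop rule use place-before=.
/ip/firewall/filter
add action=accept chain=forward src-address=192.168.2.0/24 dst-address=192.168.30.0/24
add action=accept chain=forward src-address=192.168.30.0/24 dst-address=192.168.2.0/24
# input: WireGuard UDP from the server arrives from its public address
# x.x.x.x, never from its tunnel address 192.168.2.1, so a rule with
# src-address=192.168.2.1 never matches. With endpoint-address and
# persistent-keepalive set this router initiates the handshake and an
# established/related accept rule (if present) covers the replies; this rule
# is only needed for the server to initiate.
add action=accept chain=input protocol=udp dst-port=38014 src-address=x.x.x.x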
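# On a host that should reach the LAN behind the MikroTik via the WireGuard
# server (OpenBSD route(8) syntax). Not for the OpenBSD server itself:
# 192.168.2.1 is its own address and hostname.wg0 already routes that LAN
# via the router. The prefix must be the one the MikroTik actually serves
# (192.168.20.0/24 in hostname.wg0 and the Linux AllowedIPs, 192.168.30.0/24
# in the MikroTik filter rules -- reconcile).
route add -priority 2 192.168.30.0/24 192.168.2.1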
26-09-2021