checkpoint commit

active/software_wireguard/wireguard.md

@@ -1,6 +1,83 @@
 # Wireguard
 
-## Install
+## Manual Install
+
+### 1. Install WireGuard
+
+```bash
+sudo dnf install -y wireguard-tools qrencode
+```
+
+### 2. Generate server keys
+
+```bash
+sudo mkdir -p /etc/wireguard
+cd /etc/wireguard
+sudo umask 077
+sudo wg genkey | sudo tee privatekey | sudo wg pubkey | sudo tee publickey
+```
+
+### 3. Create the WireGuard config
+
+```bash
+sudo tee /etc/wireguard/wg0.conf > /dev/null <<'EOF'
+[Interface]
+Address = 10.10.0.1/24
+ListenPort = 51820
+PrivateKey = INSERT_SERVER_PRIVATE_KEY_HERE
+PostUp = firewall-cmd --add-port=51820/udp
+PostDown = firewall-cmd --remove-port=51820/udp
+
+[Peer]
+# Clients will be added here
+EOF
+```
+
+Replace `INSERT_SERVER_PRIVATE_KEY_HERE` with the content of `/etc/wireguard/privatekey`.
+
+### 4. Enable IP forwarding
+
+```bash
+sudo tee /etc/sysctl.d/99-wireguard.conf > /dev/null <<'EOF'
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+EOF
+
+sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
+```
+
+### 5. Start and enable WireGuard
+
+```bash
+sudo systemctl enable --now wg-quick@wg0
+```
+
+### 6. Configure firewalld
+
+```bash
+# Allow WireGuard through the firewall
+sudo firewall-cmd --permanent --add-port=51820/udp
+
+# Enable masquerading (NAT) so clients can reach the internet
+sudo firewall-cmd --permanent --add-masquerade
+
+# Allow forwarded traffic from the WireGuard subnet
+sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.0.0/24" accept'
+
+# Reload and verify
+sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+```
+
+### 7. Verify it's working
+
+```bash
+sudo wg
+sudo wg-quick show wg0
+systemctl status wg-quick@wg0
+```
+
+## Ansible Install
 
 ```bash
 ansible-playbook \
@@ -37,3 +114,4 @@ read
 wg set wg0 peer $PUBKEY allowed-ips 10.10.0.$WG_IP_SUFFIX/32
 wg-quick down wg0 && wg-quick up wg0
 ```
+