# Wireguard

## Install Wireguard

## Ansible

Run the playbooks in the order shown (keys first, then the interface, then the peers):

```bash
ansible-playbook -i ansible/inventory.yaml wireguard/keys.yaml
ansible-playbook -i ansible/inventory.yaml wireguard/wireguard.yaml
ansible-playbook -i ansible/inventory.yaml wireguard/peers.yaml
```

## DNS Records

Collect DNS records from vars.yaml. Each `.ip` entry contributes two lines: the hostname with a `-wg.reeselink.com` suffix, followed by its tunnel address.

```bash
cat wireguard/vars.yaml | \
  yq -r '.ip | map([.hostname + "-wg.reeselink.com", .address]).[].[]' > dns/duconet-wg.txt
```

## CLI Setup

```bash
# Peer 1
# Generate the keypair under a restrictive umask so the private key is never
# world-readable (tee would otherwise create it with the default 0644 mode).
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
ip link add dev duconet-wg type wireguard
ip address add dev duconet-wg fd00:fd41:d0f1:1010::0/64
wg set duconet-wg \
  listen-port 51821 \
  private-key /etc/wireguard/privatekey
wg set duconet-wg \
  peer CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= \
  allowed-ips '10.10.10.0/24' \
  endpoint 10.1.200.253:51821
ip link set up dev duconet-wg
# wg-quick save reads the config file before writing it, so it must exist
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg

# Peer 2
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
ip link add dev duconet-wg type wireguard
ip address add dev duconet-wg 10.10.10.2/24
wg set duconet-wg \
  listen-port 51821 \
  private-key /etc/wireguard/privatekey \
  peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
  allowed-ips '10.10.10.0/24' \
  endpoint 10.1.203.197:51821
ip link set up dev duconet-wg
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg

# Peer 3
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
ip link add dev duconet-wg type wireguard
ip address add dev duconet-wg 10.10.10.3/24
wg set duconet-wg \
  listen-port 51821 \
  private-key /etc/wireguard/privatekey \
  peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
  allowed-ips '10.10.10.0/24' \
  endpoint 10.1.203.197:51821
# Note: WireGuard keeps one allowed-ips table per interface and each prefix
# belongs to exactly one peer. Giving both peers 10.10.10.0/24 moves the
# prefix to whichever peer was set last; narrow each peer to its own address
# (for example a /32) if traffic to the first peer should still be routed.
wg set duconet-wg \
  peer 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= \
  allowed-ips '10.10.10.0/24' \
  endpoint 10.1.2.10:51821
ip link set up dev duconet-wg
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg
```

## Teardown

```bash
# teardown
ip link delete duconet-wg
systemctl disable wg-quick@duconet-wg
```

## TrueNAS

Because TrueNAS's /etc/wireguard is ephemeral, we need scripts that save the WireGuard config at shutdown and load it at boot. Select these scripts in System Settings -> Advanced -> Init/Shutdown Scripts.

Startup Script: /mnt/enc1/truenas/wireguard/duconet-save.sh

```bash
#!/bin/bash
# Restore the saved config and keys from the persistent dataset, then bring
# the tunnel up. cp -a preserves file modes, so keep the private key 0600 on
# the dataset as well.
mkdir -p /etc/wireguard
cp -a /mnt/enc1/truenas/wireguard/* /etc/wireguard/
wg-quick up duconet-wg
```

Shutdown Script: /mnt/enc1/truenas/wireguard/duconet-load.sh

```bash
#!/bin/bash
# Write the running interface state back to the config file, then copy the
# whole directory (config and keys) to the persistent dataset.
wg-quick save duconet-wg
cp -a /etc/wireguard/* /mnt/enc1/truenas/wireguard/
```
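The CLI Setup section applies peers one `wg set` at a time, and the Peer 3 block gives the same `10.10.10.0/24` prefix to two peers. WireGuard keeps a single allowed-ips table per interface, so a prefix can belong to only one peer, and a later `wg set` that names an already-assigned prefix silently moves it to the later peer. The following script is an added example (not part of the original page or the Ansible playbooks): it validates a peer table for malformed keys and duplicate prefixes as a dry run, and only prints the `wg set` commands when the table is clean. The public keys are the ones from the CLI Setup section; the address and endpoint assignments in the table are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run validation of a peer
# table before it is applied with `wg set`.

# Constructed peer table: <public-key> <allowed-ips> <endpoint>
# (keys from the CLI Setup section; address/endpoint pairing is assumed).
# The repeated 10.10.10.0/24 reproduces the overlap in the Peer 3 commands.
PEERS='
CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= 10.10.10.1/32 10.1.200.253:51821
kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= 10.10.10.0/24 10.1.203.197:51821
9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= 10.10.10.0/24 10.1.2.10:51821
'

# A WireGuard key is 32 raw bytes, so its base64 form is 43 characters plus
# one '=' of padding.
check_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print one "BADKEY <key>" or "DUPLICATE <prefix> <key>" line per problem.
# Returns 0 when the table is clean, 1 otherwise.
check_peers() {
    _rc=0
    _seen=" "
    while read -r key ips endpoint; do
        [ -z "$key" ] && continue
        if ! check_key "$key"; then
            echo "BADKEY $key"
            _rc=1
        fi
        # allowed-ips may be a comma-separated list of prefixes
        for prefix in $(printf '%s' "$ips" | tr ',' ' '); do
            case "$_seen" in
                *" $prefix "*)
                    echo "DUPLICATE $prefix $key"
                    _rc=1
                    ;;
                *)
                    _seen="$_seen$prefix "
                    ;;
            esac
        done
    done <<EOF
$1
EOF
    return $_rc
}

# Print the `wg set` line for each peer (dry run: nothing is applied).
render_wg_set() {
    iface=$1
    while read -r key ips endpoint; do
        [ -z "$key" ] && continue
        printf 'wg set %s peer %s allowed-ips %s endpoint %s\n' \
            "$iface" "$key" "$ips" "$endpoint"
    done <<EOF
$2
EOF
}

if check_peers "$PEERS"; then
    render_wg_set duconet-wg "$PEERS"
else
    echo "refusing to render: fix the problems above first" >&2
fi
```

With the table above the script reports `DUPLICATE 10.10.10.0/24 9/dB...` and renders nothing; narrowing each peer to its own address (a `/32`, or a `/32,/128` pair for a dual-stack peer) makes it pass and print the commands to paste on the host.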
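Once the TrueNAS startup script has restored /etc/wireguard from the dataset and brought the tunnel up, two things are worth verifying: that the restored key files are still readable by their owner only (`cp -a` preserves whatever mode the original had, including a world-readable 0644 if the key was generated without a restrictive umask), and that every configured peer has actually completed a handshake recently. The script below is an added example, not part of the original page or of TrueNAS; it parses the tab-separated output of `wg show <iface> dump` (fields per peer line: public key, preshared key, endpoint, allowed-ips, latest handshake as epoch seconds or 0, rx bytes, tx bytes, keepalive). The dump text and the clock value are constructed so the example runs offline; on the host, replace them with `wg show duconet-wg dump` and `date +%s`.

```shell
#!/bin/sh
# Added example, not from the original page: post-boot tunnel health check.

# Constructed sample of `wg show duconet-wg dump`. Line 1 is the interface
# (private key, public key, listen port, fwmark); the rest are peers. The
# second peer has never handshaken and the third last did so ~2.8 h before NOW.
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' 'PRIVATE-KEY-NOT-SHOWN' 'IFACE-PUBKEY-PLACEHOLDER' 51821 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0=' '(none)' '10.1.200.253:51821' '10.10.10.1/32' 1700000000 4096 8192 25 \
        'kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw=' '(none)' '10.1.203.197:51821' '10.10.10.2/32' 0 0 0 25 \
        '9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8=' '(none)' '10.1.2.10:51821' '10.10.10.3/32' 1699990000 512 512 25
)
NOW=1700000100   # constructed "current time" so the sample is reproducible

# Print "<pubkey> <endpoint> <age-in-seconds|never>" for each peer whose
# latest handshake is older than $3 seconds relative to $2 (epoch seconds).
stale_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                 # interface line, not a peer
        NF < 8  { next }                 # ignore anything that is not a peer line
        $5 == 0 { print $1, $3, "never"; next }
        now - $5 > max { print $1, $3, now - $5 }
    '
}

# Succeed only if the file has no group/other permission bits at all.
# ls(1) is used so the check works on GNU and BSD userlands alike, which
# disagree on stat(1) flags.
key_is_private() {
    _mode=$(ls -ld "$1" | cut -c2-10)
    case "$_mode" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# On the real host: the files restored by the startup script.
for f in /etc/wireguard/privatekey /etc/wireguard/duconet-wg.conf; do
    [ -e "$f" ] && ! key_is_private "$f" && echo "WARN: $f is readable by others"
done

# Flag peers with no handshake in the last 3 minutes (WireGuard rekeys about
# every 2 minutes on an active tunnel, so anything older means no traffic
# is flowing or the peer is unreachable).
stale_peers "$SAMPLE_DUMP" "$NOW" 180
```

Run from an init script or cron on the NAS, the two warnings (a key readable by others, a peer that never completes a handshake) are the earliest signs that the saved copy on the dataset is either over-permissive or stale.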