# Wireguard

## Manual Install

### 1. Install WireGuard

```bash
sudo dnf install -y wireguard-tools qrencode
```

### 2. Generate server keys

```bash
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
# umask is a shell builtin, so it cannot be run through sudo; set it in the
# current shell (sudo inherits it) so the key files are created with mode 600
umask 077
sudo wg genkey | sudo tee privatekey | sudo wg pubkey | sudo tee publickey
```

### 3. Create the WireGuard config

```bash
sudo tee /etc/wireguard/wg0.conf > /dev/null <<'EOF'
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = INSERT_SERVER_PRIVATE_KEY_HERE
PostUp = firewall-cmd --add-port=51820/udp
PostDown = firewall-cmd --remove-port=51820/udp

# [Peer] blocks for clients will be added here. A [Peer] section without a
# PublicKey makes wg-quick reject the file, so none is written yet.
EOF
```

Replace `INSERT_SERVER_PRIVATE_KEY_HERE` with the content of `/etc/wireguard/privatekey`.

### 4. Enable IP forwarding

```bash
sudo tee /etc/sysctl.d/99-wireguard.conf > /dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
```

### 5. Start and enable WireGuard

```bash
sudo systemctl enable --now wg-quick@wg0
```

### 6. Configure firewalld

```bash
# Allow WireGuard through the firewall
sudo firewall-cmd --permanent --add-port=51820/udp

# Enable masquerading (NAT) so clients can reach the internet
sudo firewall-cmd --permanent --add-masquerade

# Allow forwarded traffic from the WireGuard subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.0.0/24" accept'

# Reload and verify
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
```

### 7. Verify it's working

```bash
sudo wg
# wg-quick has no "show" subcommand; interface state comes from wg itself
sudo wg show wg0
systemctl status wg-quick@wg0
```

## Ansible Install

```bash
ansible-playbook \
  -i ansible/inventory.yaml \
  -l wireguard \
  active/systemd_wireguard/install_backup.yaml \
  -e "@active/systemd_wireguard/secrets/vars.yaml"
```

## Add a client

The script reads `publickey` and the `IP` counter file (which holds the next free host number) from the current directory, so run it as root from `/etc/wireguard`.

```bash
# Take the next host number from the IP counter file and bump the counter
export WG_IP_SUFFIX=$(cat IP && echo $(($(cat IP) + 1)) > IP)
export PRIVKEY=$(wg genkey)
export PUBKEY=$(echo $PRIVKEY | wg pubkey)
export SERVER_PUBKEY=$(cat publickey)

# The client config holds a private key: keep the file readable by root only
umask 077

# Write the client config (unquoted heredoc so the variables expand)
cat <<EOF > id_$WG_IP_SUFFIX
[Interface]
PrivateKey = $PRIVKEY
Address = 10.10.0.$WG_IP_SUFFIX/32
DNS = 10.10.0.1

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = pihole.reeserelease.com:51820
AllowedIPs = 10.10.0.1/32
EOF

# Show the config as a QR code for the mobile client to scan
cat id_$WG_IP_SUFFIX | qrencode -t ansiutf8
echo "Added ID $WG_IP_SUFFIX"
echo "Press enter to continue"
read

# Register the peer on the running interface. This is runtime state only: it
# survives the restart below only if wg0.conf has SaveConfig = true; otherwise
# append the matching [Peer] block to wg0.conf before restarting.
wg set wg0 peer $PUBKEY allowed-ips 10.10.0.$WG_IP_SUFFIX/32
wg-quick down wg0 && wg-quick up wg0
```
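The add-client script registers the peer with `wg set`, which is runtime state and is lost on `wg-quick down` unless `SaveConfig = true` is set. The script below is an added example, not part of this README: it provides a `check_wg_conf` helper that catches the mistakes the manual install steps make easy (placeholder never replaced, malformed key, config readable by other users, a `[Peer]` block missing `PublicKey` or `AllowedIPs`) and an `add_peer` helper that appends a persistent `[Peer]` block to the server config while refusing duplicate keys or addresses. The sample keys are constructed (base64 of fixed bytes, not real keys), the config is written to a temporary file, and no `wg` binary is required.

```shell
#!/bin/sh
# Added example, not part of the original README: sanity-check a wg0.conf
# produced by the manual install and append persistent [Peer] blocks.
# Sample keys are constructed placeholders (base64 of 32 fixed bytes), so
# the file runs without the wg tools installed and never touches /etc.

# A WireGuard key is 32 bytes of base64: 43 characters plus one '=' pad, and
# the 43rd character can only be one of the 16 values whose low two bits are 0.
WG_KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
SAMPLE_SERVER_KEY=$(head -c 32 /dev/zero | base64)   # constructed: all-zero bytes
SAMPLE_CLIENT_KEY=$(printf '%032d' 1 | base64)       # constructed: ASCII digits

# is_wg_key KEY: succeed if KEY has the shape of a WireGuard key
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq "$WG_KEY_RE"
}

# write_sample_conf FILE: a server config like install step 3, with the
# placeholder replaced and no empty [Peer] stub; mode 600 via umask
write_sample_conf() {
    ( umask 077
      printf '[Interface]\nAddress = 10.10.0.1/24\nListenPort = 51820\nPrivateKey = %s\n' \
          "$SAMPLE_SERVER_KEY" > "$1" )
}

# check_wg_conf FILE: fail on a leftover placeholder, a malformed PrivateKey,
# a file readable by other users, or a [Peer] missing PublicKey/AllowedIPs
check_wg_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "check: $conf missing" >&2; return 1; }
    if grep -q 'INSERT_SERVER_PRIVATE_KEY_HERE' "$conf"; then
        echo "check: PrivateKey placeholder never replaced" >&2; return 1
    fi
    key=$(sed -n 's/^PrivateKey *= *//p' "$conf" | head -n 1)
    is_wg_key "$key" || { echo "check: PrivateKey malformed" >&2; return 1; }
    mode=$(stat -c '%a' "$conf")                      # GNU stat (Linux)
    case "$mode" in
        600|400) ;;
        *) echo "check: mode $mode exposes the private key" >&2; return 1 ;;
    esac
    # walk the sections: every [Peer] needs both PublicKey and AllowedIPs
    awk '
        /^\[/ { if (peer && !(pk && ips)) bad++
                peer = ($0 == "[Peer]"); pk = 0; ips = 0; next }
        peer && /^PublicKey *=/  { pk = 1 }
        peer && /^AllowedIPs *=/ { ips = 1 }
        END { if (peer && !(pk && ips)) bad++; exit (bad > 0) }
    ' "$conf" || { echo "check: a [Peer] lacks PublicKey or AllowedIPs" >&2; return 1; }
}

# add_peer FILE PUBKEY IP: append a [Peer] block that survives wg-quick
# down/up (unlike a bare `wg set`), refusing duplicate keys or addresses
add_peer() {
    conf=$1; pub=$2; ip=$3
    is_wg_key "$pub" || { echo "add_peer: bad public key" >&2; return 1; }
    case "$ip" in
        10.10.0.[0-9]|10.10.0.[0-9][0-9]|10.10.0.[0-9][0-9][0-9]) ;;
        *) echo "add_peer: $ip is outside 10.10.0.0/24" >&2; return 1 ;;
    esac
    if grep -Fqx "PublicKey = $pub" "$conf"; then
        echo "add_peer: key already configured" >&2; return 1
    fi
    if grep -Fqx "AllowedIPs = $ip/32" "$conf"; then
        echo "add_peer: $ip already allocated" >&2; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip" >> "$conf"
}

# count_peers FILE: number of [Peer] blocks, so a caller can verify the result
count_peers() {
    grep -c '^\[Peer\]$' "$1" || true
}

# Stand-alone demo on a temporary file
DEMO_DIR=$(mktemp -d)
write_sample_conf "$DEMO_DIR/wg0.conf"
if check_wg_conf "$DEMO_DIR/wg0.conf" && add_peer "$DEMO_DIR/wg0.conf" "$SAMPLE_CLIENT_KEY" 10.10.0.2; then
    echo "demo: $(count_peers "$DEMO_DIR/wg0.conf") peer block(s) written"
fi
rm -rf "$DEMO_DIR"
```

Run `check_wg_conf /etc/wireguard/wg0.conf` after step 3 (and again after adding peers) and it returns non-zero with a reason on stderr; `add_peer` is the persistent counterpart of the `wg set wg0 peer ...` line, after which `wg-quick down wg0 && wg-quick up wg0` picks the block up from the file.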