
# Wireguard
## Manual Install
### 1. Install WireGuard
```bash
# wireguard-tools provides wg and wg-quick; qrencode renders client configs as
# terminal QR codes so phones can import them without copying the private key around.
sudo dnf install --assumeyes wireguard-tools qrencode
```
### 2. Generate server keys
```bash
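# Generate the server keypair as root inside /etc/wireguard.
#
# `sudo umask 077` does NOT do what it looks like: umask is a shell builtin, so sudo
# either cannot find it or runs it in a throwaway process, and the calling shell keeps
# its default umask (022). `tee privatekey` then creates a world-readable private key.
# The umask has to be set inside the same root shell that writes the files.
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
sudo bash -c 'set -o pipefail; umask 077; cd /etc/wireguard \
  && wg genkey | tee privatekey | wg pubkey > publickey'
# Belt and braces: the private key must be readable by root only.
sudo chmod 600 /etc/wireguard/privatekey
# Print the public key (this is what clients need; the private key never leaves the file).
sudo cat /etc/wireguard/publickey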
```
### 3. Create the WireGuard config
```bash
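# Write the interface config. It holds the server's private key, so create the file
# with mode 600 *before* writing into it (tee truncates an existing file and keeps its
# mode) instead of letting tee create it 644 under the default umask.
sudo install -m 600 -o root -g root /dev/null /etc/wireguard/wg0.conf
sudo tee /etc/wireguard/wg0.conf > /dev/null <<'EOF'
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = INSERT_SERVER_PRIVATE_KEY_HERE
# Runtime-only firewall opening; step 6 makes it permanent.
PostUp = firewall-cmd --add-port=51820/udp
PostDown = firewall-cmd --remove-port=51820/udp
# Add one [Peer] block per client below (PublicKey + AllowedIPs, optionally PresharedKey).
# Do NOT leave an empty [Peer] section as a placeholder: wg rejects a peer without a
# PublicKey ("A peer is missing a public key") and `wg-quick up wg0` fails.
EOF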
```
Replace `INSERT_SERVER_PRIVATE_KEY_HERE` with the content of `/etc/wireguard/privatekey` (for example with `sudoedit /etc/wireguard/wg0.conf`), and make sure the config stays readable by root only (`sudo chmod 600 /etc/wireguard/wg0.conf`), since it now contains the server's private key.
### 4. Enable IP forwarding
```bash
# Persist forwarding for both address families in a dedicated sysctl.d drop-in, then
# load just that file so the setting takes effect without a reboot.
printf '%s\n' \
  'net.ipv4.ip_forward = 1' \
  'net.ipv6.conf.all.forwarding = 1' \
  | sudo tee /etc/sysctl.d/99-wireguard.conf > /dev/null
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
```
### 5. Start and enable WireGuard
```bash
# Start wg0 now and at every boot. wg-quick reads /etc/wireguard/wg0.conf; its PostUp
# line opens 51820/udp for this session, step 6 makes the firewall rules permanent.
sudo systemctl enable wg-quick@wg0.service --now
```
### 6. Configure firewalld
```bash
# Permanently open the WireGuard listen port (PostUp in wg0.conf only opens it at runtime).
sudo firewall-cmd --permanent --add-port=51820/udp
# Accept everything arriving from the tunnel subnet. NOTE: this exposes every service on
# this host to VPN clients, not just DNS; narrow it (e.g. --add-service=dns) if that is
# not intended.
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.0.0/24" accept'
# NAT traffic that leaves this host on behalf of clients. Only needed for peers whose
# AllowedIPs cover the internet (0.0.0.0/0); the client profile in "Add a client" does not.
sudo firewall-cmd --permanent --add-masquerade
# Activate the permanent rules and print the resulting zone for inspection.
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
```
### 7. Verify it's working
```bash
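# Runtime state of the tunnel: listen port, public key, peers, latest handshakes, byte counters.
sudo wg show wg0
# wg-quick has no `show` subcommand (only up/down/save/strip); check the unit and the
# interface instead.
systemctl status wg-quick@wg0
ip -brief address show wg0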
```
## Ansible Install
```bash
# Run the WireGuard playbook against the `wireguard` inventory group only.
# The extra-vars file lives under secrets/ and presumably carries key material;
# keep it out of version control.
ansible-playbook --inventory ansible/inventory.yaml --limit wireguard \
  --extra-vars "@active/systemd_wireguard/secrets/vars.yaml" \
  active/systemd_wireguard/install_backup.yaml
```
## Add a client
```bash
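#!/usr/bin/env bash
# Add a WireGuard client. Save as a script and run it as root from /etc/wireguard.
#
# Reads  IP         - the next free host suffix (seed it with 2; .1 is the server)
#        publickey  - the server public key from step 2
# Writes id_<suffix> - the client config (printed as a QR code as well)
#        wg0.conf   - gains a [Peer] block for the new client
#
# Fixes versus the previous version of this snippet:
#   * id_<suffix> was created under the default umask, i.e. the client's private key
#     was world-readable;
#   * the peer was only added with `wg set` and then discarded by the wg-quick down/up
#     restart (which also dropped every other client's tunnel). The peer now lives in
#     wg0.conf and is applied with `wg syncconf`, which does not interrupt existing peers.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "run as root from /etc/wireguard"
[[ -r publickey ]] || die "publickey not found in $PWD (cd /etc/wireguard first)"
[[ -r IP ]] || die "IP counter file not found; seed it with the first client suffix, e.g. 2"

# Hand out the current counter value and bump it for the next client.
suffix=$(<IP)
if ! [[ $suffix =~ ^[0-9]+$ ]] || (( suffix < 2 || suffix > 254 )); then
  die "IP counter '$suffix' is not a usable host suffix (2-254)"
fi
printf '%s\n' "$((suffix + 1))" > IP

umask 077   # every file written below contains key material

client_key=$(wg genkey)
client_pub=$(printf '%s\n' "$client_key" | wg pubkey)
psk=$(wg genpsk)   # per-peer preshared key: an extra symmetric layer on top of the handshake
server_pub=$(<publickey)
client_conf="id_${suffix}"

# Split tunnel: only the server itself (and DNS via it) is routed through the VPN.
# Use AllowedIPs = 0.0.0.0/0 if the client should send all traffic via this server;
# that is the case the masquerade rule in step 6 exists for.
cat > "$client_conf" <<EOF
[Interface]
PrivateKey = $client_key
Address = 10.10.0.${suffix}/32
DNS = 10.10.0.1
[Peer]
PublicKey = $server_pub
PresharedKey = $psk
Endpoint = pihole.reeserelease.com:51820
AllowedIPs = 10.10.0.1/32
EOF

qrencode -t ansiutf8 < "$client_conf"
printf 'Added ID %s (client config: %s/%s)\n' "$suffix" "$PWD" "$client_conf"
read -r -p 'Press enter to continue' _

# Persist the peer. wg0.conf must not contain an empty [Peer] placeholder, or wg
# rejects the whole config ("A peer is missing a public key").
cat >> wg0.conf <<EOF

[Peer]
# ${client_conf}
PublicKey = $client_pub
PresharedKey = $psk
AllowedIPs = 10.10.0.${suffix}/32
EOF

# Apply the new peer without taking the interface down (the idiom from wg-quick(8)).
wg syncconf wg0 <(wg-quick strip wg0)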
```