raspberry_wireguard

raspberry_wireguard [2022/02/17 18:15] herwarth
raspberry_wireguard [2022/02/17 19:07] (current) herwarth
Line 15: Line 15:
 systemctl enable ssh.service systemctl enable ssh.service
 systemctl start ssh.service systemctl start ssh.service
 +</code>
 +==== Setting fixed IP on interface ====
 +<code - /etc/dhcpcd.conf>
 +.
 +.
 +.
 +interface eth0
 +static ip_address=172.16.2.1/24
 +static routers=172.16.2.254
 +static domain_name_servers=172.16.1.50 208.67.222.222
 +</code>
 +==== Use SSH keys to login ====
 +<code>
 +ssh-keygen
 +</code>
 +<code - ~/.ssh/authorized_keys>
 +ssh-rsa ...
 +ssh-rsa ...
 +ssh-rsa ...
 </code> </code>
 ==== Making the system as read-only as-possible ==== ==== Making the system as read-only as-possible ====
 <code> <code>
-apt-get update +apt update 
-apt-get -y upgrade +apt upgrade -y 
-apt-get -y remove --purge triggerhappy logrotate dphys-swapfile dc nano +apt remove -y --purge triggerhappy logrotate dphys-swapfile dc nano 
-apt-get -y autoremove --purge+apt autoremove --purge -y
 </code> </code>
 Edit the following file and add "fastboot noswap ro" to the end of the line so it looks something like this: Edit the following file and add "fastboot noswap ro" to the end of the line so it looks something like this:
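Review bot: the new "Use SSH keys to login" block stops at populating `~/.ssh/authorized_keys`, but the hardening only takes effect once password logins are switched off, which this hunk never shows. Suggest a companion `<code - /etc/ssh/sshd_config>` block with `PasswordAuthentication no` (and `PubkeyAuthentication yes`) followed by `systemctl restart ssh.service`, plus a sentence telling the reader to confirm a key login from a second session before closing the first. Two smaller points in the same hunk: `~/.ssh` must be mode 700 and `authorized_keys` mode 600, otherwise sshd ignores the file under its default StrictModes; and the `apt-get` to `apt` substitution in the "read-only" block trades a script-stable interface for one that warns it "does not have a stable CLI interface" when its output is piped, so if these lines are meant to be pasted into a script, `apt-get -y` was the safer choice.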
Line 27: Line 46:
 console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro</code> console=serial0,115200 console=tty1 root=PARTUUID=6c586e13-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro</code>
 <code> <code>
-apt-get -y install busybox-syslogd +apt install -y busybox-syslogd 
-apt-get -y remove --purge rsyslog+apt remove -y --purge rsyslog
 </code> </code>
 ==== Bashrc aliases ==== ==== Bashrc aliases ====
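Review bot: the `busybox-syslogd`/`rsyslog` lines carry the same `apt-get` to `apt` substitution as the previous hunk, with the same script-stability caveat. Also worth stating in the prose above the cmdline example that `PARTUUID=6c586e13-02` is specific to the author's SD card and must not be copied; readers should append only `fastboot noswap ro` to whatever `root=` line their own `/boot/cmdline.txt` already contains, since a wrong PARTUUID leaves the Pi unbootable.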
Line 34: Line 53:
 <code - /etc/bash.bashrc> <code - /etc/bash.bashrc>
 alias temp='/usr/bin/vcgencmd measure_temp' alias temp='/usr/bin/vcgencmd measure_temp'
 +</code>
 +====Unattended upgrades====
 +I do not want to update manually.
 +<code>
 +apt install -y unattended-upgrades apt-listchanges
 +</code>
 +<code>
 +cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/52unattended-upgrades
 +</code>
 +<code - /etc/apt/apt.conf.d/52unattended-upgrades>
 +.
 +.
 +Unattended-Upgrade::Origins-Pattern {
 +        // Codename based matching:
 +        // This will follow the migration of a release through different
 +        // archives (e.g. from testing to stable and later oldstable).
 +        // Software will be the latest available for the named release,
 +        // but the Debian release itself will not be automatically upgraded.
 +        "${distro_id}:${distro_codename}";
 +
 +        // Archive or Suite based matching:
 +        // Note that this will silently match a different release after
 +        // migration to the specified archive (e.g. testing becomes the
 +        // new stable).
 +//      "o=Debian,a=stable";
 +//      "o=Debian,a=stable-updates";
 +//      "o=Debian,a=proposed-updates";
 +//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
 +};
 +.
 +.
 +.
 +// Remove unused automatically installed kernel-related packages
 +// (kernel images, kernel headers and kernel version locked tools).
 +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 +
 +// Do automatic removal of newly unused dependencies after the upgrade
 +Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
 +
 +// Do automatic removal of unused packages after the upgrade
 +// (equivalent to apt-get autoremove)
 +Unattended-Upgrade::Remove-Unused-Dependencies "true";
 +
 +// Automatically reboot *WITHOUT CONFIRMATION* if
 +//  the file /var/run/reboot-required is found after the upgrade
 +Unattended-Upgrade::Automatic-Reboot "true";
 +
 +// Automatically reboot even if there are users currently logged in
 +// when Unattended-Upgrade::Automatic-Reboot is set to true
 +Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 +
 +// If automatic reboot is enabled and needed, reboot at the specific
 +// time instead of immediately
 +//  Default: "now"
 +Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 +.
 +.
 +</code>
 +Test
 +<code>
 +unattended-upgrades -d
 +</code>
 +This should not give any error
 +<code>
 +dpkg-reconfigure -plow unattended-upgrades
 +</code>
 +===== Wireguard =====
 +==== Packages ====
 +<code>
 +apt install -y wireguard qrencode
 +</code>
 +==== IP forwarding====
 +<code - /etc/sysctl.conf>
 +.
 +.
 +net.ipv4.ip_forward=1
 +.
 +.
 +</code>
 +<code>
 +sysctl -p /etc/sysctl.conf
 +</code>
 +==== Configuration====
 +I am not going to explain how Wireguard works. There is plenty to find on internet. In this example we ha defined two clients (peers) who can connect to the server
 +<code - /etc/wireguard/wg0.conf>
 +[Interface]
 +Address = 192.168.168.1
 +ListenPort = 51820
 +PrivateKey = <PRIVATE-KEY-SERVER>
 +
 +[Peer]
 +PublicKey = <PUBLIC-KEY-CLIENT1>
 +AllowedIPs = 192.168.168.2/32
 +
 +[Peer]
 +PublicKey = <PUBLIC-KEY-CLIENT2>
 +AllowedIPs = 192.168.168.3/32
 +</code>
 +
 +==== Enable the wg-quick service====
 +<code>
 +systemctl enable wg-quick@wg0
 +systemctl start wg-quick@wg0
 +systemctl status wg-quick@wg0
 +● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
 +     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
 +     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago
 +       Docs: man:wg-quick(8)
 +             man:wg(8)
 +             https://www.wireguard.com/
 +             https://www.wireguard.com/quickstart/
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 +    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 +   Main PID: 913 (code=exited, status=0/SUCCESS)
 +        CPU: 144ms
 +
 +Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0
 +Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
 +</code>
 +
 +==== Enable masquerading ====
 +Raspberry OS has changed to nftables instead of iptabes
 +<code - /etc/nftables.conf>
 +.
 +.
 +.
 +add table wireguard-nat
 +
 +table ip wireguard-nat {
 +        chain prerouting {
 +                type nat hook prerouting priority -100; policy accept;
 +        }
 +
 +        chain postrouting {
 +                type nat hook postrouting priority 100; policy accept;
 +                oifname "eth0" masquerade
 +        }
 +}
 +</code>
 +<code>
 +systemctl enable --now nftables
 +systemctl start nftables
 +</code>
 +====Done====
 +Do a final reboot
 +<code>
 +shutdown -r now
 </code> </code>
 {{tag>linux}} {{tag>linux}}
 +
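Review bot: the unattended-upgrades section conflicts with the read-only root set up earlier on the page. With `ro` on the kernel command line, `52unattended-upgrades` enabling `Automatic-Reboot "true"` and `Automatic-Reboot-WithUsers "true"` will never get to reboot, because dpkg cannot write `/` or `/var` and the nightly run fails at package installation; the page should either document a remount around the run (`mount -o remount,rw /` before, `ro` after) or drop the read-only step, and the "This should not give any error" check should be repeated after booting into the read-only root, not only before. Related: `cp 50unattended-upgrades 52unattended-upgrades` keeps both files active. Scalar keys in the 52 file override the 50 file, but list blocks such as `Unattended-Upgrade::Origins-Pattern { ... }` accumulate across apt.conf.d files unless the copy starts with `#clear Unattended-Upgrade::Origins-Pattern;`, and the one pattern left uncommented, `"${distro_id}:${distro_codename}"`, names only the base suite, so verify that the "Allowed origins" list printed by `unattended-upgrades -d` covers the `${distro_codename}-security` suite before relying on this for security patches. In the WireGuard part, `/etc/wireguard/wg0.conf` holds `<PRIVATE-KEY-SERVER>`, so add `chmod 600 /etc/wireguard/wg0.conf` (wg-quick warns when the file is group or world readable); and `Address = 192.168.168.1` without a prefix length becomes a /32, visible in the status output as `ip -4 address add 192.168.168.1 dev wg0`, which works here only because each peer's `AllowedIPs` adds its own /32 route; a sentence saying so would stop readers expecting a /24 on the interface. Finally, `net.ipv4.ip_forward=1` plus `oifname "eth0" masquerade` turns the Pi into a full router for every peer with no filter rules at all; consider a forward chain that accepts only `iifname "wg0"` traffic toward the destinations the peers actually need, drop the empty `prerouting` chain, and remove the `systemctl start nftables` line, which is redundant after `systemctl enable --now nftables`.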
raspberry_wireguard.1645121727.txt.gz · Last modified: by herwarth