raspberry_wireguard

raspberry_wireguard [2022/02/17 18:35] herwarth | raspberry_wireguard [2022/02/17 19:07] (current) herwarth
Line 15: Line 15:
 systemctl enable ssh.service systemctl enable ssh.service
 systemctl start ssh.service systemctl start ssh.service
 +</code>
 +==== Setting fixed IP on interface ====
 +<code - /etc/dhcpcd.conf>
 +.
 +.
 +.
 +interface eth0
 +static ip_address=172.16.2.1/24
 +static routers=172.16.2.254
 +static domain_name_servers=172.16.1.50 208.67.222.222
 +</code>
 +==== Use SSH keys to login ====
 +<code>
 +ssh-keygen
 +</code>
 +<code - ~/.ssh/authorized_keys>
 +ssh-rsa ...
 +ssh-rsa ...
 +ssh-rsa ...
 </code> </code>
 ==== Making the system as read-only as-possible ==== ==== Making the system as read-only as-possible ====
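Review bot: the `~/.ssh/authorized_keys` block installs keys, but nothing in this hunk disables password logins, so the key setup adds a second way in rather than replacing the first. Suggest a follow-up `<code - /etc/ssh/sshd_config>` block with `PasswordAuthentication no` (and `PermitRootLogin no`), followed by `systemctl restart ssh.service`, plus a one-line reminder that `~/.ssh` and `authorized_keys` must not be group- or world-writable, otherwise sshd silently ignores the file and the key login fails. The three placeholder `ssh-rsa ...` lines are fine as-is, but a comment saying one key per line and one line per admin device would make the intent clearer.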
Line 35: Line 54:
 alias temp='/usr/bin/vcgencmd measure_temp' alias temp='/usr/bin/vcgencmd measure_temp'
 </code> </code>
-==== Wireguard ==== +====Unattended upgrades==== 
-===== Installation =====+I do not want to update manually. 
 +<code> 
 +apt install -y unattended-upgrades apt-listchanges 
 +</code> 
 +<code> 
 +cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/52unattended-upgrades 
 +</code> 
 +<code - /etc/apt/apt.conf.d/52unattended-upgrades> 
 +
 +
 +Unattended-Upgrade::Origins-Pattern { 
 +        // Codename based matching: 
 +        // This will follow the migration of a release through different 
 +        // archives (e.g. from testing to stable and later oldstable). 
 +        // Software will be the latest available for the named release, 
 +        // but the Debian release itself will not be automatically upgraded. 
 +        "${distro_id}:${distro_codename}"; 
 + 
 +        // Archive or Suite based matching: 
 +        // Note that this will silently match a different release after 
 +        // migration to the specified archive (e.g. testing becomes the 
 +        // new stable). 
 +//      "o=Debian,a=stable"; 
 +//      "o=Debian,a=stable-updates"; 
 +//      "o=Debian,a=proposed-updates"; 
 +//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; 
 +}; 
 +
 +
 +
 +// Remove unused automatically installed kernel-related packages 
 +// (kernel images, kernel headers and kernel version locked tools). 
 +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; 
 + 
 +// Do automatic removal of newly unused dependencies after the upgrade 
 +Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 
 + 
 +// Do automatic removal of unused packages after the upgrade 
 +// (equivalent to apt-get autoremove) 
 +Unattended-Upgrade::Remove-Unused-Dependencies "true"; 
 + 
 +// Automatically reboot *WITHOUT CONFIRMATION* if 
 +//  the file /var/run/reboot-required is found after the upgrade 
 +Unattended-Upgrade::Automatic-Reboot "true"; 
 + 
 +// Automatically reboot even if there are users currently logged in 
 +// when Unattended-Upgrade::Automatic-Reboot is set to true 
 +Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; 
 + 
 +// If automatic reboot is enabled and needed, reboot at the specific 
 +// time instead of immediately 
 +//  Default: "now" 
 +Unattended-Upgrade::Automatic-Reboot-Time "02:00"; 
 +
 +
 +</code> 
 +Test 
 +<code> 
 +unattended-upgrades -d 
 +</code> 
 +This should not give any error 
 +<code> 
 +dpkg-reconfigure -plow unattended-upgrades 
 +</code> 
 +===== Wireguard ===== 
 +==== Packages ==== 
 +<code> 
 +apt install -y wireguard qrencode 
 +</code> 
 +==== IP forwarding==== 
 +<code - /etc/sysctl.conf> 
 +
 +
 +net.ipv4.ip_forward=1 
 +
 +
 +</code> 
 +<code> 
 +sysctl -p /etc/sysctl.conf 
 +</code> 
 +==== Configuration==== 
 +I am not going to explain how Wireguard works. There is plenty to find on internet. In this example we ha defined two clients (peers) who can connect to the server 
 +<code - /etc/wireguard/wg0.conf> 
 +[Interface] 
 +Address = 192.168.168.1 
 +ListenPort = 51820 
 +PrivateKey = <PRIVATE-KEY-SERVER> 
 + 
 +[Peer] 
 +PublicKey = <PUBLIC-KEY-CLIENT1> 
 +AllowedIPs = 192.168.168.2/32 
 + 
 +[Peer] 
 +PublicKey = <PUBLIC-KEY-CLIENT2> 
 +AllowedIPs = 192.168.168.3/32 
 +</code> 
 + 
 +==== Enable the wg-quick service==== 
 +<code> 
 +systemctl enable wg-quick@wg0 
 +systemctl start wg-quick@wg0 
 +systemctl status wg-quick@wg0 
 +● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0 
 +     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled) 
 +     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago 
 +       Docs: man:wg-quick(8) 
 +             man:wg(8) 
 +             https://www.wireguard.com/ 
 +             https://www.wireguard.com/quickstart/ 
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 
 +    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS) 
 +   Main PID: 913 (code=exited, status=0/SUCCESS) 
 +        CPU: 144ms 
 + 
 +Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0... 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0 
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0 
 +Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0. 
 +</code> 
 + 
 +==== Enable masquerading ==== 
 +Raspberry OS has changed to nftables instead of iptabes 
 +<code - /etc/nftables.conf> 
 +
 +
 +
 +add table wireguard-nat 
 + 
 +table ip wireguard-nat { 
 +        chain prerouting { 
 +                type nat hook prerouting priority -100; policy accept; 
 +        } 
 + 
 +        chain postrouting { 
 +                type nat hook postrouting priority 100; policy accept; 
 +                oifname "eth0" masquerade 
 +        } 
 +
 +</code> 
 +<code> 
 +systemctl enable --now nftables 
 +systemctl start nftables 
 +</code> 
 +====Done==== 
 +Do a final reboot 
 +<code> 
 +shutdown -r now 
 +</code>
 {{tag>linux}} {{tag>linux}}
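Review bot: the `/etc/nftables.conf` block is missing the closing `}` of `table ip wireguard-nat {`: both chains are closed, but the table is not, so `nft -f` rejects the file with a syntax error, the `nftables` unit fails to start, and the masquerade rule is never installed, which means peers reach the Pi itself but nothing behind `eth0`. Add a `}` before `</code>` and validate with `nft -c -f /etc/nftables.conf` before `systemctl enable --now nftables`; the following `systemctl start nftables` is redundant, since `--now` already starts the unit, and the empty `prerouting` chain can be dropped. Two smaller points: `Unattended-Upgrade::Automatic-Reboot-WithUsers "true"` combined with `Automatic-Reboot "true"` will drop every active tunnel at `02:00` whenever a reboot is required, which may be acceptable for a home gateway but is worth stating next to the config; and `Address = 192.168.168.1` in `wg0.conf` has no prefix length, so `ip` adds it as a /32 (as the `ip -4 address add 192.168.168.1 dev wg0` log line shows) and reachability relies entirely on the per-peer `AllowedIPs` routes, which works here but is usually written `192.168.168.1/24`.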
  
raspberry_wireguard.1645122900.txt.gz · Last modified: by herwarth