User Tools

Site Tools

Trace:
raspberry_wireguard

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
raspberry_wireguard [2022/02/17 18:45] โ€“ herwarthraspberry_wireguard [2022/02/17 19:07] (current) โ€“ herwarth
Line 53: Line 53:
 <code - /etc/bash.bashrc> <code - /etc/bash.bashrc>
 alias temp='/usr/bin/vcgencmd measure_temp' alias temp='/usr/bin/vcgencmd measure_temp'
 +</code>
 +====Unattended upgrades====
 +I do not want to update manually.
 +<code>
 +apt install -y unattended-upgrades apt-listchanges
 +</code>
 +<code>
 +cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/52unattended-upgrades
 +</code>
 +<code - /etc/apt/apt.conf.d/52unattended-upgrades>
 +.
 +.
 +Unattended-Upgrade::Origins-Pattern {
 +        // Codename based matching:
 +        // This will follow the migration of a release through different
 +        // archives (e.g. from testing to stable and later oldstable).
 +        // Software will be the latest available for the named release,
 +        // but the Debian release itself will not be automatically upgraded.
 +        "${distro_id}:${distro_codename}";
 +
 +        // Archive or Suite based matching:
 +        // Note that this will silently match a different release after
 +        // migration to the specified archive (e.g. testing becomes the
 +        // new stable).
 +//      "o=Debian,a=stable";
 +//      "o=Debian,a=stable-updates";
 +//      "o=Debian,a=proposed-updates";
 +//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
 +};
 +.
 +.
 +.
 +// Remove unused automatically installed kernel-related packages
 +// (kernel images, kernel headers and kernel version locked tools).
 +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 +
 +// Do automatic removal of newly unused dependencies after the upgrade
 +Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
 +
 +// Do automatic removal of unused packages after the upgrade
 +// (equivalent to apt-get autoremove)
 +Unattended-Upgrade::Remove-Unused-Dependencies "true";
 +
 +// Automatically reboot *WITHOUT CONFIRMATION* if
 +//  the file /var/run/reboot-required is found after the upgrade
 +Unattended-Upgrade::Automatic-Reboot "true";
 +
 +// Automatically reboot even if there are users currently logged in
 +// when Unattended-Upgrade::Automatic-Reboot is set to true
 +Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 +
 +// If automatic reboot is enabled and needed, reboot at the specific
 +// time instead of immediately
 +//  Default: "now"
 +Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 +.
 +.
 +</code>
 +Test
 +<code>
 +unattended-upgrades -d
 +</code>
 +This should not give any error
 +<code>
 +dpkg-reconfigure -plow unattended-upgrades
 </code> </code>
 ===== Wireguard ===== ===== Wireguard =====
 ==== Packages ==== ==== Packages ====
 <code> <code>
-apt install -y wireguard +apt install -y wireguard qrencode
 </code> </code>
 ==== IP forwarding==== ==== IP forwarding====
Line 70: Line 135:
 sysctl -p /etc/sysctl.conf sysctl -p /etc/sysctl.conf
 </code> </code>
 +==== Configuration====
 +I am not going to explain how Wireguard works. There is plenty to find on internet. In this example we ha defined two clients (peers) who can connect to the server
 +<code - /etc/wireguard/wg0.conf>
 +[Interface]
 +Address = 192.168.168.1
 +ListenPort = 51820
 +PrivateKey = <PRIVATE-KEY-SERVER>
  
 +[Peer]
 +PublicKey = <PUBLIC-KEY-CLIENT1>
 +AllowedIPs = 192.168.168.2/32
  
 +[Peer]
 +PublicKey = <PUBLIC-KEY-CLIENT2>
 +AllowedIPs = 192.168.168.3/32
 +</code>
 +
 +==== Enable the wg-quick service====
 +<code>
 +systemctl enable wg-quick@wg0
 +systemctl start wg-quick@wg0
 +systemctl status wg-quick@wg0
 +โ— wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
 +     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
 +     Active: active (exited) since Thu 2022-02-17 19:52:38 CET; 7s ago
 +       Docs: man:wg-quick(8)
 +             man:wg(8)
 +             https://www.wireguard.com/
 +             https://www.wireguard.com/quickstart/
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
 +             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 +    Process: 913 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 +   Main PID: 913 (code=exited, status=0/SUCCESS)
 +        CPU: 144ms
 +
 +Feb 17 19:52:38 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link add wg0 type wireguard
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] wg setconf wg0 /dev/fd/63
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 address add 192.168.168.1 dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip link set mtu 1420 up dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.3/32 dev wg0
 +Feb 17 19:52:38 wireguard wg-quick[913]: [#] ip -4 route add 192.168.168.2/32 dev wg0
 +Feb 17 19:52:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
 +</code>
 +
 +==== Enable masquerading ====
 +Raspberry OS has changed to nftables instead of iptabes
 +<code - /etc/nftables.conf>
 +.
 +.
 +.
 +add table wireguard-nat
 +
 +table ip wireguard-nat {
 +        chain prerouting {
 +                type nat hook prerouting priority -100; policy accept;
 +        }
 +
 +        chain postrouting {
 +                type nat hook postrouting priority 100; policy accept;
 +                oifname "eth0" masquerade
 +        }
 +}
 +</code>
 +<code>
 +systemctl enable --now nftables
 +systemctl start nftables
 +</code>
 +====Done====
 +Do a final reboot
 +<code>
 +shutdown -r now
 +</code>
 {{tag>linux}} {{tag>linux}}
  
raspberry_wireguard.1645123553.txt.gz ยท Last modified: by herwarth

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki