WireGuard notes and tips n tricks!!

[lilith]

haiiihaiii fellow tinkerers!!

ever bashed your head once because WireGuard was running well and up but you couldn't get handshake working between two your computers?

well, turns out, yeah, the guides for it are imo just... yeah, too messy, so I'll basically note one thing when you do in fact have both WireGuard interfaces up already and running, but can't handshake nor receive or send:

both your configurations must mention each other directly in [peer] section!!!

yeah, i was like, what the heck??????????

so yeah, had to fix that quickly and bam, now it works!! :3c

oh also, don't get confused by the artificial label "server"; in WireGuard there are no servers, only peers, awawawawa (really, it's just connecting computers directly, so now logically you will know all your peers need [Peer] section instead of thinking you can leave that out for like, a peer to connect to bc it will not work since it will not recognize anything else)

[lilith]

oh also, if you want to connect over Internet, it's kinda obvious at first except if you set like AllowedIPs = 0.0.0.0/0, you won't be able to uh, yeah, have Internet connection because iirc you're uh, basically, binding to all addresses, so it's stealing all your yummy online videos or should i spit, literally tv for all your meal needs (who doesn't watch the 0.25p computer build????? while eating they fries?????????), so yeah

edit: almost forgot this BUT if using router firewall, you need to set protocol for open port to UDP!! like, WireGuard uses UDP for connections :3c (i think by default but feel free to correct me!!)

[lilith]

but yes, if you want to connect to your wireguard externally, just replace the endpoint with public address (assuming you've first tried it inside your local network) :3c

[lilith]

furthermore :3c:

ideally you should have the keys inaccessible for anyone but yourself, with like umask 077 before creating stuff :3c and reverting to prior umask after being done!!

oh also, make sure to have like, separate configs on your machine if you're connecting not just inside your place, but even outside as well, awawawa!!

also from that point, your peers are pretty much extensible in terms of configuration regarding peers; you can have as many as you need!! just make sure to ever not leak your keys

[lilith]

now, when you do have SSH listening to WireGuard network interface, there's a problem or few waiting for you if you reboot!!

1) the system if it's behind the router needs to receive IP addresses and stuff assigned by the router --> just get a daemon responsible for DHCP

now, that's easy to solve. BUT, sshd will fail usually because WireGuard virtual network interface isn't up yet, and it never tries again, so you're basically going to lock yourself out 100% everytime you restart. </3

that's why it's very necessary to have services wait for WireGuard virtual network interface to be up!! then everything else should proceed nicely!!

in that case, assuming we use systemd, i read that we simply need to change the systemd file for sshd to run only if WireGuard virtual net interface such as wg0 is up!! to do that, simply do

Code: Select all

# systemctl edit --full sshd

and then do these lines under [Unit]:

Code: Select all

After=network.target wg-quick@wg0.service
Requires=sys-devices-virtual-net-wg0.device

reload the sshd service and bam, now it should always wait for wg0 before listening to the virtual interface!!

of course if the WireGuard interface is of different name, say "tincan", you will reflect that in the systemd file as well :3c

but yeah, heck yeah, should work nicely and issues be gone!!

[lilith]

by the way if anyone happens to wants to route their Internet traffic entirely through VPN because we all entirely understand us bird flipping the anti-fun people and entities, this one is a pretty good summary that leads to you having a script for it :3c

tldr; network namespaces for the win!!

https://www.wireguard.com/netns/