These are my notes for NetBSD and Linux.

My normal subnet is 10.0.0.0/16 and my WireGuard VPN subnet is 10.1.0.0/16.

rp4-4g is my Raspberry Pi 4 4GB NFS server.
rp4-8g is my Raspberry Pi 4 8GB Debian NFS client.
z600   is my HP Z600 Debian NFS client.

Substitute your own IP addresses and peers for these. Good luck.



--------------------------------------------------------------------------------
Configure NetBSD as WireGuard server:

Load if_wg module on boot:
vi /etc/modules.conf
if_wg

and then reboot

Generate server private and public keys:
umask 0077
mkdir /etc/wireguard
wg-keygen > /etc/wireguard/wg0.prv
wg-keygen --pub < /etc/wireguard/wg0.prv > /etc/wireguard/wg0.pub
umask 0022

Configure wg0 interface and add peers (max peer name length is 16 chars):
cat > /etc/ifconfig.wg0 << 'EOF'
inet 10.1.0.5/16
!wgconfig ${int} set private-key /etc/wireguard/${int}.prv
!wgconfig ${int} set listen-port 51820
!wgconfig ${int} add peer z600   <base64 client public key> --allowed-ips=10.1.0.2/32
!wgconfig ${int} add peer rp4-8g <base64 client public key> --allowed-ips=10.1.0.6/32
up
EOF

rp4-4g$ ifconfig 
genet0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=0x1<VLAN_MTU>
        ec_enabled=0
        address: dc:a6:32:31:71:32
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::dea6:32ff:fe31:7132%genet0/64 flags 0 scopeid 0x1
        inet 10.0.0.5/16 broadcast 10.0.255.255 flags 0
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
        status: active
        inet6 ::1/128 flags 0x20<NODAD>
        inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
        inet 127.0.0.1/8 flags 0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
        status: active
        inet6 fe80::dea6:32ff:fe31:7132%wg0/64 flags 0 scopeid 0x3
        inet 10.1.0.5/16 flags 0
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Configure Debian as WireGuard client:

sudo aptitude install wireguard

Generate client private and public keys:
prv_key=$(wg genkey) &&
pub_key=$(echo ${prv_key:?} | wg pubkey) &&
echo "prv_key: ${prv_key}" &&
echo "pub_key: ${pub_key}" &&
unset prv_key pub_key

Manual config:
cat > /etc/network/interfaces.d/wg0 << 'EOF'
auto wg0
iface wg0 inet static
  address 10.1.0.6
  netmask 255.255.0.0
  pre-up ip link add $IFACE type wireguard
  pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
  #post-up ip route add 10.1.0.0/16 dev wg0
  post-down ip link del $IFACE
EOF

cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
PrivateKey = <base64 client private key>

[Peer]
Endpoint   = 10.0.0.5:51820
PublicKey  = <base64 server public key>
AllowedIPs = 10.1.0.5/32
EOF
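
Added example (not part of the original notes): a check for the files that hold a private key in the steps above, /etc/wireguard/wg0.prv on the NetBSD server and /etc/wireguard/wg0.conf on the Debian client. It reports group/other permission bits (what the umask 0077 step prevents) and a key that is missing or still a <base64 ...> placeholder. The script name wg-audit.sh and the function name check_wg_secret are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a file holding a WireGuard
# private key, either a bare key file (wg0.prv) or a wg0.conf with a
# "PrivateKey =" line. The key itself is never printed.

check_wg_secret() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: group/other bits set ($perms); fix with: chmod 600 $f"
        rc=1
    fi

    if grep -q '^\[Interface]' "$f"; then
        key=$(sed -n -e 's/[[:space:]]*$//' \
            -e 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$f" |
            head -n 1)
    else
        key=$(head -n 1 "$f")
    fi
    # A key is 32 bytes: 43 base64 characters plus one '=' pad.
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "$f: private key missing or still a placeholder"
        rc=1
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then
    # Real use, as root: sh wg-audit.sh /etc/wireguard/wg0.prv (or wg0.conf)
    for f in "$@"; do check_wg_secret "$f" || true; done
else
    # Constructed demo: dummy key (base64 of 32 zero bytes) in a temp dir.
    d=$(mktemp -d)
    dummy="$(printf '%043d' 0 | tr 0 A)="
    printf '[Interface]\nPrivateKey = %s\n' "$dummy" > "$d/wg0.conf"
    chmod 644 "$d/wg0.conf"    # what a heredoc under umask 0022 produces
    check_wg_secret "$d/wg0.conf" || echo "-> flagged"
    chmod 600 "$d/wg0.conf"
    check_wg_secret "$d/wg0.conf" && echo "-> clean after chmod 600"
    rm -rf "$d"
fi
```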


Network manager config (alternative to manual config):
Connection name: vpn-rp4-4g
Interface name : wg0
Private key    : XXX

Peers:
  Public key : XXX
  Allowed IPs: 10.1.0.5/32
  Endpoint   : 10.0.0.5:51820

IPv4 Settings:
  Method : Manual
  IP     : 10.1.0.2
  Netmask: 16
  Gateway: <empty>
--------------------------------------------------------------------------------
