Funtoo:User Services/VPN Setup
We use WireGuard for our internal VPN. These steps will help you to connect to our VPN. WireGuard is really quite simple to use but does have a learning curve. Once you're up and running, you'll appreciate the fast, reliable experience. Let's get started!
Your first step is to emerge wireguard-tools:
root # emerge -av wireguard-tools
If you're using our sys-kernel/debian-sources kernel like a good, upstanding Funtoo citizen, then you already have the wireguard kernel modules available to load.
Before I can get you set up on the VPN, I need you to generate a public and private key. You will send the public key to me, and you'll keep the private key private. This can be done by running the following command:
root # wg genkey | tee private.key | wg pubkey > public.key
After running this command, please send me the contents of your
Now, create an /etc/wireguard/wg0.conf file with the following contents:
[Interface]
Address = 172.30.0.x/16 [IPv4/netmask I provide to you]
ListenPort = 56875
PrivateKey = [Your Private Key]
DNS = 172.19.0.3,22.214.171.124
MTU = 1280

[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
Endpoint = [Endpoint I Provide to you]
The recent addition of MTU = 1280 ensures that your connection to the VPN works over mobile/5G networks. WireGuard uses UDP, and this MTU avoids fragmentation, which can essentially prevent any non-trivial network traffic from flowing to/from the VPN. See this Google Fi Help thread for more details.
Make this file non-readable by anyone but root:
root # chmod go-rwx /etc/wireguard/wg0.conf
Really, you're now pretty much set up!
About the Funtoo Internal Network
Up above in wg0.conf, you'll see the line AllowedIPs = 172.16.0.0/12. This specifies the network that Funtoo has mapped for its VPN.
This is a special non-routable range of addresses, sort of close to the localhost address of 127.0.0.1, which consists of the IP addresses from 172.16.0.0 up through 172.31.255.254. All traffic for these addresses will be routed to the VPN.
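As an added check that is not part of the original page or Funtoo's tooling, the script below validates a wg0.conf of the shape shown above: both keys must be well-formed 32-byte base64 values, Address and every AllowedIPs entry must fall inside 172.16.0.0/12 (so only VPN traffic is routed through the tunnel), MTU must be set to at most 1280, and the file mode must have no group/other bits, as the chmod go-rwx step requires. The sample config, its dummy private key and the 172.30.0.7 address are constructed for the example; only the peer public key and the network values come from the page.

```python
import base64
import configparser
import ipaddress

FUNTOO_VPN_NET = ipaddress.ip_network("172.16.0.0/12")  # the AllowedIPs range on this page
MAX_MTU = 1280                                          # the MTU the page recommends

# Constructed sample: dummy PrivateKey (32 bytes of 0x01), the peer PublicKey from the page.
SAMPLE_CONF = """\
[Interface]
Address = 172.30.0.7/16
PrivateKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
MTU = 1280
[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
"""

def is_wg_key(value):
    try:  # a WireGuard key is exactly 32 bytes, base64-encoded (44 characters)
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def check_wg_conf(text, mode=None):
    # Returns the problems found (empty = looks sane); `mode` is os.stat().st_mode if known.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep WireGuard's CamelCase option names
    cfg.read_string(text)
    iface, peer = (cfg[s] if cfg.has_section(s) else {} for s in ("Interface", "Peer"))
    problems = []
    for sect, key in ((iface, "PrivateKey"), (peer, "PublicKey")):
        if not is_wg_key(sect.get(key, "")):
            problems.append(f"{key} is not a valid 32-byte base64 key")
    try:  # the client Address and every AllowedIPs entry must sit inside the VPN range
        addr = ipaddress.ip_interface(iface.get("Address", "")).ip
        nets = [ipaddress.ip_network(x.strip(), strict=False) for x in peer.get("AllowedIPs", "").split(",")]
        if addr not in FUNTOO_VPN_NET:
            problems.append(f"Address {addr} is outside {FUNTOO_VPN_NET}")
        for net in nets:  # anything wider would pull non-VPN traffic into the tunnel
            if net.version != 4 or not net.subnet_of(FUNTOO_VPN_NET):
                problems.append(f"AllowedIPs {net} is not inside {FUNTOO_VPN_NET}")
    except ValueError:
        problems.append("Address or AllowedIPs is missing or malformed")
    mtu = iface.get("MTU", "")
    if not mtu.isdigit() or int(mtu) > MAX_MTU:
        problems.append(f"MTU must be set and at most {MAX_MTU} for mobile/5G networks")
    if mode is not None and mode & 0o077:  # any group/other bits = private key readable by others
        problems.append("config is readable by group/others; run chmod go-rwx on it")
    return problems
```

To check the real file, pass the text of /etc/wireguard/wg0.conf together with os.stat(path).st_mode as `mode`.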
Starting the VPN
To start the VPN, you'll want to run this command after every boot:
root # wg-quick up wg0
You can then view network status by typing:
root # wg show
interface: wg0
  public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
  private key: (hidden)
  listening port: 56875

peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  endpoint: [VPN endpoint]
  allowed ips: 172.16.0.0/12
  latest handshake: 11 seconds ago
  transfer: 9.05 MiB received, 1.73 MiB sent
You can also bring down the VPN by typing wg-quick down wg0.
Cool Things About WireGuard
Here are some cool things you should know about WireGuard. When WireGuard is 'up', you can happily connect and reconnect to various Wi-Fi networks, and WireGuard will automatically and transparently re-establish connection to the VPN, generally with no apparent disruption to your connections. This is super handy on laptops and makes working with WireGuard a very pleasant experience.
Funtoo is running an internal DNS server, and all addresses ending in .funtoo are handled by this DNS server.
Also note that sometimes you may have an issue where DNS resolution fails on your local system, either for Funtoo addresses or for Internet addresses.
When you experience this, try changing the order of nameservers in /etc/resolv.conf. I am still trying to track down the source of this issue.
Reloading Server-Side Changes
This should be moved to the future WireGuard wiki page.
One handy way to reload services on the main system running WireGuard, if you have added new clients, is via the following snippet:
root # wg syncconf wg0 <(wg-quick strip wg0)
/etc/conf.d/netif.wg0 file with the following contents:
Now enable the interface:
root # cd /etc/init.d
root # ln -s netif.tmpl netif.wg0
root # rc-update add netif.wg0
To bring up the interface now:
root # /etc/init.d/netif.wg0 start