Difference between revisions of "Funtoo:User Services/VPN Setup"

From Funtoo
 
Latest revision as of 19:36, October 27, 2022

We use WireGuard for our internal VPN. These steps will help you to connect to our VPN. WireGuard is really quite simple to use but does have a learning curve. Once you're up and running, you'll appreciate the fast, reliable experience. Let's get started!

Initial Setup

Your first step is to emerge net-vpn/wireguard-tools:

root # emerge -av wireguard-tools

If you're using our sys-kernel/debian-sources kernel like a good, upstanding Funtoo citizen, then you already have the wireguard kernel module available to load (WireGuard has been part of the mainline kernel since 5.6).

Before I can get you set up on the VPN, I need you to generate a public and private key. You will send the public key to me, and you'll keep the private key private. Run the following command; the umask 077 in the subshell ensures that private.key is created readable only by root instead of with your default umask:

root # (umask 077; wg genkey | tee private.key | wg pubkey > public.key)

After running this command, please send me the contents of your public.key file. Only the public key ever needs to leave your machine.

Now, create an /etc/wireguard/wg0.conf file with the following contents:

   /etc/wireguard/wg0.conf
[Interface]
Address = 172.30.0.x/16 [IPv4/netmask I provide to you]
ListenPort = 56875
PrivateKey = [Your Private Key]
DNS = 172.19.0.3,1.1.1.1
MTU = 1280

[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
Endpoint = [Endpoint I Provide to you]
   Important

The recent addition of MTU = 1280 will ensure that your connection to the VPN will work over mobile/5G networks. WireGuard uses UDP, and this MTU avoids fragmentation which can essentially prevent non-trivial network traffic from flowing to/from the VPN. See this Google Fi Help thread for more details.

Make this file non-readable by anyone but root, since it contains your private key:

root #  chmod go-rwx /etc/wireguard/wg0.conf

Really, you're now pretty much set up!
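The initial setup above, collected into one script. This is an added example and not part of the Funtoo wiki page or of wireguard-tools: it checks that a key is well-formed (32 bytes, base64-encoded to 44 characters), writes wg0.conf under a 077 umask so the private key is never world-readable even briefly, and verifies the resulting mode. The Address and Endpoint are placeholders for the values provided to you; the peer public key is the one from the page; stat -c and base64 -d are GNU coreutils, as found on Funtoo.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page: keypair generation and
# wg0.conf rendering with the file permissions the page asks for.
# Assumptions: GNU coreutils (base64, stat -c); wireguard-tools for gen_keys.
set -eu

# Peer public key of the Funtoo VPN server, as given on the page.
FUNTOO_PEER_PUBKEY='ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U='

# A WireGuard key is 32 random bytes, base64-encoded to exactly 44 chars.
# Returns 0 if $1 has that shape and decodes to 32 bytes, 1 otherwise.
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Generate private.key/public.key ($1/$2) with mode 0600 from the start:
# the umask is set in a subshell so it does not leak into the caller.
gen_keys() {
    ( umask 077; wg genkey | tee "$1" | wg pubkey > "$2" )
}

# Render the client config the page describes into $4 (mode 0600).
# $1 Address (IPv4/netmask you were given), $2 Endpoint (host:port you
# were given), $3 your private key.
render_wg0_conf() {
    address=$1 endpoint=$2 privkey=$3 out=$4
    wg_key_valid "$privkey" || { echo "refusing to write: malformed private key" >&2; return 1; }
    (
        umask 077
        cat > "$out" <<EOF
[Interface]
Address = $address
ListenPort = 56875
PrivateKey = $privkey
DNS = 172.19.0.3,1.1.1.1
MTU = 1280

[Peer]
PublicKey = $FUNTOO_PEER_PUBKEY
AllowedIPs = 172.16.0.0/12
Endpoint = $endpoint
EOF
    )
    # umask only affects newly created files; make sure a pre-existing
    # file ends up with the same mode chmod go-rwx would give it.
    chmod 600 "$out"
}

# Returns 0 if nobody but the owner can read $1 (the check behind chmod go-rwx).
conf_is_private() {
    case $(stat -c '%a' "$1") in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

Typical use as root: gen_keys private.key public.key, send public.key to the administrator, then render_wg0_conf with the Address and Endpoint you receive, and finally conf_is_private /etc/wireguard/wg0.conf before wg-quick up.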

About the Funtoo Internal Network

Up above in wg0.conf, you'll see the line AllowedIPs = 172.16.0.0/12. This specifies the network that Funtoo has mapped for its VPN. 172.16.0.0/12 is one of the RFC 1918 private (non-Internet-routable) ranges and covers the addresses 172.16.0.0 through 172.31.255.255; it has nothing to do with the loopback address 127.0.0.1, and addresses such as 172.0.0.1 or 172.32.0.1 fall outside it. With wg-quick, all traffic to addresses in this range is routed through the VPN interface, and WireGuard will only accept decrypted packets from the peer whose inner source address lies within it.
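To make the boundaries of that range concrete, here is a small shell routine (added here, not part of the Funtoo page) that decides whether an IPv4 address falls inside an AllowedIPs prefix using only shell arithmetic. It generalizes to any prefix; routed_via_funtoo_vpn is a wrapper for the page's 172.16.0.0/12.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki: is an IPv4 address inside
# AllowedIPs = 172.16.0.0/12, i.e. would wg-quick route it through wg0?
set -eu

# Convert a dotted quad to a 32-bit integer; returns 1 on malformed input.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Returns 0 if $1 is inside network $2 with prefix length $3 (bits),
# 1 if outside, 2 if either address is malformed.
in_cidr() {
    ip=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "$2") || return 2
    bits=$3
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The page's range: 172.16.0.0 .. 172.31.255.255. Note that 172.0.0.1 and
# 172.32.0.0 are outside it, and loopback 127.0.0.1 is unrelated.
routed_via_funtoo_vpn() {
    in_cidr "$1" 172.16.0.0 12
}
```

For example, routed_via_funtoo_vpn 172.19.0.3 (the Funtoo DNS server) succeeds, while routed_via_funtoo_vpn 1.1.1.1 (the fallback public resolver) fails, which is why the second resolver in the DNS line is reached over your normal uplink rather than the tunnel.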

Starting the VPN

To start the VPN, run this command after every boot (or see OpenRC Startup below to have it started automatically):

root # wg-quick up wg0

You can then view network status by typing:

root # wg show
interface: wg0
  public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
  private key: (hidden)
  listening port: 56875

peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  endpoint: [VPN endpoint]
  allowed ips: 172.16.0.0/12
  latest handshake: 11 seconds ago
  transfer: 9.05 MiB received, 1.73 MiB sent
root #

You can also bring down the VPN by typing wg-quick down wg0.

Cool Things About WireGuard

Here are some cool things you should know about WireGuard. When WireGuard is 'up', you can happily connect and reconnect to various Wi-Fi networks, and WireGuard will automatically and transparently re-establish connection to the VPN, generally with no apparent disruption to your connections. This is super handy on laptops and makes working with WireGuard a very pleasant experience.

Funtoo DNS

Funtoo is running an internal DNS server and all addresses ending in .funtoo are handled by this DNS server.

Also note that sometimes you may have an issue where DNS resolution fails on your local system, either for Funtoo addresses or for Internet addresses. When you experience this, try changing the order of nameservers in /etc/resolv.conf. I am still trying to track down the source of this issue.

Reloading Server-Side Changes

   Note

This should be moved to the future WireGuard wiki page.

One handy way to reload the configuration on the main system running WireGuard, if you have added new clients, is via the following snippet. wg syncconf applies only the differences against the running configuration, so existing peer sessions are not torn down the way a wg-quick down/up would; wg-quick strip removes the wg-quick-only keys (Address, DNS, MTU and friends) that wg(8) itself would reject. The <(...) is bash process substitution, so run this from bash:

root # wg syncconf wg0 <(wg-quick strip wg0)

OpenRC Startup

Create an /etc/conf.d/netif.wg0 file with the following contents:

   /etc/conf.d/netif.wg0
template=wireguard

Now enable the interface so it starts at boot, and bring it up immediately:

root # cd /etc/init.d
root # ln -s netif.tmpl netif.wg0
root # rc-update add netif.wg0
root # /etc/init.d/netif.wg0 start