Funtoo:User Services/VPN Setup

Revision as of 21:56, April 11, 2022 by Coffnix

We use WireGuard for our internal VPN. These steps will help you to connect to our VPN. WireGuard is really quite simple to use but does have a learning curve. Once you're up and running, you'll appreciate the fast, reliable experience. Let's get started!

Initial Setup

Your first step is to emerge net-vpn/wireguard-tools:

root # emerge -av wireguard-tools

If you're using our sys-kernel/debian-sources kernel like a good, upstanding funtoo citizen, then you already have wireguard kernel modules available to load.

Before I can get you set up on the VPN, I need you to generate a key pair: a public key, which you will send to me, and a private key, which never leaves your machine. This can be done by running the following command:

root # wg genkey | tee private.key | wg pubkey > public.key

After running this command, please send me the contents of your public.key file. Both files are written to the current directory with your default umask, so make sure private.key is readable only by root, and never share it with anyone (including me).

Now, create an /etc/wireguard/wg0.conf file with the following contents:

   /etc/wireguard/wg0.conf
[Interface]
Address = 172.30.0.x/16 [IPv4/netmask I provide to you]
ListenPort = 56875
PrivateKey = [Your Private Key]
DNS = 172.19.0.3,1.1.1.1

[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
Endpoint = [Endpoint I Provide to you]

Make this file non-readable by anyone but root:

root # chmod go-rwx /etc/wireguard/wg0.conf

Really, you're now pretty much set up!
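The key generation, config file and chmod steps above can be tied together and verified in one go. The script below is an added example for this page, not Funtoo's own tooling: it writes a wg0.conf from the values the VPN admin hands you with a restrictive umask (so the private key is never briefly world-readable, which a chmod after the fact cannot guarantee), then checks the file the way a careful admin would before running wg-quick up. The sample key, address, endpoint and temporary path are constructed; the server public key and the fixed settings are the ones from the page.

```sh
#!/bin/sh
# Added example, not from the Funtoo page: build /etc/wireguard/wg0.conf from
# the values the VPN admin provides, and check that the result is safe to use.
# All paths, addresses and the private key below are constructed samples.

# 44-character base64 stand-in for a private key, so the check can run where
# wireguard-tools is not installed. A real key MUST come from `wg genkey`.
SAMPLE_PRIVATE_KEY=$(head -c 32 /dev/zero | base64 | tr -d '\n')

# write_wg_conf <path> <address/cidr> <private-key> <server-pubkey> <endpoint>
# umask 077 inside a subshell makes the file 0600 from the moment it exists.
write_wg_conf() {
    (
        umask 077
        printf '%s\n' \
            "[Interface]" \
            "Address = $2" \
            "ListenPort = 56875" \
            "PrivateKey = $3" \
            "DNS = 172.19.0.3,1.1.1.1" \
            "" \
            "[Peer]" \
            "PublicKey = $4" \
            "AllowedIPs = 172.16.0.0/12" \
            "Endpoint = $5" > "$1"
    )
}

# check_wg_conf <path>: returns 0 when the file is complete and private,
# 1 (with a reason on stdout) otherwise.
check_wg_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # file mode: GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$conf is mode $mode, should be 600 (chmod go-rwx)"; return 1 ;;
    esac
    # a bracketed value means a template placeholder was never filled in
    if grep -q '= \[' "$conf"; then
        echo "$conf still contains a [placeholder] value"; return 1
    fi
    # WireGuard keys are 32 bytes in base64: 43 characters plus one '='
    key='[A-Za-z0-9+/]\{43\}='
    for field in PrivateKey PublicKey; do
        grep -q "^$field = $key\$" "$conf" || { echo "$field missing or malformed"; return 1; }
    done
    for field in Address Endpoint AllowedIPs; do
        grep -q "^$field = ." "$conf" || { echo "$field missing"; return 1; }
    done
    echo "$conf looks good"
}

# Demo run in a scratch directory (constructed values; endpoint is a placeholder).
demo=$(mktemp -d)
write_wg_conf "$demo/wg0.conf" "172.30.0.7/16" "$SAMPLE_PRIVATE_KEY" \
    "ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=" "vpn.example.invalid:51820"
check_wg_conf "$demo/wg0.conf"
rm -rf "$demo"
```

For the real file, call write_wg_conf with /etc/wireguard/wg0.conf, the output of wg genkey, and the address and endpoint the admin gave you; check_wg_conf then confirms nothing was left as a placeholder and that the mode is 600 before the private key ever gets loaded into the kernel.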

About the Funtoo Internal Network

Up above in wg0.conf, you'll see the line AllowedIPs = 172.16.0.0/12. This specifies the network that Funtoo has mapped for its VPN. It is a private, non-routable range (easy to mistake at a glance for the localhost address 127.0.0.1, but unrelated to it) covering the IP addresses 172.16.0.1 to 172.31.255.254. All traffic for these addresses will be routed to the VPN; traffic to any other address is not, so this is a split tunnel and your ordinary Internet traffic bypasses it.
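To see concretely which addresses the AllowedIPs line sends through the tunnel, here is an added example (not from the Funtoo page) that does the /12 prefix arithmetic in plain POSIX sh. It generalises beyond the page's single case to any IPv4 CIDR block, and the addresses it tests are the ones mentioned on this page plus a couple of constructed neighbours just outside the range.

```sh
#!/bin/sh
# Added example, not from the Funtoo page: CIDR membership in POSIX sh, to
# show which destinations an AllowedIPs = 172.16.0.0/12 entry would route
# into the tunnel. Octets are parsed as decimal (no leading zeros).

ALL_ONES=4294967295   # 0xFFFFFFFF; keeps results in 32 bits on 64-bit shells

# ip_to_int "a.b.c.d" -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip <integer> -> "a.b.c.d"
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of <prefix-length> -> integer mask
netmask_of() {
    echo $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# in_cidr <ip> <network/prefix>: returns 0 when ip lies inside the block
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(netmask_of "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# cidr_range <network/prefix> -> "first-host-last-host"
cidr_range() {
    net=$(ip_to_int "${1%/*}")
    mask=$(netmask_of "${1#*/}")
    first=$(( (net & mask) + 1 ))
    last=$(( (net | (ALL_ONES & ~mask)) - 1 ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

echo "hosts covered by 172.16.0.0/12: $(cidr_range 172.16.0.0/12)"
# 172.30.0.7 stands in for the client address the admin assigns; 172.32.0.1
# and 172.15.255.255 are constructed addresses just outside the block.
for dst in 172.30.0.7 172.19.0.3 172.31.255.254 172.32.0.1 172.15.255.255 1.1.1.1; do
    if in_cidr "$dst" 172.16.0.0/12; then
        echo "$dst -> via VPN"
    else
        echo "$dst -> direct"
    fi
done
```

Note that the DNS server 172.19.0.3 falls inside the block while the fallback resolver 1.1.1.1 does not, which is why Funtoo name lookups can reach the internal server while everything else still goes out your normal uplink.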

Starting the VPN

To start the VPN, you'll want to run this command after every boot:

root # wg-quick up wg0

You can then view network status by typing:

root # wg show
interface: wg0
  public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
  private key: (hidden)
  listening port: 56875

peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  endpoint: [VPN endpoint]
  allowed ips: 172.16.0.0/12
  latest handshake: 11 seconds ago
  transfer: 9.05 MiB received, 1.73 MiB sent
root #

You can also bring down the VPN by typing wg-quick down wg0.
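The "latest handshake" line in wg show is the quickest sign of whether the tunnel is really up, since the interface stays "up" even when the peer has vanished. The script below is an added example for this page, not something Funtoo ships: it reads the machine-readable form of that information (wg show wg0 latest-handshakes prints one peer public key and Unix timestamp per line, 0 if no handshake has ever completed) and flags peers whose last handshake is older than a threshold. The 180-second threshold, the sample timestamps and the "now" value are assumptions; the peer key is the server key from wg0.conf above.

```sh
#!/bin/sh
# Added example, not part of the Funtoo page: decide from WireGuard's
# machine-readable handshake listing whether the tunnel is actually alive.
# `wg show wg0 latest-handshakes` prints "<peer-public-key><TAB><unix-time>"
# per peer; 0 means that peer has never completed a handshake. WireGuard
# renegotiates roughly every two minutes while traffic flows, so anything
# older than that means the peer is silent or the tunnel is down.
# STALE_AFTER is an assumed threshold for this example.

STALE_AFTER=180
TAB=$(printf '\t')

# tunnel_alive "<latest-handshakes output>" <now-as-unix-time>
# Prints one status line per peer; returns 0 only if every peer is fresh.
tunnel_alive() {
    listing=$1
    now=$2
    rc=0
    while IFS="$TAB" read -r peer ts; do
        [ -n "$peer" ] || continue
        if [ -z "$ts" ]; then
            echo "$peer: unparseable line"
            rc=1
        elif [ "$ts" -eq 0 ]; then
            echo "$peer: no handshake yet"
            rc=1
        elif [ $(( now - ts )) -gt "$STALE_AFTER" ]; then
            echo "$peer: last handshake $(( now - ts ))s ago (stale)"
            rc=1
        else
            echo "$peer: last handshake $(( now - ts ))s ago (ok)"
        fi
    done <<EOF
$listing
EOF
    return "$rc"
}

# Constructed sample: the server peer from wg0.conf, handshaking 11 seconds
# before a pretend "now", matching the wg show output above.
SAMPLE_NOW=1649712011
SAMPLE_LISTING=$(printf '%s\t%s' "ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=" 1649712000)

tunnel_alive "$SAMPLE_LISTING" "$SAMPLE_NOW"

# Live use on a host with wireguard-tools (hypothetical script name):
#   ./wg-alive.sh --live
if [ "${1:-}" = "--live" ] && command -v wg >/dev/null 2>&1; then
    tunnel_alive "$(wg show wg0 latest-handshakes)" "$(date +%s)"
fi
```

Run with --live from cron or a status bar and a non-zero exit tells you the VPN needs a wg-quick down wg0 / wg-quick up wg0 long before an application times out.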

Cool Things About WireGuard

Here are some cool things you should know about WireGuard. When WireGuard is 'up', you can happily connect and reconnect to various Wi-Fi networks, and WireGuard will automatically and transparently re-establish connection to the VPN, generally with no apparent disruption to your connections. This is super handy on laptops and makes working with WireGuard a very pleasant experience.

Funtoo DNS

Funtoo is running an internal DNS server and all addresses ending in .funtoo are handled by this DNS server.

Also note that sometimes you may have an issue where DNS resolution fails on your local system, either for Funtoo addresses or for Internet addresses. When you experience this, try changing the order of nameservers in /etc/resolv.conf. I am still trying to track down the source of this issue.

Reloading Server-Side Changes

   Note

This should be moved to the future WireGuard wiki page.

One handy way to apply a changed wg0.conf on the main system running WireGuard, for example after adding a new client's [Peer] section, without taking the interface down (which would interrupt every connected client) is via the following snippet. wg-quick strip removes the wg-quick-only settings (Address, DNS and the like) that wg itself does not understand, and wg syncconf then applies the remaining changes in place. Note that the <( ... ) process substitution is a bash feature, not plain sh:

root # wg syncconf wg0 <(wg-quick strip wg0)

Init Script

Create an /etc/netif.d/wireguard file with the following contents:

   /etc/netif.d/wireguard
#!/bin/sh
# Funtoo netif template. $interface is set by /etc/init.d/netif.tmpl from
# the name of the symlink that runs it (netif.wg0 -> wg0).

WG_QUICK="/usr/bin/wg-quick"

start() {
    if [ ! -x "${WG_QUICK}" ]; then
        echo "wg-quick binary not found. Did you emerge net-vpn/wireguard-tools?"
        exit 1
    fi
    if [ ! -f "/etc/wireguard/${interface}.conf" ]; then
        echo "Can't find /etc/wireguard/${interface}.conf. Please ensure this file exists."
        exit 1
    fi
    ebegin "Configuring wireguard interface ${interface}"
    # Drop the 2>/dev/null if you want wg-quick's own error messages in the boot log.
    "${WG_QUICK}" up "${interface}" 2>/dev/null
    eend $?
}

stop() {
    ebegin "Stopping wireguard interface ${interface}"
    "${WG_QUICK}" down "${interface}" 2>/dev/null
    eend $?
}

And create an /etc/conf.d/netif.wg0 file with the following contents:

   /etc/conf.d/netif.wg0
template=wireguard

To bring up the interface now:

root # cd /etc/init.d
root # ln -s netif.tmpl netif.wg0
root # rc-update add netif.wg0
root # /etc/init.d/netif.wg0 start