Aug 18 2022
 

NOTE: I wrote this, got stuck, then went a slightly different direction:

  • I stopped using wg set
  • Instead, I updated the configuration files directly
  • I was not satisfied with the wg approach
  • Although it is great for modifying things on the fly, I don’t think it helps novices learn Wireguard

I’m leaving it here anyway. Please use Creating a wireguard connection between my home and colo instead.

None of these keys/IP addresses are now in use.

My first attempt

For years I’ve run the dev, test, and stage nodes for FreshPorts off servers in my basement. This meant that those hostnames have always pointed at my home IP address. I’d like to change that.

Why? Nobody needs to know my home IP address. It’s a static IP, and keeping a hostname pointed there is not difficult, but sometimes it does mess up, if only briefly.

What will I do instead?

I will use a server in a colo. The hostnames will point at that server. Let’s call it my portal. I will configure Nginx on the portal to relay to my home servers. The connection between the portal and my basement will be maintained by the server at home and Wireguard will be involved.

In this post:

  • FreeBSD 13.1-RELEASE
  • net/wireguard-go: 0.0.20220316_4,1
  • wireguard-tools: 1.0.20210914_1
  • Simple and Secure VPN in FreeBSD – Introducing WireGuard
  • portal.int.example.org – 10.0.0.51 – the IP address on the portal which is part of my home network. This is the server.
  • slocum-portal.int.example.org – 10.0.0.59 – the IP address on my home internal network which will be connected to the portal. This is the client.

The portal configuration

First, I installed wireguard-go and wireguard-tools.

I created the keys for the server

[r720-02 root /usr/local/etc/wireguard] # (umask 0077; wg genkey > server.key)
[r720-02 root /usr/local/etc/wireguard] # ls -l
total 1
-rw-------  1 root  wheel  45 Aug 15 16:41 server.key
[r720-02 root /usr/local/etc/wireguard] # wg pubkey < server.key
ABC[redacted]DEF=

Next, create a wireguard interface:

[r720-02 root /usr/local/etc/wireguard] # wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘

Oh, umm, well, wtf? Try again?

[r720-02 root /usr/local/etc/wireguard] # wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
ERROR: (wg0) 2022/08/15 16:45:39 Failed to create TUN device: interface wg0 already exists
[r720-02 root /usr/local/etc/wireguard] # 

Oh well, why not tell us that the first time? Let us know that it was created.

[r720-02 root /usr/local/etc/wireguard] # ifconfig wg0
wg0: flags=8002 metric 0 mtu 1420
	options=80000
	groups: tun
	nd6 options=109
	Opened by PID 9264
[r720-02 root /usr/local/etc/wireguard] # 

Configure the interface to have an IP address in the private network:

[r720-02 root /usr/local/etc/wireguard] # ifconfig wg0 inet 10.0.0.51/24 10.0.0.51

Route traffic for that network into the wireguard interface. Assigning the 10.0.0.51/24 address above already installed this connected route, which is why the kernel reports it as already in the table:

[r720-02 root /usr/local/etc/wireguard] # route add 10.0.0.0/24 -interface wg0
add net 10.0.0.0: gateway wg0 fib 0: route already in table
[r720-02 root /usr/local/etc/wireguard] # 

Assign the private key and the listen port (444 here, rather than the conventional 51820). Note that wg set takes the private key as a path to the key file, not the key itself:

[r720-02 root /usr/local/etc/wireguard] # wg set wg0 private-key ./server.key listen-port 444

Take it down, and bring it back up, then see what we have:

[r720-02 root /usr/local/etc/wireguard] # ifconfig wg0 down
[r720-02 root /usr/local/etc/wireguard] # ifconfig wg0 up  
[r720-02 root /usr/local/etc/wireguard] # ifconfig wg0 
wg0: flags=8043 metric 0 mtu 1420
	options=80000
	inet 10.0.0.51 netmask 0xffffff00 broadcast 10.0.0.51
	groups: tun
	nd6 options=109
	Opened by PID 9264
[r720-02 root /usr/local/etc/wireguard] # 

Not shown, because we don't have the data yet, is the assigning of the peers which are allowed to contact the portal.

Client side

Install:

[slocum dan ~] % sudo pkg install wireguard-go wireguard-tools

Create the keys:

[slocum root /usr/local/etc/wireguard] # (umask 0077; wg genkey > client.key)

Configure the interface:

[slocum root /usr/local/etc/wireguard] # wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[slocum root /usr/local/etc/wireguard] # ifconfig wg0
wg0: flags=8002 metric 0 mtu 1420
	options=80000
	groups: tun
	nd6 options=109
	Opened by PID 52117
[slocum root /usr/local/etc/wireguard] # 

Now I give the client wireguard interface the client IP address I want to use:

[r720-01 root /usr/local/etc/wireguard] # ifconfig wg0 inet 10.0.0.59/24 10.0.0.59
[r720-01 root /usr/local/etc/wireguard] # ifconfig wg0                              
wg0: flags=8043 metric 0 mtu 1420
	options=80000
	inet 10.0.0.59 netmask 0xffffff00 broadcast 10.0.0.59
	groups: tun
	nd6 options=109
	Opened by PID 81163
[r720-01 root /usr/local/etc/wireguard] # 

Save your configuration

If wireguard-go stops, the interface goes with it and everything set on it with ifconfig and wg set is lost.

Here is me saving that configuration. The empty file has to exist first because wg-quick save refuses to run against a missing config file. The saved file contains the private key, so check with ls -l afterwards that it is readable by root only.

[r720-02 dan ~] % sudo touch /usr/local/etc/wireguard/wg0.conf
[r720-02 dan ~] % sudo wg-quick save wg0

I also needed to do this, because I wanted forwarding enabled:

sudo sysrc gateway_enable="YES"

That rc.conf setting takes effect at boot; the value the running kernel uses right now is the net.inet.ip.forwarding sysctl, which is the thing to check before expecting packets to be relayed.
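The peer assignment the post leaves out, as an added example that is not part of the original post or of the WireGuard project: a POSIX sh script that writes both sides' wg0.conf in the wg-quick file form (the approach the note at the top of the post prefers) and prints the equivalent wg set commands for the live-interface approach used above. The addresses and the listen port follow the post. The portal's public DNS name portal.example.org, the AllowedIPs split (the portal reaches the whole home /24 through slocum, matching the route added above) and the placeholder keys in the demo are assumptions; on the real hosts the keys come from the wg genkey / wg pubkey steps shown earlier.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes a wg-quick style
# wg0.conf for each side and prints the "wg set ... peer ..." equivalents.
# Assumed: portal.example.org as the portal's public name, and that the
# portal routes the whole home 10.0.0.0/24 through slocum.

# is_wg_key KEY: true if KEY has the shape of a WireGuard key
# (32 bytes base64: 44 chars, one '=' of padding, last data char with
# its low two bits clear)
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# write_conf PATH CONTENT: create PATH root-only (0600) before writing,
# because it holds a private key. Creates a new file; an existing file
# would keep its old mode, so never pre-create it with a loose umask.
write_conf() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# server_conf SERVER_PRIVKEY CLIENT_PUBKEY: the portal (colo) side
server_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.51/24
ListenPort = 444

[Peer]
# slocum at home: traffic for the home /24 goes to it, and only
# source addresses inside that /24 are accepted from it
PublicKey = $2
AllowedIPs = 10.0.0.0/24
EOF
}

# client_conf CLIENT_PRIVKEY SERVER_PUBKEY: the home (slocum) side
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.59/24

[Peer]
# the portal: slocum initiates and keeps the UDP path open from home
PublicKey = $2
Endpoint = portal.example.org:444
AllowedIPs = 10.0.0.51/32
PersistentKeepalive = 25
EOF
}

# peer_cmds SERVER_PUBKEY CLIENT_PUBKEY: the same [Peer] sections as live
# "wg set" commands, to run before "wg-quick save wg0"
peer_cmds() {
    cat <<EOF
# on the portal:
wg set wg0 peer $2 allowed-ips 10.0.0.0/24
# on slocum:
wg set wg0 peer $1 endpoint portal.example.org:444 allowed-ips 10.0.0.51/32 persistent-keepalive 25
EOF
}

# gen_confs DIR SERVER_PRIV SERVER_PUB CLIENT_PRIV CLIENT_PUB: validate the
# four keys, then write DIR/portal-wg0.conf and DIR/slocum-wg0.conf
gen_confs() {
    for k in "$2" "$3" "$4" "$5"; do
        is_wg_key "$k" || { echo "malformed WireGuard key: $k" >&2; return 1; }
    done
    write_conf "$1/portal-wg0.conf" "$(server_conf "$2" "$5")"
    write_conf "$1/slocum-wg0.conf" "$(client_conf "$4" "$3")"
}

# Stand-alone demo: sh wgconf.sh demo /tmp/wgdemo
# The keys below are constructed placeholders of the right shape, not real keys.
if [ "${1:-}" = demo ] && [ -n "${2:-}" ]; then
    mkdir -p "$2"
    gen_confs "$2" "$(printf 'S%042d=' 0)" "$(printf 'T%042d=' 0)" \
                   "$(printf 'U%042d=' 0)" "$(printf 'V%042d=' 0)" && ls -l "$2"
    peer_cmds "$(printf 'T%042d=' 0)" "$(printf 'V%042d=' 0)"
fi
```

On the hosts themselves the private keys are the contents of the server.key and client.key files created earlier and the public keys are the output of wg pubkey, so each side's file is written with its own private key and the other side's public key; the generated file goes to /usr/local/etc/wireguard/wg0.conf, where wg-quick up wg0 reads it. The key check matters because wg silently accepts a truncated base64 string pasted from a terminal as long as it decodes.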