system configuration/wireguard: suggest using NetworkManager #653
|
@@ -10,9 +10,16 @@ https://www.wireguard.com/[WireGuard] is a novel VPN that runs inside the Linux | |||||
|
||||||
FCOS has full support for WireGuard out of the box. This guide is going to demonstrate how to set up a single connection between a FCOS server and one client computer. It goes over the basic client configuration, but it does not cover installing WireGuard on your clients. | ||||||
|
||||||
There are two options to set up wireguard on FCOS: | ||||||
* Using [wg-quick](https://www.man7.org/linux/man-pages/man8/wg-quick.8.html). | ||||||
* Importing the Wireguard configuration in NetworkManager. | ||||||
|
||||||
== Generate Keys | ||||||
|
||||||
You will need to generate some keys to configure WireGuard. For this guide, the keys should be pre-generated on your workstation. First, let's create the FCOS WireGuard keys: | ||||||
You will need to generate some keys to configure WireGuard. | ||||||
You can generate the keys on your workstation or a running FCOS system. | ||||||
|
||||||
First, let's create the FCOS WireGuard keys: | ||||||
|
||||||
.Generate FCOS WireGuard keys | ||||||
[source,bash] | ||||||
|
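Review bot: the two new bullets link with Markdown syntax (`[wg-quick](https://www.man7.org/...)`) in an AsciiDoc page; the surrounding file uses AsciiDoc links such as `https://www.wireguard.com/[WireGuard]`, so write it as `https://www.man7.org/linux/man-pages/man8/wg-quick.8.html[wg-quick]` or the link will render literally. The added lines also spell the project `wireguard` and `Wireguard`; the rest of the guide uses `WireGuard`, so keep that form in "set up WireGuard on FCOS" and "Importing the WireGuard configuration in NetworkManager".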
@@ -34,7 +41,7 @@ $ wg genkey | tee privatekey | wg pubkey > publickey | |||||
|
||||||
These keys will be referenced as `client_one_public_key` and `client_one_private_key` from here on out in this guide. | ||||||
|
||||||
Now create a PresharedKey: | ||||||
You can optionnaly generate a pre-shared key to increase security: | ||||||
|
||||||
.Generate a Preshared key per peer pair | ||||||
[source,bash] | ||||||
|
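Review bot: `optionnaly` in the added sentence is a typo for `optionally`. Since the pre-shared key is now optional, the text should also say what to do when it is skipped: the `PresharedKey = <fcos_client_one_psk>` lines in both the server and client configs must then be removed, because a left-over placeholder or empty value is not a valid key and `wg` will refuse the file. It would help to state what the key adds, namely an extra symmetric secret mixed into the handshake on top of the public-key exchange (upstream's stated rationale is post-quantum resistance), so readers can judge whether "increase security" is worth the extra per-peer secret to distribute.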
@@ -69,19 +76,62 @@ storage: | |||||
[Peer] | ||||||
PublicKey = <client_one_public_key> | ||||||
PresharedKey = <fcos_client_one_psk> | ||||||
AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64 | ||||||
AllowedIPs = 192.168.71.2/32,fdc9:3c6b:21c7:e6bd::2/128 | ||||||
|
||||||
---- | ||||||
|
||||||
=== Import the wireguard configuration to NetworkManager | ||||||
|
||||||
You can import the configuration with a simple oneshot unit : | ||||||
[source,yaml,subs="attributes"] | ||||||
---- | ||||||
systemd: | ||||||
units: | ||||||
- name: import-wireguard-config.service | ||||||
Same idea with the names here:
|
||||||
enabled: true | ||||||
contents: | | ||||||
[Unit] | ||||||
ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection | ||||||
|
||||||
Description=Import wireguard configuration to NetworkManager | ||||||
[Service] | ||||||
Type=oneshot | ||||||
RemainAfterExit=yes | ||||||
ExecStart=nmcli connection import type wireguard file /etc/wireguard/wg0.conf | ||||||
|
||||||
[Install] | ||||||
WantedBy=multi-user.target | ||||||
---- | ||||||
|
||||||
NOTE: NetworkManager will ignore `PostUp` and `PostDown` directives in the wiregaurd config. | ||||||
If you have firewall configuration to apply, make sure to apply it with a separate unit, or manually. | ||||||
|
||||||
NOTE: If you need to make further changes to update Wireguard's configuration, delete the connection and re-import it from the updated configuration file. | ||||||
|
||||||
|
||||||
.Re-import updated Wireguard configuration on FCOS | ||||||
[source,bash] | ||||||
---- | ||||||
[core@wireguard-demo ~]$ sudo nmcli con delete wg0 && sudo nmcli con import type wireguard file /etc/wireguard/wg0.conf | ||||||
Connection 'wg0' (1e4f869e-f95c-4221-b2b9-99726ffde92b) successfully deleted. | ||||||
Connection 'wg0' (18cd8e61-1cc2-43a2-9f2e-467b75cd99da) successfully added. | ||||||
---- | ||||||
|
||||||
|
||||||
|
||||||
=== Using wg-quick | ||||||
|
||||||
[source,yaml,subs="attributes"] | ||||||
---- | ||||||
systemd: | ||||||
units: | ||||||
- name: [email protected] | ||||||
enabled: true | ||||||
---- | ||||||
|
||||||
NOTE: If you need to make further changes to Wireguard's configuration, reload the service with `systemctl reload [email protected]`. | ||||||
|
||||||
Boot FCOS and log in. When you run `sudo wg show` you should see this: | ||||||
|
||||||
.Check WireGuard configuration on FCOS | ||||||
[source,bash] | ||||||
---- | ||||||
[core@wireguard-demo ~]$ sudo wg show | ||||||
[core@wireguard-demo ~]# sudo wg show | ||||||
I think we have '$' for user shells and '#' for root ones
|
||||||
interface: wg0 | ||||||
public key: <fcos_public_key> | ||||||
private key: (hidden) | ||||||
|
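Review bot: the `[Unit]` block of `import-wireguard-config.service` has no ordering on NetworkManager, and `nmcli connection import` needs the NetworkManager daemon reachable over D-Bus; on first boot this oneshot can run before `NetworkManager.service` is up, fail, and because of `ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection` nothing retries until the next boot. Add `After=NetworkManager.service` and `Wants=NetworkManager.service` to `[Unit]`. Secondary points in the same region: the connection name `wg0` is hardcoded here (in `ConditionPathExists=` and the `nmcli` path) while the full example later in this PR uses a `%i` template unit, so the two should agree; `wiregaurd` in the NOTE is a typo; after the import the private key still sits in `/etc/wireguard/wg0.conf`, so the `storage:` entry should write that file with mode 0600, as the client instructions already require; and the prompt change to `[core@wireguard-demo ~]# sudo wg show` mixes a root `#` prompt with `sudo` as `core`, so the original `$` should stay.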
@@ -92,7 +142,7 @@ peer: <client_one_public_key> | |||||
endpoint: <Client IP Address>:51821 | ||||||
allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64 | ||||||
|
||||||
[root@wireguard-demo ~]# ip a s wg0 | ||||||
[core@wireguard-demo ~]# sudo ip a s wg0 | ||||||
|
||||||
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 | ||||||
link/none | ||||||
inet 192.168.71.1/24 scope global wg0 | ||||||
|
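Review bot: same prompt issue as in the previous hunk, `[core@wireguard-demo ~]# sudo ip a s wg0` should use `$` since the command runs as `core` through `sudo`. The unchanged context line `allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64` just above is also stale now: this PR narrows the client peer's `AllowedIPs` on the server to `192.168.71.2/32,fdc9:3c6b:21c7:e6bd::2/128`, so `sudo wg show` on the server will print those values; update the sample output to match.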
@@ -124,7 +174,8 @@ AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64 | |||||
|
||||||
NOTE: <FCOS IP address> is the IP or FQDN of the FCOS server. | ||||||
|
||||||
Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client. Run `sudo systemctl start [email protected]` and then check your configuration: | ||||||
Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client. | ||||||
Run `nmcli con import type wireguard file /etc/wireguard/wg0.conf` and then check your configuration: | ||||||
|
||||||
.Check WireGuard configuration on a client | ||||||
[source,bash] | ||||||
|
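Review bot: the new client step `Run nmcli con import type wireguard file /etc/wireguard/wg0.conf` drops `sudo`, but the sentence before it has the reader `chmod 0600` that file; if it is root-owned an unprivileged `nmcli` cannot read it (nmcli parses the file itself before handing the profile to NetworkManager), and the server examples in this PR already use `sudo nmcli`. Write it as `sudo nmcli con import type wireguard file /etc/wireguard/wg0.conf`. It would also help to repeat here, as the server section does, that `PostUp`/`PostDown` in the client file are ignored by NetworkManager.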
@@ -139,6 +190,7 @@ peer: <fcos_public_key> | |||||
preshared key: (hidden) | ||||||
endpoint: <FCOS IP address>:51820 | ||||||
allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64 | ||||||
|
||||||
[root@wireguard-client ~]# ip a s wg0 | ||||||
21: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000 | ||||||
link/none | ||||||
|
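Review bot: the only change here is an added blank line, which is fine, but the context `[root@wireguard-client ~]# ip a s wg0` keeps a root prompt while the server examples in this PR were switched to `core` with `sudo`; pick one style for the client outputs too so the `$`/`#` convention raised above holds across the guide.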
@@ -187,7 +239,6 @@ interface: wg0 | |||||
public key: <client_one_public_key> | ||||||
private key: (hidden) | ||||||
listening port: 51821 | ||||||
|
||||||
Let's
||||||
peer: <fcos_public_key> | ||||||
preshared key: (hidden) | ||||||
endpoint: <Client IP address>:51820 | ||||||
|
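Review bot: removing the blank line is fine, but the unchanged context below it, `endpoint: <Client IP address>:51820`, is inside the client's own `wg show` output (its interface carries `<client_one_public_key>` and listens on 51821), so the peer's endpoint should be `<FCOS IP address>:51820`, as the client output earlier in this file already shows. Pre-existing, but worth fixing while this block is being touched.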
@@ -237,8 +288,18 @@ storage: | |||||
AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64 | ||||||
systemd: | ||||||
units: | ||||||
- name: wg-quick@wg0.service | ||||||
- name: import-wireguard-config@wg0.service | ||||||
enabled: true | ||||||
contents: | | ||||||
[Unit] | ||||||
ConditionPathExists=!/etc/NetworkManager/system-connections/%i.nmconnection | ||||||
Description=Import wireguard configuration at %I to NetworkManager | ||||||
[Service] | ||||||
Type=oneshot | ||||||
RemainAfterExit=yes | ||||||
ExecStart=nmcli connection import type wireguard file /etc/wireguard/%i.conf | ||||||
[Install] | ||||||
WantedBy=multi-user.target | ||||||
---- | ||||||
|
||||||
NOTE: FCOS uses https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[predictable interface names] by https://lists.fedoraproject.org/archives/list/[email protected]/thread/6IPTZL57Z5NLBMPYMXNVSYAGLRFZBLIP/[default]. Please take care to use the correct interface name for your hardware in the above PostUp and PostDown commands! | ||||||
|
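Review bot: the closing NOTE (`Please take care to use the correct interface name ... in the above PostUp and PostDown commands!`) is contradicted by the switch from `wg-quick@wg0.service` to `import-wireguard-config@wg0.service`: this PR's own NOTE earlier states that NetworkManager ignores `PostUp` and `PostDown`, so any firewall rules in those directives will silently not be applied with this example; either drop that sentence or say that with the NetworkManager import the rules must live in a separate unit. The template unit also has the same ordering gap as the first one: add `After=NetworkManager.service` and `Wants=NetworkManager.service` under `[Unit]`. Finally, check whether the `AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64` context line at the top of this hunk is the server's entry for the client peer; if so it should be narrowed to `/32` and `/128` as the earlier hunk does.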