
system configuration/wireguard: suggest using NetworkManager #653

77 changes: 69 additions & 8 deletions modules/ROOT/pages/sysconfig-configure-wireguard.adoc
Expand Up @@ -10,9 +10,16 @@ https://www.wireguard.com/[WireGuard] is a novel VPN that runs inside the Linux

FCOS has full support for WireGuard out of the box. This guide is going to demonstrate how to set up a single connection between a FCOS server and one client computer. It goes over the basic client configuration, but it does not cover installing WireGuard on your clients.

There are two options to set up wireguard on FCOS:
* Using [wg-quick](https://www.man7.org/linux/man-pages/man8/wg-quick.8.html).
* Importing the Wireguard configuration in NetworkManager.

== Generate Keys

You will need to generate some keys to configure WireGuard. For this guide, the keys should be pre-generated on your workstation. First, let's create the FCOS WireGuard keys:
You will need to generate some keys to configure WireGuard.
You can generate the keys on your workstation or a running FCOS system.

First, let's create the FCOS WireGuard keys:

.Generate FCOS WireGuard keys
[source,bash]
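Review bot: the link on the wg-quick bullet uses Markdown syntax, `[wg-quick](https://www.man7.org/linux/man-pages/man8/wg-quick.8.html)`, but this file is AsciiDoc, so it will render literally; the WireGuard link at the top of the same hunk shows the expected form, `https://www.man7.org/linux/man-pages/man8/wg-quick.8.html[wg-quick]`. Asciidoctor also needs a blank line between the "There are two options" paragraph and the `*` list, otherwise the bullets are folded into the paragraph. Minor: "wireguard" and "Wireguard" in the new text should be "WireGuard", as elsewhere on the page.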
Expand All @@ -34,7 +41,7 @@ $ wg genkey | tee privatekey | wg pubkey > publickey

These keys will be referenced as `client_one_public_key` and `client_one_private_key` from here on out in this guide.

Now create a PresharedKey:
You can optionnaly generate a pre-shared key to increase security:

.Generate a Preshared key per peer pair
[source,bash]
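Review bot: "optionnaly" should be "optionally", and since the preshared key is now optional, the server and client configs later on the page still carry `PresharedKey = <fcos_client_one_psk>` unconditionally; a sentence saying to omit that line (and the `preshared key: (hidden)` line in the expected `wg show` output) when no PSK was generated would keep the two consistent. "to increase security" could also say what the PSK actually adds: an extra symmetric key mixed into the handshake on top of the Curve25519 key exchange.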
Expand Down Expand Up @@ -69,19 +76,62 @@ storage:
[Peer]
PublicKey = <client_one_public_key>
PresharedKey = <fcos_client_one_psk>
AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64
AllowedIPs = 192.168.71.2/32,fdc9:3c6b:21c7:e6bd::2/128
----

=== Import the wireguard configuration to NetworkManager

You can import the configuration with a simple oneshot unit :
[source,yaml,subs="attributes"]
----
systemd:
units:
- name: import-wireguard-config.service
Same idea with the names here:

Suggested change
- name: import-wireguard-config.service
- name: import-wireguard-config@wg0.service

enabled: true
contents: |
[Unit]
ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection
Suggested change
ConditionPathExists=!/etc/NetworkManager/system-connections/wg0.nmconnection
ConditionPathExists=!/etc/NetworkManager/system-connections/%i.nmconnection

Description=Import wireguard configuration to NetworkManager
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=nmcli connection import type wireguard file /etc/wireguard/wg0.conf
Suggested change
ExecStart=nmcli connection import type wireguard file /etc/wireguard/wg0.conf
ExecStart=nmcli connection import type wireguard file /etc/wireguard/%i.conf

[Install]
WantedBy=multi-user.target
----

NOTE: NetworkManager will ignore `PostUp` and `PostDown` directives in the wiregaurd config.
If you have firewall configuration to apply, make sure to apply it with a separate unit, or manually.

NOTE: If you need to make further changes to update Wireguard's configuration, delete the connection and re-import it from the updated configuration file.

.Re-import updated Wireguard configuration on FCOS
[source,bash]
----
[core@wireguard-demo ~]$ sudo nmcli con delete wg0 && sudo nmcli con import type wireguard file /etc/wireguard/wg0.conf
Connection 'wg0' (1e4f869e-f95c-4221-b2b9-99726ffde92b) successfully deleted.
Connection 'wg0' (18cd8e61-1cc2-43a2-9f2e-467b75cd99da) successfully added.
----


=== Using wg-quick

[source,yaml,subs="attributes"]
----
systemd:
units:
- name: [email protected]
enabled: true
----

NOTE: If you need to make further changes to Wireguard's configuration, reload the service with `systemctl reload [email protected]`.

Boot FCOS and log in. When you run `sudo wg show` you should see this:

.Check WireGuard configuration on FCOS
[source,bash]
----
[core@wireguard-demo ~]$ sudo wg show
[core@wireguard-demo ~]# sudo wg show
I think we have '$' for user shells and '#' for root ones

Suggested change
[core@wireguard-demo ~]# sudo wg show
[core@wireguard-demo ~]$ sudo wg show

interface: wg0
public key: <fcos_public_key>
private key: (hidden)
Expand All @@ -92,7 +142,7 @@ peer: <client_one_public_key>
endpoint: <Client IP Address>:51821
allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64

[root@wireguard-demo ~]# ip a s wg0
[core@wireguard-demo ~]# sudo ip a s wg0
Suggested change
[core@wireguard-demo ~]# sudo ip a s wg0
[core@wireguard-demo ~]$ sudo ip a s wg0

12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.71.1/24 scope global wg0
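Review bot: the `import-wireguard-config.service` unit in this hunk has no ordering or dependency on NetworkManager, yet `nmcli connection import` needs the daemon to be running; add `After=NetworkManager.service` and `Requires=NetworkManager.service` (or `Wants=`) under `[Unit]`, otherwise the oneshot can race NetworkManager on first boot, and because the unit is `RemainAfterExit=yes` with a `ConditionPathExists` guard, a failed first run will not simply be retried later. Two smaller points in the same hunk: "wiregaurd" in the first NOTE should be "WireGuard", and there is a double blank line before `=== Using wg-quick`. The wg-quick subsection would also benefit from one sentence saying what enabling the unit does (bring up the interface from `/etc/wireguard/wg0.conf` at boot), since it now contains only the unit snippet.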
Expand Down Expand Up @@ -124,7 +174,8 @@ AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64

NOTE: <FCOS IP address> is the IP or FQDN of the FCOS server.

Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client. Run `sudo systemctl start [email protected]` and then check your configuration:
Write the above config to `/etc/wireguard/wg0.conf` and `chmod 0600 /etc/wireguard/wg0.conf` on your client.
Run `nmcli con import type wireguard file /etc/wireguard/wg0.conf` and then check your configuration:

.Check WireGuard configuration on a client
[source,bash]
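Review bot: the client step now gives only `nmcli con import type wireguard file /etc/wireguard/wg0.conf`, which assumes the client runs NetworkManager, while the intro added in this PR says there are two ways to set WireGuard up; either keep the wg-quick alternative here as well (starting `wg-quick@wg0.service`, as the removed line did) or state explicitly that the client instructions assume NetworkManager.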
Expand All @@ -139,6 +190,7 @@ peer: <fcos_public_key>
preshared key: (hidden)
endpoint: <FCOS IP address>:51820
allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64

[root@wireguard-client ~]# ip a s wg0
21: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
Expand Down Expand Up @@ -187,7 +239,6 @@ interface: wg0
public key: <client_one_public_key>
private key: (hidden)
listening port: 51821

@travier travier Jul 2, 2025
Let's keep this one for readability?

peer: <fcos_public_key>
preshared key: (hidden)
endpoint: <Client IP address>:51820
Expand Down Expand Up @@ -237,8 +288,18 @@ storage:
AllowedIPs = 192.168.71.0/24,fdc9:3c6b:21c7:e6bd::/64
systemd:
units:
- name: wg-quick@wg0.service
- name: import-wireguard-config@wg0.service
enabled: true
contents: |
[Unit]
ConditionPathExists=!/etc/NetworkManager/system-connections/%i.nmconnection
Description=Import wireguard configuration at %I to NetworkManager
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=nmcli connection import type wireguard file /etc/wireguard/%i.conf
[Install]
WantedBy=multi-user.target
----

NOTE: FCOS uses https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[predictable interface names] by https://lists.fedoraproject.org/archives/list/[email protected]/thread/6IPTZL57Z5NLBMPYMXNVSYAGLRFZBLIP/[default]. Please take care to use the correct interface name for your hardware in the above PostUp and PostDown commands!
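Review bot: the closing NOTE still tells the reader to fix the interface name "in the above PostUp and PostDown commands", but this hunk switches the full example from `wg-quick@wg0.service` to the NetworkManager import unit, and the note added earlier in this PR says NetworkManager ignores `PostUp` and `PostDown`; either drop those directives and this reference from the full example, or reword the note to say the firewall rules must go in a separate unit. The `import-wireguard-config@.service` template here also lacks `After=NetworkManager.service` and `Requires=NetworkManager.service`, the same gap as the single-instance unit above.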