Jack Moore

Email: jack(at)jmoore53.com

Wireguard Server & Client with Upgrades

19 Apr 2020 » wireguard, dns, bind, vpn, system administration, config, server, mac, launchctl, launch, startup

The first VPN post got me up and running. This one dives into DNS and more of the WireGuard specifics such as AllowedIPs and a more custom configuration.

Wireguard Config

~/.wg-conf/client.conf

[Interface]
Address = 192.168.2.2/32
PrivateKey = ['CLIENT_PRIVATE_KEY']
DNS = 192.168.2.1

[Peer]
PublicKey = ['SERVER_PUBLIC_KEY']
Endpoint = ['SERVER_IP_ADDRESS']:54321
AllowedIPs = 192.168.2.1/32, 192.168.2.0/24

Additions between the last version and this one:

  • DNS = 192.168.2.1
  • AllowedIPs = 192.168.2.1/32, 192.168.2.0/24

DNS

Right now I have a BIND server running on the same server I am running the WireGuard server from. With the line DNS = 192.168.2.1, I can make nslookup calls from any client and the server answers the DNS request.

I have the client configuration set up to use the VPN server as the client's DNS server. The server is able to look up both internal and external names because the DNS server has forwarding configured.

AllowedIPs

I was quite confused by the AllowedIPs line at first, but after reading some basic documentation the meaning became quite clear.

From the documentation:

The keyword allowed-ips is a list of addresses that peer A will be able to send traffic to; allowed-ips 0.0.0.0/0 would allow sending traffic to any IPv4 address, ::/0 allows sending traffic to any IPv6 address.

Also, I completely forgot my networking basics: a /32 is a single address, and using a /24 lets me point at a whole network. This now means I am able to ping any address on 192.168.2.0/24 that is connected to the VPN.

I allocated a /24 (256 addresses) network because I don't see myself using any more than that. Even with family and friends' servers connected to the network there's no way I hit the 256 limit.
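As an added example, not code from the original post: a small Python script that parses the client.conf above and applies WireGuard's cryptokey-routing rule (a packet goes to the peer whose AllowedIPs entry has the longest matching prefix, and does not enter the tunnel at all if no entry matches) to answer the questions raised in the DNS and AllowedIPs sections: is 192.168.2.1 reachable through the tunnel, does Internet traffic stay outside it, and how many addresses does a /24 hold. It goes beyond the post by also flagging redundant AllowedIPs entries and detecting a full-tunnel (0.0.0.0/0 or ::/0) configuration. The embedded config is a constructed copy of the one above with placeholder keys and endpoint, and the function names are my own.

```python
"""Parse a WireGuard client.conf and reason about its AllowedIPs (cryptokey routing)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample based on the client.conf in the post; keys and endpoint are
# placeholders, not real values.
SAMPLE_CONF = """
[Interface]
Address = 192.168.2.2/32
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 192.168.2.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = SERVER_IP_PLACEHOLDER:54321
AllowedIPs = 192.168.2.1/32, 192.168.2.0/24
"""


def parse_wg_conf(text: str) -> Dict[str, object]:
    """Minimal INI-style parser: one Interface dict plus a list of Peer dicts.
    configparser is avoided because a config may contain several [Peer] sections."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or missing '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return {"Interface": interface, "Peers": peers}


def allowed_networks(peer: Dict[str, str]) -> List:
    """AllowedIPs of one peer as ip_network objects (comma separated, v4 and/or v6)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in peer.get("AllowedIPs", "").split(",") if item.strip()]


def peer_for_destination(conf: Dict[str, object], destination: str) -> Optional[Dict[str, str]]:
    """The peer WireGuard would send a packet to: longest-prefix match over every
    peer's AllowedIPs. None means the packet never enters the tunnel."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in conf["Peers"]:
        for net in allowed_networks(peer):
            if dest.version == net.version and dest in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def redundant_allowed_ips(peer: Dict[str, str]) -> List[str]:
    """Entries already covered by a broader entry of the same peer (a /32 inside a /24).
    Harmless to WireGuard, but they obscure what the config actually permits."""
    nets = allowed_networks(peer)
    return [str(n) for n in nets
            if any(o is not n and o.version == n.version and o.prefixlen < n.prefixlen
                   and n.subnet_of(o) for o in nets)]


def is_full_tunnel(peer: Dict[str, str]) -> bool:
    """True when AllowedIPs carries a default route (0.0.0.0/0 or ::/0), i.e. all
    traffic of that address family is sent through this peer."""
    return any(net.prefixlen == 0 for net in allowed_networks(peer))


def address_count(cidr: str) -> int:
    """Number of addresses in a CIDR block (a /24 holds 256, a /32 holds 1)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    server = conf["Peers"][0]
    dns = conf["Interface"]["DNS"]
    print(f"DNS server {dns} reachable through tunnel:", peer_for_destination(conf, dns) is server)
    print("8.8.8.8 goes through tunnel:", peer_for_destination(conf, "8.8.8.8") is not None)
    print("redundant AllowedIPs:", redundant_allowed_ips(server))
    print("full tunnel:", is_full_tunnel(server))
    print("/24 holds", address_count("192.168.2.0/24"), "addresses")
```

Run it as-is to check the sample, or pass the contents of your own client.conf to parse_wg_conf. Two things it shows about the config above: 192.168.2.1/32 adds nothing because 192.168.2.0/24 already covers it, and since there is no 0.0.0.0/0 entry only the VPN subnet (the DNS server included) uses the tunnel; everything else leaves the machine over its normal route.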

MacOS LaunchCTL

I had an earlier post using launchctl, related to OSXFuse. This uses a similar launchctl process, but this time the script needs to run as the root user.

~/Library/LaunchAgents is run as the user, whereas the /Library/LaunchAgents directory is run as root.

sudo chown root /Library/LaunchAgents/vpn-connection.plist
sudo chown root /Library/LaunchAgents/vpn-connection.sh
sudo launchctl load /Library/LaunchAgents/vpn-connection.plist

vpn-connection.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>local.vpn-connection.plist</string>
        <key>Program</key>
        <string>/Library/LaunchAgents/vpn-connection.sh</string>
        <key>RunAtLoad</key>
        <true/>
    </dict>
</plist>

vpn-connection.sh

#!/bin/sh
/usr/local/bin/wg-quick up /Users/Jack/.wg-conf/client.conf
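As an added check that is not part of the original post: a Python script that audits the job file and the script it launches before launchctl loads them. Because the script runs as root at every boot, a file that another user could modify would hand that user root; the audit applies the rule launchd itself enforces on job files under /Library (owned by root, not writable by group or others) to both files, and also confirms the plist has a Label, an absolute Program path, RunAtLoad set and that the program is executable. The embedded plist is a constructed copy of vpn-connection.plist above; Python 3's standard plistlib is assumed, and the function names are my own.

```python
"""Audit a launchd job file and the program it runs before loading it as root."""
import os
import plistlib
import stat
from typing import List

# Constructed copy of the vpn-connection.plist shown in the post (same keys and values).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.vpn-connection.plist</string>
    <key>Program</key>
    <string>/Library/LaunchAgents/vpn-connection.sh</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def check_plist(data: bytes) -> List[str]:
    """Problems with the job definition itself; an empty list means it looks fine."""
    problems: List[str] = []
    job = plistlib.loads(data)
    label = job.get("Label")
    if not isinstance(label, str) or not label:
        problems.append("Label missing or empty")
    program = job.get("Program")
    if program is None and not job.get("ProgramArguments"):
        problems.append("neither Program nor ProgramArguments set")
    if isinstance(program, str) and not os.path.isabs(program):
        problems.append("Program is not an absolute path")
    if job.get("RunAtLoad") is not True:
        problems.append("RunAtLoad is not true; the job will not start at load")
    return problems


def check_ownership(uid: int, mode: int) -> List[str]:
    """launchd's rule for job files under /Library: owned by root and not writable by
    group or others. The same minimum applies to any script root will execute."""
    problems: List[str] = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def check_program_mode(mode: int) -> List[str]:
    """The file named in Program is exec'd directly, so it must be executable."""
    return [] if mode & stat.S_IXUSR else ["Program is not executable"]


def audit_job(plist_path: str) -> List[str]:
    """Run all checks on the plist file, its contents and the program it launches."""
    st = os.stat(plist_path)
    problems = [f"{plist_path}: {p}" for p in check_ownership(st.st_uid, st.st_mode)]
    with open(plist_path, "rb") as fh:
        data = fh.read()
    problems += [f"{plist_path}: {p}" for p in check_plist(data)]
    program = plistlib.loads(data).get("Program")
    if isinstance(program, str):
        if os.path.exists(program):
            pst = os.stat(program)
            findings = check_ownership(pst.st_uid, pst.st_mode) + check_program_mode(pst.st_mode)
            problems += [f"{program}: {p}" for p in findings]
        else:
            problems.append(f"{program}: does not exist")
    return problems


if __name__ == "__main__":
    import sys
    # Defaults to the path used in the post; pass other plist paths as arguments.
    for path in sys.argv[1:] or ["/Library/LaunchAgents/vpn-connection.plist"]:
        for line in audit_job(path) or [f"{path}: no problems found"]:
            print(line)
```

Run it with sudo after the chown commands above and fix anything it reports before the launchctl load; a "writable by group or others" finding on vpn-connection.sh is the one that matters most, since that file runs as root unattended.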

Linux Workstation Configuration

Little did I realize I would have to install WireGuard from source on my Linux workstation. apt is broken for me, but that is beside the point.

# Install the toolchain
sudo apt-get install libelf-dev linux-headers-$(uname -r) build-essential pkg-config

# Grab the Code
git clone https://git.zx2c4.com/wireguard-linux-compat
git clone https://git.zx2c4.com/wireguard-tools

# Compile and Install
make -C wireguard-linux-compat/src -j$(nproc)
sudo make -C wireguard-linux-compat/src install

# Compile and Install wg(8) tool
make -C wireguard-tools/src -j$(nproc)
sudo make -C wireguard-tools/src install

Linux Startup Scripts

/etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

xmodmap /home/jack/.xmodmap
/usr/bin/wg-quick up /home/jack/.wg-conf/client.conf

The last line is the most important one.

© Jack Moore