The first VPN post got me up and running. This one dives into DNS and more of the WireGuard specifics such as AllowedIPs and a more custom configuration.
```ini
[Interface]
Address = 192.168.2.2/32
PrivateKey = ['CLIENT_PRIVATE_KEY']
DNS = 192.168.2.1

[Peer]
PublicKey = ['SERVER_PUBLIC_KEY']
Endpoint = ['SERVER_IP_ADDRESS']:54321
AllowedIPs = 192.168.2.1/32, 192.168.2.0/24
```
Additions between the last version and this one:

```ini
DNS = 192.168.2.1
AllowedIPs = 192.168.2.1/32, 192.168.2.0/24
```
Right now I have a bind server running on the same server I am running the WireGuard server from. With the line `DNS = 192.168.2.1`, I can currently make nslookup calls from any client and the server answers the DNS request.
I have the client configuration set up to use the VPN server as the client's DNS server. The server is able to look up both internal and external names because the DNS server has forwarding configured.
I was quite confused by the AllowedIPs line at first, but after reading some basic documentation the meaning became quite clear.
From the documentation:
The keyword allowed-ips is a list of addresses that peer A will be able to send traffic to; allowed-ips 0.0.0.0/0 would allow sending traffic to any IPv4 address, ::/0 allows sending traffic to any IPv6 address.
Also, I completely forgot my networking basics: `/32` is a single address, while `/24` lets me point at a whole network. This now means I am able to ping any address on the `192.168.2.0/24` network that is connected to the VPN.
I addressed out a `/24` (256 addresses) network because I don't see myself using any more than that. Even with family and friend servers connected to the network there's no way I hit the 256 limit.
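To make the DNS and AllowedIPs points above concrete, here is an added example (my own code, not from the original post or from the WireGuard project) that parses a wg-quick client config like the one above and applies the cryptokey-routing rule AllowedIPs implies: the longest matching prefix picks the peer, and anything unmatched leaves the tunnel. It also checks that the `DNS =` server is itself covered by AllowedIPs, since a resolver outside the tunnel would have its queries sent in the clear. The keys and the 203.0.113.10 endpoint are constructed placeholders.

```python
# Added example (not from the post): parse a wg-quick client config and apply the
# cryptokey-routing rule behind AllowedIPs: longest matching prefix picks the peer,
# anything unmatched leaves the tunnel. Keys/endpoint are constructed placeholders.
import ipaddress

CLIENT_CONF = """[Interface]
Address = 192.168.2.2/32
DNS = 192.168.2.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:54321
AllowedIPs = 192.168.2.1/32, 192.168.2.0/24
"""

def parse_conf(text):
    """Return (interface, peers) dicts from the INI-style wg-quick config."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    """AllowedIPs as ip_network objects; /32 is one host, /24 is 256 addresses."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]

def route_for(dest, peers):
    """Longest-prefix match over every peer's AllowedIPs; None = not tunnelled."""
    addr, best = ipaddress.ip_address(dest), None
    for peer in peers:
        for net in allowed_networks(peer):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer["PublicKey"], net)
    return best

def dns_inside_tunnel(interface, peers):
    """True when every DNS server listed in [Interface] is matched by AllowedIPs."""
    servers = [s.strip() for s in interface.get("DNS", "").split(",") if s.strip()]
    return bool(servers) and all(route_for(s, peers) is not None for s in servers)
```

Run `dns_inside_tunnel(*parse_conf(CLIENT_CONF))` after every AllowedIPs edit; with the post's config it returns True because 192.168.2.1/32 covers the resolver, and it would return False for a public resolver such as 1.1.1.1 that no peer claims.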
I had an earlier post using launchctl, related to OSXFuse. This uses a similar launchctl process, but this time we need the root user to run the script. `~/Library/LaunchAgents` is run as the user, whereas the `/Library/LaunchAgents` directory is run as root.
```sh
sudo chown root /Library/LaunchAgents/vpn-connection.plist
sudo chown root /Library/LaunchAgents/vpn-connection.sh
sudo launchctl load /Library/LaunchAgents/vpn-connection.plist
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.vpn-connection.plist</string>
    <key>Program</key>
    <string>/Library/LaunchAgents/vpn-connection.sh</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```
```sh
#!/bin/sh
# vpn-connection.sh: launchd runs this file directly, so it needs a shebang
/usr/local/bin/wg-quick up /Users/Jack/.wg-conf/client.conf
```
Linux Workstation Configuration
Little did I realize I would have to install WireGuard from source on my Linux workstation. apt is broken for me, but that is beside the point.
```sh
# Install the toolchain
sudo apt-get install libelf-dev linux-headers-$(uname -r) build-essential pkg-config

# Grab the Code
git clone https://git.zx2c4.com/wireguard-linux-compat
git clone https://git.zx2c4.com/wireguard-tools

# Compile and Install
make -C wireguard-linux-compat/src -j$(nproc)
sudo make -C wireguard-linux-compat/src install

# Compile and Install wg(8) tool
make -C wireguard-tools/src -j$(nproc)
sudo make -C wireguard-tools/src install
```
Linux Startup Scripts
```sh
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

xmodmap /home/jack/.xmodmap
/usr/bin/wg-quick up /home/jack/.wg-conf/client.conf
```
The last line is the most important one.