I recently re-started my BGP shenanigans, and with that, re-set up some VPNs using WireGuard for my personal machines.
I basically use those to restrict access to certain applications to only the prefix my machines use.
The host machine runs Debian and BIRD[1], and the end devices range from standard Linux machines to Windows desktops and iOS devices.
First, the BIRD configuration is pretty trivial: just add a route for the prefix via lo:

route 2a12:4946:9900:dead::/64 via "lo";
I'm aware my subnet configuration may be sub-optimal, but I'm just running this for fun, not for it to be perfect.
Then, generate the WireGuard keys on the host (the wireguard-tools package needs to be installed):

$ umask 077
$ wg genkey > privatekey
$ wg pubkey < privatekey > publickey
Now, the WireGuard host configuration is pretty trivial:

[Interface]
Address = 2a12:4946:9900:dead::1/128
ListenPort = 1337
PrivateKey = myVeryPrivateKey=
The key generation on the client follows the same procedure, if not easier via a GUI. The configuration itself looks like this:

[Interface]
PrivateKey = myVerySecretKey=
Address = 2a12:4946:9900:dead::1337/128

[Peer]
PublicKey = serverPubKey=
AllowedIPs = ::/1, 8000::/1
Endpoint = [2a12:4946:9900:dead::1]:1337
PersistentKeepalive = 30
Note that I'm using ::/1 and 8000::/1 in AllowedIPs on Windows, as setting it to ::/0 kills IPv4 connectivity (which is sadly still needed) and local connectivity to things like my storage array. On Linux, ::/0 works as expected, letting IPv4 through correctly.
Now we can add a Peer section to the server's configuration:

[Peer]
# PC Client
PublicKey = clientPubKey=
AllowedIPs = 2a12:4946:9900:dead::1337/128
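To make the two config fragments above less error-prone, here is an added example (my own code, not from the post) that renders the client file and the server's per-client [Peer] stanza from the announced /64, checks that the ::/1 + 8000::/1 pair really still covers all of IPv6, and catches the mistakes that bite with cryptokey routing: a client address outside the /64 (no return path via BIRD), the server's own address reused, or the same address listed for two peers (WireGuard gives each allowed IP to exactly one peer, so one of them silently loses it). The key strings and the second client are placeholders I made up.

```python
# Added example (not the post's own code): build the client config and the
# server [Peer] stanza for a client out of the announced /64 and sanity-check
# the AllowedIPs choices described above. Key strings are placeholders.
import ipaddress
from typing import Dict, List

# Values taken from the post
ANNOUNCED_PREFIX = ipaddress.IPv6Network("2a12:4946:9900:dead::/64")
SERVER_ADDRESS = ipaddress.IPv6Address("2a12:4946:9900:dead::1")
LISTEN_PORT = 1337

# The two halves of the IPv6 space the post uses on Windows instead of ::/0
SPLIT_DEFAULT = ["::/1", "8000::/1"]


def covers_all_ipv6(allowed: List[str]) -> bool:
    """True when the AllowedIPs entries, merged, are exactly ::/0.

    ::/1 and 8000::/1 are adjacent halves, so they collapse to ::/0 and the
    tunnel still carries all IPv6 traffic; a single ::/1 does not.
    """
    nets = [ipaddress.IPv6Network(a) for a in allowed]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.IPv6Network("::/0")]


def client_config(private_key: str, client_addr: str, server_pubkey: str,
                  allowed: List[str]) -> str:
    """Render the client's [Interface]/[Peer] file; the address must sit
    inside the /64 announced via BIRD or the return path will not exist."""
    addr = ipaddress.IPv6Address(client_addr)
    if addr not in ANNOUNCED_PREFIX:
        raise ValueError(f"{addr} is outside {ANNOUNCED_PREFIX}")
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {addr}/128",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"AllowedIPs = {', '.join(allowed)}",
        f"Endpoint = [{SERVER_ADDRESS}]:{LISTEN_PORT}",
        "PersistentKeepalive = 30",
    ])


def server_peer_stanza(name: str, client_pubkey: str, client_addr: str) -> str:
    """Render the [Peer] block the server needs for one client: a /128, so
    the server only accepts and routes that one address for this key."""
    addr = ipaddress.IPv6Address(client_addr)
    return "\n".join([
        "[Peer]",
        f"# {name}",
        f"PublicKey = {client_pubkey}",
        f"AllowedIPs = {addr}/128",
    ])


def check_peers(peers: Dict[str, str]) -> List[str]:
    """Report mistakes in a name -> address map of server peers.

    WireGuard's cryptokey routing gives each allowed IP to exactly one peer,
    so an address listed for two peers is silently taken from one of them;
    addresses outside the /64 are never routed back through the host.
    """
    problems: List[str] = []
    owner: Dict[ipaddress.IPv6Address, str] = {}
    for name, addr_s in peers.items():
        addr = ipaddress.IPv6Address(addr_s)
        if addr not in ANNOUNCED_PREFIX:
            problems.append(f"{name}: {addr} is outside {ANNOUNCED_PREFIX}")
        if addr == SERVER_ADDRESS:
            problems.append(f"{name}: {addr} is the server's own address")
        if addr in owner:
            problems.append(f"{name}: {addr} is already assigned to {owner[addr]}")
        else:
            owner[addr] = name
    return problems


if __name__ == "__main__":
    # Constructed sample: two clients in the post's /64, placeholder keys.
    peers = {"PC Client": "2a12:4946:9900:dead::1337",
             "Phone": "2a12:4946:9900:dead::beef"}
    assert covers_all_ipv6(SPLIT_DEFAULT)
    print(client_config("myVerySecretKey=", peers["PC Client"],
                        "serverPubKey=", SPLIT_DEFAULT))
    for name, addr in peers.items():
        print()
        print(server_peer_stanza(name, "clientPubKey=", addr))
    print("problems:", check_peers(peers) or "none")
```

Running it prints the client file with AllowedIPs = ::/1, 8000::/1 and the two server stanzas, followed by "problems: none"; feed check_peers the addresses from an existing server file before appending a new [Peer] and it tells you when the new address would collide with, or fall outside, what BIRD is actually announcing.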
Now you should be all set and ready to bring up the tunnel on both ends.
On the server (assuming your configuration file is named tunnels.conf):

$ systemctl enable wg-quick@tunnels
$ systemctl start wg-quick@tunnels
And on the client, use the same procedure, or just click the "Connect" button in the GUI client.
I've had some cases where all of this alone isn't enough, and had to add the prefix to lo as well.
For instance:

$ ip -6 addr add 2a12:4946:9900:dead::/64 dev lo
And in /etc/network/interfaces:

iface lo inet6 static
    address 2a12:4946:9900:dead::/64
Though I will admit, I had more issues setting this up than I should have, and most of these configs would benefit from being rewritten. Admittedly, I executed and documented this procedure while extremely tired, which of course causes some issues.
But at least this works, and it is also very useful when I'm connected to networks that don't offer IPv6 connectivity.
[1] BIRD Internet Routing Daemon, https://bird.network.cz/