this post was submitted on 04 Jun 2024
64 points (100.0% liked)

Linux

I just finished setting up my Wireguard VPN "server". In this post I want to spread some information that I could've found useful but which didn't come up in most of the Wireguard tutorials.

If you aren't interested in VPN or self hosting, this post is not for you. If you haven't gotten around yet to try it out, I can only recommend doing it. Feels great being able to "phone home" from all over the world.

Alright, tricks and tips:

tcpdump

Wireguard will definitely not work first try. As Wireguard is a silent protocol, you won't see too many error messages. Dropped packets are how you know that something's off. tcpdump is a great command-line tool that, despite its name, can also dump the precious UDP Wireguard packets. The tool will make you see how far your wireguard connection gets before the packets are dropped. Great for running on the "server" and on clients.

ping

A classic tool. Helped me debug some issues with DNS and Maximum Transfer Unit (MTU) size.

AllowedIPs

In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file. I found this pretty counterintuitive, but that seemingly is how it works.

IP Forwarding in sysctl

This one was by far the nastiest one to find out. Mainly because I'm not a linux or Debian expert. You need to tell sysctl to forward IP traffic, which tutorials around the web will usually tell you to do like this: sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1. What I foolishly assumed was that this write operation is permanent. It's not. You need to edit /etc/sysctl.conf to make it permanent. Else, after a reboot you won't be able to connect to the internet. This took me a good amount of reconfigurations from scratch before I eventually found out that these vars reset on boot.

--

Maybe this helps some of you fellow Lemmings. If I stumble across further tips and tricks, I might update this post in the future. For now though, I think I'm done with my setup (philosophical question: are you ever done with setting up things?).
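An added example (not part of the original post) of the check the IP-forwarding tip describes: it parses sysctl.conf-style text the way `sysctl --system` merges it (drop-ins in name order, /etc/sysctl.conf last, so the last value wins) and compares the persisted value with the live /proc value, so you can spot a forwarding flag that is on now but will reset on reboot. The file contents and runtime values used below are constructed for the demo.

```python
"""Is IP forwarding enabled persistently, or only until the next reboot?"""
import re
from pathlib import Path

FORWARD_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def parse_sysctl(text: str) -> dict:
    """Parse `key = value` lines. Lines starting with '#' or ';' are comments;
    sysctl accepts '/' as well as '.' inside keys, so both are normalised."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^-?\s*([\w./]+)\s*=\s*(.*)$", line)
        if m:
            values[m.group(1).replace("/", ".")] = m.group(2).strip()
    return values


def persisted_settings(files: dict) -> dict:
    """Merge {path: content} like `sysctl --system`: drop-in files sorted by
    name, then /etc/sysctl.conf last (simplification: one drop-in directory)."""
    merged = {}
    order = sorted(p for p in files if p != "/etc/sysctl.conf")
    if "/etc/sysctl.conf" in files:
        order.append("/etc/sysctl.conf")
    for path in order:
        merged.update(parse_sysctl(files[path]))
    return merged


def read_live(proc_root: str = "/proc/sys") -> dict:
    """Read the runtime values from /proc/sys (empty dict if not on Linux)."""
    live = {}
    for key in FORWARD_KEYS:
        p = Path(proc_root, *key.split("."))
        if p.exists():
            live[key] = p.read_text().strip()
    return live


def forwarding_report(files: dict, runtime: dict) -> dict:
    """Per key: 'ok', 'disabled', or a warning about a runtime/persist mismatch."""
    persisted = persisted_settings(files)
    report = {}
    for key in FORWARD_KEYS:
        want, have = persisted.get(key, "0") == "1", runtime.get(key, "0") == "1"
        if have and not want:
            report[key] = "enabled now but will reset on reboot"
        elif want and not have:
            report[key] = "persisted but not active (run sysctl --system)"
        else:
            report[key] = "ok" if have else "disabled"
    return report
```

On a real host, `forwarding_report({p: Path(p).read_text() for p in ...}, read_live())` over /etc/sysctl.conf and /etc/sysctl.d/*.conf gives the live check.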

top 6 comments
[–] MangoPenguin@lemmy.blahaj.zone 23 points 5 months ago

In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file.

Only if you want the VPN to be your default route! Many may not want this.

[–] fratermus@lemmy.sdf.org 3 points 5 months ago

Wireguard self hosting

I parsed this as Wireguard self-loathing and thought "that's a little harsh". :-)

[–] 2xsaiko@discuss.tchncs.de 2 points 5 months ago

Another tip: take a look at systemd-networkd for managing your network connections! It has builtin support for creating wireguard tunnels and it's very nice.

[–] Swarfega@lemm.ee 2 points 5 months ago

Wireguard works out of the box for me. I use a docker image.

[–] dino@discuss.tchncs.de 2 points 5 months ago

I mean...all this and much more is part of the wireguard archwiki. And whoever wants to set up a wireguard server but doesn't know what ping is... Interesting would be an example on how to use tcpdump and how to read it.

[–] ReversalHatchery 1 points 5 months ago* (last edited 5 months ago)

In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file. I found this pretty counterintuitive, but that seemingly is how it works.

The reason is that AllowedIPs also affects your routing table.
IP ranges you list there for a peer don't only allow traffic with those source addresses to come from that peer, but, at least when using wg-quick, that peer also gets set up as the default route for that IP range.

AllowedIPs basically means these 3 things, if I remember correctly:

  • wg core: allow incoming traffic with this source address to arrive from this peer
  • wg core: pass any outgoing traffic with this destination address to this peer when the traffic is processed by the current wireguard network interface (current: in the interface section of the config file)
  • wg-quick: set the current wireguard network interface up as the default route for all the IP addresses and address ranges that are listed for any peer in the current config file

The 3rd is important because that's how the outgoing traffic will get to wireguard, for it to be encrypted and routed to the right peer.
You may also think of it as a 2 layer routing system. Part of it is done by Linux, but when the outgoing packet arrives in wg0 (still in your machine), it's wireguard code that decides the peer where the packet will go.

If you are on windows, and you use the wireguard GUI client, that is like wg-quick in that regard: it not only starts the tunnel up, but also configures your system to use that tunnel for the ranges you wanted.
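An added example (not from the thread) that models the three meanings of AllowedIPs described above, and MangoPenguin's point that 0.0.0.0/0 only belongs in a client config when the tunnel should be the default route: outgoing packets are matched against every peer's AllowedIPs by longest prefix (cryptokey routing), an incoming decrypted packet is accepted only if its source falls in the sending peer's AllowedIPs, and the union of all ranges is what wg-quick routes into the interface. The peer tables are constructed for the demo.

```python
"""Cryptokey routing lookups, modelled on how WireGuard uses AllowedIPs."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample configs: (network, peer name) rows.
FULL_TUNNEL_CLIENT = {"server": ["10.0.0.1/32", "0.0.0.0/0", "::/0"]}
SPLIT_TUNNEL_CLIENT = {"server": ["10.0.0.0/24"]}          # only the VPN subnet
SERVER = {"laptop": ["10.0.0.2/32"], "phone": ["10.0.0.3/32"]}


def parse_peers(peers: dict) -> List[Tuple[ipaddress._BaseNetwork, str]]:
    """Flatten {peer: [cidr, ...]} into a lookup table of (network, peer)."""
    return [(ipaddress.ip_network(c, strict=False), name)
            for name, cidrs in peers.items() for c in cidrs]


def peer_for_destination(table, dst: str) -> Optional[str]:
    """wg core, outgoing: the most specific AllowedIPs entry decides the peer.
    None means no peer claims the address, so wg drops the packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def accept_incoming(table, src: str, from_peer: str) -> bool:
    """wg core, incoming: a decrypted packet from `from_peer` is accepted only
    if its source address is owned by that same peer's AllowedIPs."""
    return peer_for_destination(table, src) == from_peer


def interface_routes(table) -> List[str]:
    """wg-quick: every listed range gets routed into the wg interface. For
    /0 ranges wg-quick really uses fwmark + policy routing, but the effect is
    the same: that traffic goes to the tunnel instead of the old default route."""
    return sorted({str(net) for net, _ in table}, key=lambda s: (":" in s, s))
```

A split-tunnel client returns None for an internet address, which is exactly why the thread's "0.0.0.0/0" advice only applies when the VPN should carry all traffic.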