ArchWiki - User contributions [en] (Atom feed generated 2024-03-29T15:50:37Z by MediaWiki 1.41.0)
https://wiki.archlinux.org/index.php?title=WireGuard&diff=590718 WireGuard, revision of 2019-12-01T18:51:46Z by Rfraile: "Add good documentation resource"
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:Wireguard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|1=As of November 2019, it is looking like Wireguard could be [https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-RFC-Looking-Like-5.6 mainlined] as soon as kernel version 5.6.}}<br />
<br />
{{Tip|[[systemd-networkd]] has native support for setting up Wireguard interfaces since version 237. See [[#Using systemd-networkd]] for details.}}<br />
<br />
== Usage ==<br />
<br />
The commands below demonstrate how to set up a basic tunnel between two peers with the following settings:<br />
<br />
{{Expansion|Add Peer C to better demonstrate routing and PSK, and add IPv6.}}<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! Wireguard listening port<br />
| UDP/51871<br />
| UDP/51902<br />
|}<br />
<br />
The external addresses should already exist: peer A should be able to ping peer B with {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses are new addresses assigned to the WireGuard interface by the {{man|8|ip}} commands below; they are only reachable through the tunnel, whose peers are configured with {{man|8|wg}}. The {{ic|/24}} suffix is the [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]] prefix length of the internal network.<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key: an optional 32-byte symmetric secret that is mixed into the handshake on top of the Curve25519 key exchange, as a hedge against a future quantum computer breaking the public-key part. It must be identical on both peers of a pair, and each pair of peers should have its own.<br />
<br />
{{Expansion|A pre-shared key should be created for each peer pair. E.g. with peers A, B and C, there should be three pre-shared keys, {{ic|peer_A-peer_B-psk}} for the connection between Peer A and Peer B, {{ic|peer_A-peer_C-psk}} for the connection between Peer A and Peer C and {{ic|peer_B-peer_C-psk}} for the connection between Peer B and Peer C.}}<br />
<br />
$ wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 51871 and accept connections from peer B only, identified by peer B's public key. The peer entry ties that key to peer B's tunnel address ({{ic|allowed-ips}}) and to its external address and port ({{ic|endpoint}}):<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 51871 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_B_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:51902<br />
# ip link set wg0 up<br />
<br />
{{ic|''PEER_B_PUBLIC_KEY''}} is peer B's base64-encoded public key, in the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The {{ic|allowed-ips}} list is this peer's entry in WireGuard's cryptokey routing table and works in both directions: outgoing packets whose destination falls into the list are encrypted for this peer, and incoming packets from this peer are dropped unless their source address is in the list. {{ic|allowed-ips 0.0.0.0/0}} would route any IPv4 destination to the peer and accept any IPv4 source from it; {{ic|::/0}} does the same for IPv6.<br />
<br />
=== Peer B setup ===<br />
<br />
As with peer A, except that this peer listens on UDP port 51902 and accepts connections from peer A only:<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 51902 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_A_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:51871<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameters gives a quick overview of the current configuration.<br />
<br />
As an example, when Peer A has been configured we are able to see its identity and its associated peers:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51871<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:51902<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point the other end of the tunnel should be reachable:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The current settings can be saved with {{ic|showconf}} and loaded again with {{ic|setconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
Note that {{ic|showconf}} only records what {{man|8|wg}} manages (private key, listen port and peers); the interface address and routes set with {{man|8|ip}} are not included. To use the file with {{man|8|wg-quick}}, add an {{ic|1=Address =}} line to the {{ic|[Interface]}} section, as in the example below. The file contains the private key, so keep it readable by root only.<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = ''CLIENT_PRIVATE_KEY''<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = ''SERVER_ENDPOINT'':51871<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|The terms "server" and "client" are used here for newcomers to WireGuard and for current users of OpenVPN, to help them relate the construction of the configuration files to what they know. The WireGuard documentation simply refers to both as "peers": the protocol is symmetric, and the only practical difference is that the "server" has a fixed, reachable endpoint.}}<br />
<br />
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted tunnel, in the manner of [[OpenVPN]] and others. The server runs on Linux and the clients can run on any number of platforms (the WireGuard project offers apps for iOS and Android in addition to Linux, Windows and macOS). See the official project [https://www.wireguard.com/install/ install page] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
<br />
If the server has a public IP address configured directly, be sure to:<br />
<br />
* Allow incoming UDP traffic on the port(s) WireGuard listens on (for example 51820/udp).<br />
* Set up the firewall's forwarding policy if it is not included in the WireGuard configuration for the interface itself ({{ic|/etc/wireguard/wg0.conf}}). The example below includes the necessary iptables rules and works as-is.<br />
<br />
If the server is behind NAT, forward the port(s) WireGuard listens on (for example 51820/udp) from the router to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# the MASQUERADE rule lets clients reach networks beyond the server (the LAN or the Internet) using the server's address;<br />
# it can only be dropped if every such network already has a route back to 10.200.200.0/24 via this server<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires {{ic|PublicKey}} to be set; {{ic|PresharedKey}} is optional, but if it is given for a peer it must be set to the same value on that peer's own side, otherwise the handshake fails.<br />
<br />
Notice that the server's {{ic|Address}} has a {{ic|/24}} mask while each client's {{ic|AllowedIPs}} entry is a {{ic|/32}}: the {{ic|/24}} gives the server a route to the whole tunnel subnet via wg0, whereas the {{ic|/32}} entries tell WireGuard which single address each client's key may use. Packets from a client carrying any other source address are dropped, so one client cannot impersonate another.<br />
<br />
The interface can be managed manually using {{man|8|wg-quick}} or using a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface may be brought up with {{ic|wg-quick up wg0}}, or equivalently by [[start|starting]] (and potentially [[enable|enabling]]) {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To close the interface use {{ic|wg-quick down wg0}}, or [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
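To see how the server's {{ic|/32}} entries and the clients' catch-all interact, here is an added example (not part of the wiki page or of the WireGuard project) in Python. It parses the {{ic|wg0.conf}} and {{ic|foo.conf}} above (embedded as constructed strings with the page's placeholder key names, not real keys), looks up which peer a destination is routed to by longest prefix match, as the kernel's cryptokey routing table does, checks that a client's {{ic|Address}} is covered by the server's {{ic|AllowedIPs}} for its key, and flags an {{ic|AllowedIPs}} entry that has been handed to two peers. The parser and the function names are the example's own.

```python
import ipaddress


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) for wg-quick INI text.

    configparser is unsuitable because every peer section is named [Peer],
    so the lines are walked by hand. Text after '#' is a comment.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")  # split once: base64 keys end in '='
            current[key.strip()] = value.strip()
    return interface, peers


def allowed_networks(peer):
    """The peer's AllowedIPs as ip_network objects (empty list if none)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def route_to_peer(peers, destination):
    """Longest-prefix match over all peers' AllowedIPs, as WireGuard does for
    outgoing packets. Returns the PublicKey of the chosen peer, or None when
    no peer may carry the destination, in which case the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer["PublicKey"], net.prefixlen
    return best


def client_address_allowed(server_peers, client_pubkey, client_conf):
    """True if the client's tunnel Address lies inside the AllowedIPs that the
    server grants to the client's key. The same table filters incoming
    packets: a source address outside the peer's AllowedIPs is dropped as
    spoofing, so a mismatch here means the client's traffic never arrives."""
    interface, _ = parse_wg_conf(client_conf)
    address = ipaddress.ip_interface(interface["Address"]).ip
    for peer in server_peers:
        if peer.get("PublicKey") == client_pubkey:
            return any(address in net for net in allowed_networks(peer))
    return False  # the server has no [Peer] for this key at all


def duplicate_allowed_ips(peers):
    """[(network, first_key, second_key)] for an AllowedIPs entry given to two
    peers. WireGuard keeps one owner per entry, the last one configured, so
    the earlier peer silently loses that route."""
    owner, duplicates = {}, []
    for peer in peers:
        for net in allowed_networks(peer):
            if net in owner and owner[net] != peer["PublicKey"]:
                duplicates.append((str(net), owner[net], peer["PublicKey"]))
            owner.setdefault(net, peer["PublicKey"])
    return duplicates


# Constructed copies of wg0.conf and foo.conf from this section; the key
# values are the page's placeholders, not valid keys.
SERVER_CONF = """
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
# foo
PublicKey = PEER_FOO_PUBLIC_KEY
PresharedKey = PRE-SHARED_KEY
AllowedIPs = 10.200.200.2/32

[Peer]
# bar
PublicKey = PEER_BAR_PUBLIC_KEY
AllowedIPs = 10.200.200.3/32
"""

FOO_CONF = """
[Interface]
Address = 10.200.200.2/24
PrivateKey = PEER_FOO_PRIVATE_KEY
DNS = 10.200.200.1

[Peer]
PublicKey = SERVER_PUBLICKEY
PresharedKey = PRE-SHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my.ddns.example.com:51820
"""

if __name__ == "__main__":
    _, server_peers = parse_wg_conf(SERVER_CONF)
    _, client_peers = parse_wg_conf(FOO_CONF)
    for dst in ("10.200.200.3", "8.8.8.8"):
        print("server sends", dst, "to", route_to_peer(server_peers, dst))
        print("client sends", dst, "to", route_to_peer(client_peers, dst))
    print("foo's address accepted by server:",
          client_address_allowed(server_peers, "PEER_FOO_PUBLIC_KEY", FOO_CONF))
    print("duplicate AllowedIPs on server:", duplicate_allowed_ips(server_peers))
```

Run against the configs above, the server routes {{ic|10.200.200.3}} to bar and has no peer at all for {{ic|8.8.8.8}} (so the server never originates Internet traffic into a client's tunnel), while the client routes everything, IPv4 and IPv6, to the server. Changing foo's {{ic|Address}} to an address outside its {{ic|/32}} makes {{ic|client_address_allowed}} return False, which is exactly the silent packet loss one sees when the two files disagree.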
<br />
{{Note|Users of [[NetworkManager]] may need to [[enable]] {{ic|NetworkManager-wait-online.service}}, and users of [[systemd-networkd]] may need to [[enable]] {{ic|systemd-networkd-wait-online.service}}, so that the WireGuard connection is only attempted once the devices are network ready.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic to the listening peer's tunnel address (10.0.0.2 in the [[#Usage]] example):<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.2 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring WireGuard from [[NetworkManager]], make sure that NetworkManager is not managing the WireGuard interface(s):<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg*<br />
}}<br />
<br />
=== Connection loss with NetworkManager ===<br />
<br />
On desktop systems, connection loss can be experienced when all traffic is tunneled through a WireGuard interface: typically, the connection is seemingly lost after a while or upon connecting to a new access point.<br />
<br />
By default ''wg-quick'' uses a resolvconf provider such as [[openresolv]] to register new [[DNS]] entries (i.e. {{ic|DNS}} keyword in the configuration file). However [[NetworkManager]] does not use resolvconf by default: every time a new [[DHCP]] lease is acquired, [[NetworkManager]] overwrites the global DNS addresses with the DHCP-provided ones which might not be available through the tunnel.<br />
<br />
==== Using resolvconf ====<br />
<br />
If resolvconf is already used by the system and connection losses persist, make sure NetworkManager is configured to use it: [[NetworkManager#Use openresolv]].<br />
<br />
==== Using dnsmasq ====<br />
<br />
See [[Dnsmasq#openresolv]] for configuration.<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU that wg-quick derives for the tunnel is too low (below 1280, the IPv6 minimum link MTU), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU explicitly in the {{ic|[Interface]}} section of the client configuration. Note that wg-quick otherwise takes the MTU of the interface used to reach the endpoint minus 80 bytes of WireGuard overhead (1420 on a 1500-byte link); a tunnel MTU as large as the link MTU, as below, means inner packets will be fragmented on the outer UDP path.<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
}}<br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard interfaces and therefore does not require the {{Pkg|wireguard-tools}} package (the kernel module is still needed).<br />
<br />
The ''.netdev'' file contains the private key. To prevent it from leaking, restrict the file's permissions so that only root and the {{ic|systemd-network}} group can read it:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = ''FOO_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, such as through use of {{pkg|pass}}. Just replace the PrivateKey line under [Interface] in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After a server's domain name has been resolved once (by {{man|8|wg}} or wg-quick at configuration time), WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again]; the peer keeps using the originally resolved address.<br />
<br />
If the WireGuard server frequently changes its IP address (DHCP, dynamic DNS, IPv6 privacy addresses, ...), every client loses the connection until its endpoint is updated, for example with {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}; passing a hostname makes {{man|8|wg}} resolve it again at that moment.<br />
<br />
Also be aware that if the endpoint ever changes its address permanently (for example when moving to a new provider or datacenter), updating DNS alone is not enough, because the running peer still holds the old address. Periodically re-resolving the endpoint therefore makes sense on any DNS-based setup.<br />
<br />
{{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, that parses a wg-quick configuration file and re-sets the endpoint of every peer whose latest handshake is older than 135 seconds, so peers that are still handshaking normally are left untouched.<br />
<br />
Run {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg0.conf}} periodically to recover from an endpoint that has changed its IP address.<br />
<br />
One way of doing so is to re-resolve all WireGuard endpoints once every thirty seconds[https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
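The decision the script makes on each run can be seen in the following added example (not the wiki's or the WireGuard project's code), written in Python. It extracts {{ic|PublicKey}}/{{ic|Endpoint}} pairs from a wg-quick configuration, reads the output of {{ic|wg show wg0 latest-handshakes}} (supplied here as constructed sample text with placeholder keys) and returns the {{ic|wg set}} commands for the peers whose last handshake is older than 135 seconds, the same threshold the upstream script uses. Nothing is executed; a timer job would run the returned commands. Since every peer is authenticated by its static public key, a wrong or attacker-controlled DNS answer can only make the handshake fail; it cannot redirect the tunnel to another host.

```python
import re
import time

STALE_AFTER = 135  # seconds since the last handshake before re-resolving


def peers_with_endpoints(conf_text):
    """[(PublicKey, Endpoint)] for every [Peer] of a wg-quick config that has
    an Endpoint; peers without one (typical on the server side) are skipped."""
    found = []
    for section in re.split(r"(?im)^\s*\[peer\]\s*$", conf_text)[1:]:
        key = re.search(r"(?im)^\s*PublicKey\s*=\s*(\S+)", section)
        endpoint = re.search(r"(?im)^\s*Endpoint\s*=\s*(\S+)", section)
        if key and endpoint:
            found.append((key.group(1), endpoint.group(1)))
    return found


def parse_latest_handshakes(dump):
    """Parse `wg show IFACE latest-handshakes` output: "pubkey<TAB>unixtime",
    one peer per line, 0 for a peer that has never completed a handshake."""
    handshakes = {}
    for line in dump.splitlines():
        if line.strip():
            key, _, stamp = line.partition("\t")
            handshakes[key.strip()] = int(stamp)
    return handshakes


def reresolve_commands(iface, conf_text, handshake_dump, now=None):
    """Return the `wg set` argv lists for peers whose handshake is stale.

    `wg set IFACE peer KEY endpoint HOST:PORT` makes wg(8) resolve HOST
    again right then; peers that handshook recently are left alone so a
    working tunnel is never disturbed. A peer that never handshook (0) is
    always retried, which also covers a name that did not resolve at boot.
    """
    now = int(time.time()) if now is None else now
    handshakes = parse_latest_handshakes(handshake_dump)
    commands = []
    for pubkey, endpoint in peers_with_endpoints(conf_text):
        last = handshakes.get(pubkey)
        if last is None:            # key not on this interface: nothing to fix
            continue
        if now - last > STALE_AFTER:
            commands.append(["wg", "set", iface, "peer", pubkey, "endpoint", endpoint])
    return commands


# Constructed sample input with placeholder keys: a config with three peers
# that have an Endpoint plus one without, and a latest-handshakes dump as of
# NOW. SERVER_PUBLICKEY last handshook 300 s ago, PEER_B 10 s ago, PEER_C
# never (0), PEER_D has no Endpoint to re-resolve.
NOW = 1_700_000_000
SAMPLE_CONF = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.200.200.2/24

[Peer]
PublicKey = SERVER_PUBLICKEY
AllowedIPs = 0.0.0.0/0
Endpoint = my.ddns.example.com:51820

[Peer]
PublicKey = PEER_B_PUBLIC_KEY
AllowedIPs = 10.0.0.1/32
Endpoint = 198.51.100.101:51871

[Peer]
PublicKey = PEER_C_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
Endpoint = peer-c.example.org:51820

[Peer]
PublicKey = PEER_D_PUBLIC_KEY
AllowedIPs = 10.0.0.4/32
"""
SAMPLE_HANDSHAKES = (
    "SERVER_PUBLICKEY\t1699999700\n"
    "PEER_B_PUBLIC_KEY\t1699999990\n"
    "PEER_C_PUBLIC_KEY\t0\n"
    "PEER_D_PUBLIC_KEY\t1699999995\n"
)

if __name__ == "__main__":
    for argv in reresolve_commands("wg0", SAMPLE_CONF, SAMPLE_HANDSHAKES, now=NOW):
        print(" ".join(argv))  # the timer job would run subprocess.run(argv, check=True)
```

With the sample data the server peer (300 seconds silent) and PEER_C (never handshook) get a new {{ic|wg set}}, PEER_B is left alone because it handshook ten seconds ago, and PEER_D is ignored because it has no endpoint to re-resolve. In a real timer job the dump comes from {{ic|wg show wg0 latest-handshakes}} and the returned argv lists are passed to {{ic|subprocess.run}}.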
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to turn the client's configuration into a QR code and display it in the terminal, where the WireGuard app can scan it:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
The QR code encodes the whole file, including the client's private key, so treat the screen showing it as sensitive and do not keep screenshots of it.<br />
<br />
== See also ==<br />
<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]<br />
* [https://github.com/pirate/wireguard-docs Unofficial WireGuard Documentation]</div>
<br />
==== Using resolvconf ====<br />
<br />
If resolvconf is already used by the system and connection losses persist, make sure NetworkManager is configured to use it: [[NetworkManager#Use openresolv]].<br />
<br />
==== Using dnsmasq ====<br />
<br />
See [[Dnsmasq#openresolv]] for configuration.<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU is too low (below 1280), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU value in the {{ic|[Interface]}} section of the client's WireGuard configuration:<br />
{{hc|/foo.config|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard protocols and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
In order to prevent leaking private keys, it is recommended to restrict the permissions of the ''.netdev'' file:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [FOO's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = [BAR's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [FOO's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink=true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [BAR's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink=true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, such as through use of {{pkg|pass}}. Just replace the PrivateKey line under [Interface] in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client will lose its connection until its endpoint is updated via something like {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware that if the endpoint ever changes its address (for example when moving to a new provider or datacenter), updating DNS alone will not be enough, so periodically running reresolve-dns makes sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, which parses WireGuard configuration files and automatically resets the endpoint address.<br />
<br />
One needs to run the {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP.<br />
<br />
One way of doing so is by updating all WireGuard endpoints once every thirty seconds [https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to generate a QR code of the client's configuration and display it in the terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]</div>Rfrailehttps://wiki.archlinux.org/index.php?title=WireGuard&diff=590586WireGuard2019-11-30T15:05:57Z<p>Rfraile: Update info about network mask on server and clients</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:Wireguard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|1=As of November 2019, it is looking like Wireguard could be [https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-RFC-Looking-Like-5.6 mainlined] as soon as kernel version 5.6.}}<br />
<br />
{{Tip|[[systemd-networkd]] has native support for setting up Wireguard interfaces since version 237. See [[#Using systemd-networkd]] for details.}}<br />
<br />
== Usage ==<br />
<br />
The below commands demonstrate how to setup a basic tunnel between two peers with the following settings:<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! Wireguard listening port<br />
| UDP/48574<br />
| UDP/39814<br />
|}<br />
<br />
The external addresses should already exist. For example, peer A should be able to ping peer B via {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses will be new addresses created by the {{man|8|ip}} commands below and will be shared internally within the new WireGuard network using {{man|8|wg}}. The {{ic|/24}} in the IP addresses is the [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]].<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.<br />
<br />
# wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 48574 and will accept connections from peer B by linking peer B's public key with both its inner and outer IP addresses.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 48574 private-key ./privatekey<br />
# wg set wg0 peer [Peer B public key] persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:39814<br />
# ip link set wg0 up<br />
<br />
{{ic|[Peer B public key]}} should have the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The keyword {{ic|allowed-ips}} is a list of addresses that peer A will be able to send traffic to; {{ic|allowed-ips 0.0.0.0/0}} would allow sending traffic to any IPv4 address, {{ic|::/0}} allows sending traffic to any IPv6 address.<br />
<br />
=== Peer B setup ===<br />
<br />
Peer B is set up in the same way as peer A, except that its WireGuard interface listens on UDP port 39814 and accepts connections from peer A only.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 39814 private-key ./privatekey<br />
# wg set wg0 peer [Peer A public key] persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:48574<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameters will give a quick overview of the current configuration.<br />
<br />
As an example, when Peer A has been configured we are able to see its identity and its associated peers:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 48574<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:39814<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point the other end of the tunnel should be reachable:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The configuration can be saved by utilizing {{ic|showconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = [CLIENT PRIVATE KEY]<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = [SERVER ENDPOINT]:48574<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|The terms "server" and "client" are used here specifically for newcomers to WireGuard and for current users of OpenVPN, to help familiarize them with the construction of configuration files. WireGuard documentation simply refers to both as "peers."}}<br />
<br />
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server's network resources through an encrypted and secured tunnel, as with [[OpenVPN]] and others. The server runs on Linux and the clients can run on any number of platforms (the WireGuard project offers apps for iOS and Android in addition to Linux, Windows and macOS). See the official project [https://www.wireguard.com/install/ install page] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
<br />
If the server has a public IP configured, be sure to:<br />
<br />
* Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on 51820/udp).<br />
* Set up the forwarding policy for the firewall if it is not included in the WireGuard config for the interface itself ({{ic|/etc/wireguard/wg0.conf}}). The example below includes the iptables rules and should work as-is.<br />
<br />
If the server is behind NAT, be sure to:<br />
<br />
* Forward (NAT) the UDP traffic on the specified port(s) on which WireGuard will be running (for example 51820/udp) from the router to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# if the server is behind a NAT, these iptables rules are not needed<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = [FOO'S PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = [BAR'S PUBLIC KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the {{ic|PublicKey}} to be set. However, specifying {{ic|PresharedKey}} is optional.<br />
<br />
Notice that the server's {{ic|Address}} carries a "/24" mask while each client entry in {{ic|AllowedIPs}} carries "/32": a client may only source traffic from its own address, and the server only sends a client the traffic destined for that client's address.<br />
<br />
The interface can be managed manually using {{man|8|wg-quick}} or using a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface may be brought up with {{ic|wg-quick up wg0}}, or by [[start|starting]] and optionally [[enable|enabling]] {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To close the interface, use {{ic|wg-quick down wg0}} or [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = [BAR'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
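The cryptokey routing behind the "/24 versus /32" remark in [[#Server config]] and the catch-all {{ic|AllowedIPs}} just above, as an added example that is not part of this page or of the WireGuard project. It needs only the Python standard library; the configs and key names in it are constructed placeholders modelled on the server and client files above.<br />
<br />
```python
"""Added example, not from the ArchWiki page or the WireGuard project: a parser for
wg-quick style configs and a model of WireGuard's cryptokey routing, showing why the
server lists each client as a /32 in AllowedIPs while the clients use 0.0.0.0/0, ::/0."""
import ipaddress

# Constructed from the page's server/client layout; the keys are placeholder strings.
SERVER_CONF = """[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
[Peer]
# foo
PublicKey = FOO_PUBLIC_KEY
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = BAR_PUBLIC_KEY
AllowedIPs = 10.200.200.3/32
"""
CLIENT_CONF = """[Interface]
Address = 10.200.200.2/24
DNS = 10.200.200.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my.ddns.address.com:51820
"""
# The same client with a mistyped AllowedIPs that no longer covers the server side.
BAD_CLIENT_CONF = CLIENT_CONF.replace("0.0.0.0/0, ::/0", "10.200.0.0/24")
# A server that hands the same address to two peers.
DUP_SERVER_CONF = SERVER_CONF.replace("10.200.200.3/32", "10.200.200.2/32")


def parse_wg_conf(text):
    """Return (interface, peers). configparser is unsuitable because [Peer] repeats;
    '#' starts a comment, as in the page's server config."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return interface, peers


def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def _holds(net, addr):
    return addr.version == net.version and addr in net


def route_peer(peers, dst):
    """Outbound cryptokey routing: the peer whose AllowedIPs contains the longest
    prefix matching dst gets the packet; with no match the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if _holds(net, addr) and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best["PublicKey"] if best else None


def accept_inbound(peers, pubkey, src):
    """Inbound: a packet decrypted under `pubkey` is kept only if its source lies in
    that peer's AllowedIPs, so foo cannot inject packets claiming bar's address."""
    addr = ipaddress.ip_address(src)
    for peer in peers:
        if peer.get("PublicKey") == pubkey:
            return any(_holds(net, addr) for net in allowed_networks(peer))
    return False


def lint(text):
    """Checks that follow from the page: every peer needs a PublicKey; a server (ListenPort
    set) gives each client one address inside its subnet, never the same address twice;
    a client must be able to reach its DNS server through some peer."""
    interface, peers = parse_wg_conf(text)
    problems, owner = [], {}
    subnet = ipaddress.ip_interface(interface["Address"].split(",")[0].strip()).network
    for i, peer in enumerate(peers):
        if "PublicKey" not in peer:
            problems.append(f"peer {i}: PublicKey is required")
        if "ListenPort" not in interface:
            continue
        for net in allowed_networks(peer):
            if net.prefixlen != net.max_prefixlen or not _holds(subnet, net.network_address):
                problems.append(f"peer {i}: {net} should be one address inside {subnet}")
            if str(net) in owner:
                problems.append(f"peer {i}: {net} already belongs to peer {owner[str(net)]}")
            owner[str(net)] = i
    dns = interface.get("DNS")
    if dns and route_peer(peers, dns) is None:
        problems.append(f"DNS {dns} is not covered by any peer's AllowedIPs")
    return problems
```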
<br />
{{Note|Users of [[NetworkManager]] may need to [[enable]] {{ic|NetworkManager-wait-online.service}}, and users of [[systemd-networkd]] may need to [[enable]] {{ic|systemd-networkd-wait-online.service}}, so that the system waits until devices are network-ready before attempting the WireGuard connection.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic:<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.203 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring Wireguard from [[NetworkManager]], make sure that NetworkManager is not managing the Wireguard interface:<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg0<br />
}}<br />
<br />
=== Connection loss with NetworkManager ===<br />
<br />
On desktop, connection loss can be experienced when all the traffic is tunneled through a Wireguard interface: typically, the connection is seemingly lost after a while or upon new connection to an access point.<br />
<br />
By default ''wg-quick'' uses a resolvconf provider such as [[openresolv]] to register new [[DNS]] entries (i.e. {{ic|DNS}} keyword in the configuration file). However [[NetworkManager]] does not use resolvconf by default: every time a new [[DHCP]] lease is acquired, [[NetworkManager]] overwrites the global DNS addresses with the DHCP-provided ones which might not be available through the tunnel.<br />
<br />
==== Using resolvconf ====<br />
<br />
If resolvconf is already used by the system and connection losses persist, make sure NetworkManager is configured to use it: [[NetworkManager#Use openresolv]].<br />
<br />
==== Using dnsmasq ====<br />
<br />
See [[Dnsmasq#openresolv]] for configuration.<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU is too low (below 1280), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU value in the {{ic|[Interface]}} section of the client's WireGuard configuration:<br />
{{hc|/foo.config|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard protocols and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
In order to prevent leaking private keys, it is recommended to restrict the permissions of the ''.netdev'' file:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [FOO's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = [BAR's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [FOO's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink=true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [BAR's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink=true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, such as through use of {{pkg|pass}}. Just replace the PrivateKey line under [Interface] in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client will lose its connection until its endpoint is updated via something like {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware that if the endpoint ever changes its address (for example when moving to a new provider or datacenter), updating DNS alone will not be enough, so periodically running reresolve-dns makes sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, which parses WireGuard configuration files and automatically resets the endpoint address.<br />
<br />
One needs to run the {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP.<br />
<br />
One way of doing so is by updating all WireGuard endpoints once every thirty seconds [https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to generate a QR code of the client's configuration and display it in the terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]</div>Rfrailehttps://wiki.archlinux.org/index.php?title=WireGuard&diff=590585WireGuard2019-11-30T15:01:22Z<p>Rfraile: Add line break</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:Wireguard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|1=As of November 2019, it is looking like Wireguard could be [https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-RFC-Looking-Like-5.6 mainlined] as soon as kernel version 5.6.}}<br />
<br />
{{Tip|[[systemd-networkd]] has native support for setting up Wireguard interfaces since version 237. See [[#Using systemd-networkd]] for details.}}<br />
<br />
== Usage ==<br />
<br />
The below commands demonstrate how to setup a basic tunnel between two peers with the following settings:<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! Wireguard listening port<br />
| UDP/48574<br />
| UDP/39814<br />
|}<br />
<br />
The external addresses should already exist. For example, peer A should be able to ping peer B via {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses will be new addresses created by the {{man|8|ip}} commands below and will be shared internally within the new WireGuard network using {{man|8|wg}}. The {{ic|/24}} in the IP addresses is the [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]].<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key, which adds an additional layer of symmetric-key cryptography mixed into the existing public-key cryptography, for post-quantum resistance:<br />
<br />
$ wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 48574 and will accept connections from peer B by associating peer B's public key with both its internal (tunnel) and external (endpoint) IP addresses.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 48574 private-key ./privatekey<br />
# wg set wg0 peer [Peer B public key] persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:39814<br />
# ip link set wg0 up<br />
<br />
{{ic|[Peer B public key]}} should have the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The keyword {{ic|allowed-ips}} is the list of addresses that peer A will route to this peer, and also the only source addresses it will accept from this peer after decryption; {{ic|allowed-ips 0.0.0.0/0}} would allow sending traffic to any IPv4 address, {{ic|::/0}} to any IPv6 address.<br />
<br />
=== Peer B setup ===<br />
<br />
Same as for peer A, except that this peer listens on UDP port 39814 and accepts connections from peer A only.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 39814 private-key ./privatekey<br />
# wg set wg0 peer [Peer A public key] persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:48574<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameters gives a quick overview of the current configuration.<br />
<br />
As an example, once peer A has been configured, its own identity and its associated peers are shown:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 48574<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:39814<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point the other end of the tunnel should be reachable:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The running configuration can be saved with {{ic|showconf}} and loaded again with {{ic|setconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = [CLIENT PRIVATE KEY]<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = [SERVER ENDPOINT]:48574<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|The terms "server" and "client" are used here specifically for newcomers to WireGuard and for current users of OpenVPN, to help familiarize them with the construction of the configuration files. The WireGuard documentation simply refers to both of these as "peers".}}<br />
<br />
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted and secured tunnel, like [[OpenVPN]] and others. The server runs on Linux and the clients can run on any number of platforms (the WireGuard project offers apps for iOS and Android in addition to Linux, Windows and macOS). See the official project [https://www.wireguard.com/install/ install page] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
<br />
If the server has a public IP address configured directly, be sure to:<br />
<br />
* Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example, allow traffic on 51820/udp).<br />
* Set up the forwarding policy in the firewall if it is not included in the WireGuard configuration for the interface itself ({{ic|/etc/wireguard/wg0.conf}}). The example below includes the iptables rules and works as-is.<br />
<br />
If the server is behind NAT, be sure to:<br />
<br />
* Forward the UDP traffic on the specified port(s) on which WireGuard will be running (for example 51820/udp) from the router to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# if the server is behind NAT, these iptables rules are not needed<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = [FOO'S PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = [BAR'S PUBLIC KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the {{ic|PublicKey}} to be set. However, specifying {{ic|PresharedKey}} is optional.<br />
<br />
The interface can be managed manually with {{man|8|wg-quick}} or through a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface can be brought up with {{ic|wg-quick up wg0}}, or by [[start|starting]] (and optionally [[enable|enabling]]) {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To bring the interface down, use {{ic|wg-quick down wg0}} or [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = [BAR'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
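The {{ic|allowed-ips}} rule explained in [[#Peer A setup]] and the {{ic|AllowedIPs}} lines in the server and client configurations above are WireGuard's cryptokey routing: each prefix belongs to exactly one peer, an outgoing packet is encrypted for the peer owning its destination, and a decrypted packet is dropped unless its inner source address belongs to the peer it arrived from. The following Python is an added example (not WireGuard's code) that models that table from the page's configurations, with placeholder strings in place of real keys, and shows why a client cannot spoof another client's tunnel address through the server.<br />

```python
"""Added example: a model of WireGuard's cryptokey routing table, built from
the [Peer] sections of a wg-quick style config.  Not WireGuard's own code;
the config texts are constructed from this page's examples with placeholder
keys in place of the real 44-character base64 ones."""
import ipaddress
from typing import Optional

SERVER_CONF = """\
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = [SERVER PRIVATE KEY]

[Peer]
# foo
PublicKey = FOO_PUBLIC_KEY
PresharedKey = [PRE-SHARED KEY]
AllowedIPs = 10.200.200.2/32

[Peer]
PublicKey = BAR_PUBLIC_KEY
AllowedIPs = 10.200.200.3/32
"""

CLIENT_CONF = """\
[Interface]
Address = 10.200.200.2/24
PrivateKey = [FOO'S PRIVATE KEY]

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my.ddns.address.com:51820
"""


def parse_sections(conf: str) -> list:
    """Split an INI-style wg config into (section, {key: [values]}) pairs."""
    sections = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, sep, value = line.partition("=")      # keys never contain '='
        if not sep or not sections:
            raise ValueError(f"malformed config line: {raw!r}")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


class CryptokeyRouter:
    """Each AllowedIPs prefix belongs to exactly one peer, as in the kernel."""

    def __init__(self) -> None:
        self.table = {}     # ip_network -> public key of the owning peer
        self.moved = []     # (prefix, previous owner, new owner) conflicts

    @classmethod
    def from_conf(cls, conf: str) -> "CryptokeyRouter":
        router = cls()
        for name, fields in parse_sections(conf):
            if name != "Peer":
                continue
            if "PublicKey" not in fields:
                raise ValueError("[Peer] section without PublicKey")
            for entry in fields.get("AllowedIPs", []):
                for cidr in entry.split(","):
                    router.add_allowed_ip(fields["PublicKey"][0], cidr.strip())
        return router

    def add_allowed_ip(self, pubkey: str, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        owner = self.table.get(net)
        if owner is not None and owner != pubkey:
            # wg does the same: the prefix is silently taken away from the
            # earlier peer, which is almost always a misconfiguration.
            self.moved.append((cidr, owner, pubkey))
        self.table[net] = pubkey

    def route_outbound(self, dst: str) -> Optional[str]:
        """Longest-prefix match: the peer an outgoing packet to dst is
        encrypted for, or None when no peer owns the address (dropped)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, pubkey in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, pubkey)
        return None if best is None else best[1]

    def accept_inbound(self, pubkey: str, inner_src: str) -> bool:
        """A decrypted packet is delivered only if its inner source address
        maps back to the peer it came from; anything else is dropped."""
        return self.route_outbound(inner_src) == pubkey
```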
<br />
{{Note|Users of [[NetworkManager]] may need to [[enable]] {{ic|NetworkManager-wait-online.service}}, and users of [[systemd-networkd]] may need to [[enable]] {{ic|systemd-networkd-wait-online.service}}, so that the WireGuard connection is only attempted once the network devices are ready.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic (replace {{ic|10.0.0.203}} with the tunnel address of the listening peer):<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.203 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring Wireguard from [[NetworkManager]], make sure that NetworkManager is not managing the Wireguard interface:<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg0<br />
}}<br />
<br />
=== Connection loss with NetworkManager ===<br />
<br />
On desktop systems, connection loss can occur when all traffic is tunneled through a WireGuard interface: typically, the connection seems to drop after a while or after connecting to a new access point.<br />
<br />
By default ''wg-quick'' uses a resolvconf provider such as [[openresolv]] to register new [[DNS]] entries (i.e. the {{ic|DNS}} keyword in the configuration file). However, [[NetworkManager]] does not use resolvconf by default: every time a new [[DHCP]] lease is acquired, [[NetworkManager]] overwrites the global DNS addresses with the DHCP-provided ones, which might not be reachable through the tunnel.<br />
<br />
==== Using resolvconf ====<br />
<br />
If resolvconf is already used by the system and connection losses persist, make sure NetworkManager is configured to use it: [[NetworkManager#Use openresolv]].<br />
<br />
==== Using dnsmasq ====<br />
<br />
See [[Dnsmasq#openresolv]] for configuration.<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU is too low (below 1280), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU value in the {{ic|[Interface]}} section of the client's WireGuard configuration:<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for the WireGuard protocol and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
To prevent leaking private keys, restrict the permissions of the ''.netdev'' files so that only root and the {{ic|systemd-network}} group can read them:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [FOO's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = [BAR's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [FOO's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [BAR's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, for example with {{pkg|pass}}. Just replace the {{ic|PrivateKey}} line under {{ic|[Interface]}} in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address (due to DHCP, DynDNS, IPv6 prefix changes, ...), any WireGuard client will lose its connection until its endpoint is updated with something like {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware that if the endpoint ever changes its address (for example when moving to a new provider or datacenter), just updating DNS will not be enough, so periodically running reresolve-dns makes sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, which parses WireGuard configuration files and automatically resets the endpoint address.<br />
<br />
Run {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP.<br />
<br />
One way of doing so is by updating all WireGuard endpoints once every thirty seconds[https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to generate a QR code of the client's configuration and display it in the terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]</div>Rfrailehttps://wiki.archlinux.org/index.php?title=WireGuard&diff=590584WireGuard2019-11-30T15:00:45Z<p>Rfraile: Add info about NAT</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:Wireguard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|As of November 2019, it is looking like Wireguard could be [[https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-RFC-Looking-Like-5.6 mainlined]] as soon as kernel version 5.6.}}<br />
{{Tip|[[systemd-networkd]] has native support for setting up Wireguard interfaces since version 237. See [[#Using systemd-networkd]] for details.}}<br />
<br />
== Usage ==<br />
<br />
The below commands demonstrate how to setup a basic tunnel between two peers with the following settings:<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! Wireguard listening port<br />
| UDP/48574<br />
| UDP/39814<br />
|}<br />
<br />
The external addresses should already exist. For example, peer A should be able to ping peer B via {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses will be new addresses created by the {{man|8|ip}} commands below and will be shared internally within the new WireGuard network using {{man|8|wg}}. The {{ic|/24}} in the IP addresses is the [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]].<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.<br />
<br />
# wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 48574 and will accept connection from peer B by linking its public key with both its inner and outer IPs addresses.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 48574 private-key ./privatekey<br />
# wg set wg0 peer [Peer B public key] persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:39814<br />
# ip link set wg0 up<br />
<br />
{{ic|[Peer B public key]}} should have the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The keyword {{ic|allowed-ips}} is a list of addresses that peer A will be able to send traffic to; {{ic|allowed-ips 0.0.0.0/0}} would allow sending traffic to any IPv4 address, {{ic|::/0}} allows sending traffic to any IPv6 address.<br />
<br />
=== Peer B setup ===<br />
<br />
As with peer A, whereas the wireguard daemon is listening on the UDP port 39814 and accept connection from peer A only.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 39814 private-key ./privatekey<br />
# wg set wg0 peer [Peer A public key] persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:48574<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameter will give a quick overview of the current configuration.<br />
<br />
As an example, when Peer A has been configured we are able to see its identity and its associated peers:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 48574<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:39814<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point one could reach the end of the tunnel:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The configuration can be saved by utilizing {{ic|showconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = [CLIENT PRIVATE KEY]<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = [SERVER ENDPOINT]:48574<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|Usage of the terms "server" and "client" are used here specifically for newcomers to WireGuard and for current users of OpenVPN to help familiarize with the construction of configuration files. WireGuard documentation simply refers to both of these concepts as "peers."}}<br />
<br />
The purpose of this section is to setup a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted and secured tunnel like [[OpenVPN]] and others. The server runs on Linux and the clients can run any number of platforms (the WireGuard Project offers apps on both iOS and Android platforms in addition to Linux, Windows and MacOS). See the official project [https://www.wireguard.com/install/ install link] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
If the server have the public IP configured, be sure to:<br />
<br />
* Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on 51820/udp).<br />
* Setup the forwarding policy for the firewall if it is not included in the WireGuard config for the interface itself {{ic|/etc/wireguard/wg0.conf}}. The example below should have the iptables rules and work as-is.<br />
<br />
<br />
If the server is behind NAT, be sure to:<br />
<br />
* NAT from the router the UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on 51820/udp) to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# if the server is behind a nat, this iptables rules aren't needed<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = [FOO'S PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = [BAR'S PUBLIC KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the {{ic|PublicKey}} to be set. However, specifying {{ic|PresharedKey}} is optional.<br />
<br />
The interface can be managed manually using {{man|8|wg-quick}} or using a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface may be brought up using {{ic|wg-quick up wg0}} respectively by [[start|starting]] and potentially [[enable|enabling]] the interface via {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To close the interface use {{ic|wg-quick down wg0}} respectively [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = [BAR'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.address.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
<br />
{{Note|Users of [[NetworkManager]], may need to [[enable]] the {{ic|NetworkManager-wait-online.service}} and users of [[systemd-networkd]] may need to [[enable]] the {{ic|systemd-networkd-wait-online.service}} to wait until devices are network ready before attempting wireguard connection.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic:<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.203 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring Wireguard from [[NetworkManager]], make sure that NetworkManager is not managing the Wireguard interface:<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg0<br />
}}<br />
<br />
=== Connection loss with NetworkManager ===<br />
<br />
On desktop, connection loss can be experienced when all the traffic is tunneled through a Wireguard interface: typically, the connection is seemingly lost after a while or upon new connection to an access point.<br />
<br />
By default ''wg-quick'' uses a resolvconf provider such as [[openresolv]] to register new [[DNS]] entries (i.e. {{ic|DNS}} keyword in the configuration file). However [[NetworkManager]] does not use resolvconf by default: every time a new [[DHCP]] lease is acquired, [[NetworkManager]] overwrites the global DNS addresses with the DHCP-provided ones which might not be available through the tunnel.<br />
<br />
==== Using resolvconf ====<br />
<br />
If resolvconf is already used by the system and connection losses persist, make sure NetworkManager is configured to use it: [[NetworkManager#Use openresolv]].<br />
<br />
==== Using dnsmasq ====<br />
<br />
See [[Dnsmasq#openresolv]] for configuration.<br />
<br />
=== Low MTU ===<br />
<br />
Due to too low MTU (lower than 1280), wg-quick may have failed to create the Wireguard interface. This can be solved by setting the MTU value in Wireguard configuration in Interface section on client.<br />
{{hc|/foo.config|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = [FOO'S PRIVATE KEY]<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard protocols and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
In order to prevent leak of private keys, it is recommended to set the permissions of the ''.netdev'' file:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = [SERVER PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [FOO's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = [BAR's PUBLIC KEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [FOO's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = Wireguard<br />
<br />
[WireGuard]<br />
PrivateKey = [BAR's PRIVATE KEY]<br />
<br />
[WireGuardPeer]<br />
PublicKey = [SERVER PUBLICKEY]<br />
PresharedKey = [PRE-SHARED KEY]<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.address.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, for example with {{Pkg|pass}}. Replace the {{ic|PrivateKey}} line under {{ic|[Interface]}} in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address (because of DHCP, dynamic DNS, IPv6 and so on), every WireGuard client will lose its connection until its endpoint is updated, for example with {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware that if the endpoint ever changes its address (for example when moving to a new provider or datacenter), updating DNS alone will not be enough, so periodically running reresolve-dns makes sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, that parses WireGuard configuration files and sets the endpoint address again so that its hostname is resolved afresh.<br />
<br />
Run {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP address.<br />
<br />
One way of doing so is to update all WireGuard endpoints once every thirty seconds [https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
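The shipped script's handshake-age approach, re-implemented in Python as an added example (this is not {{ic|reresolve-dns.sh}} itself): peers with a DNS-named {{ic|Endpoint}} whose latest handshake is older than a stale threshold get their endpoint set again, which makes {{ic|wg}} resolve the name afresh. The peer keys, endpoints and handshake output in it are constructed placeholders.<br />

```python
"""Added example, not the reresolve-dns.sh shipped with wireguard-tools: its
handshake-age approach in Python. A [Peer] whose Endpoint is a DNS name gets the
endpoint set again (which makes wg(8) resolve the name afresh) once its latest
handshake is older than STALE_AFTER."""
import ipaddress
import os
import re
import subprocess
import time

# Past this age (seconds) the peer is no longer reachable at the address in
# use; WireGuard rekeys about every two minutes while traffic flows.
STALE_AFTER = 135

SECTION_RE = re.compile(r"^\s*\[(?P<name>\w+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$")

def parse_peers(config_text):
    """Return [(public_key, endpoint)] for each [Peer] that sets an Endpoint."""
    peers, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "# foo"
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if current and "PublicKey" in current and "Endpoint" in current:
                peers.append((current["PublicKey"], current["Endpoint"]))
            current = {} if m.group("name") == "Peer" else None
            continue
        kv = KV_RE.match(line)
        if current is not None and kv:
            current[kv.group("key")] = kv.group("value")
    if current and "PublicKey" in current and "Endpoint" in current:
        peers.append((current["PublicKey"], current["Endpoint"]))
    return peers

def is_dns_name(endpoint):
    """True when the host of host:port or [v6]:port is not an IP literal."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False

def parse_handshakes(wg_output):
    """`wg show IFACE latest-handshakes` prints pubkey<TAB>unix-seconds per
    line (0 if there has never been a handshake); map pubkey -> seconds."""
    stamps = {}
    for line in wg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            stamps[parts[0]] = int(parts[1])
    return stamps

def plan_resets(config_text, wg_output, now=None):
    """(pubkey, endpoint) pairs that need `wg set ... endpoint` again: only
    DNS-named endpoints can go stale through an IP change, and only a peer
    whose last handshake is older than STALE_AFTER counts as lost."""
    now = time.time() if now is None else now
    stamps = parse_handshakes(wg_output)
    return [(key, ep) for key, ep in parse_peers(config_text)
            if is_dns_name(ep) and now - stamps.get(key, 0) >= STALE_AFTER]

def reresolve(config_path):
    """Run the plan against the live interface, named after the config file
    as wg-quick does (/etc/wireguard/wg0.conf -> wg0)."""
    iface = os.path.splitext(os.path.basename(config_path))[0]
    with open(config_path, encoding="utf-8") as fh:
        config_text = fh.read()
    shown = subprocess.run(["wg", "show", iface, "latest-handshakes"],
                           check=True, capture_output=True, text=True).stdout
    for key, ep in plan_resets(config_text, shown):
        subprocess.run(["wg", "set", iface, "peer", key, "endpoint", ep], check=True)

# Constructed sample input with placeholder keys: one DNS endpoint (as in the
# page's client config) and one literal IP endpoint that never needs a reset.
SERVER_KEY = "SERVERKEYPLACEHOLDER0000000000000000000000000="
OTHER_KEY = "OTHERKEYPLACEHOLDER00000000000000000000000000="
SAMPLE_CONF = f"""[Interface]
PrivateKey = [FOO'S PRIVATE KEY]
Address = 10.200.200.2/24

[Peer]
PublicKey = {SERVER_KEY}
Endpoint = my.ddns.address.com:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = {OTHER_KEY}
Endpoint = 203.0.113.102:39814
AllowedIPs = 10.0.0.1/32
"""

def sample_handshakes(now, server_age, other_age):
    """Fake `wg show wg0 latest-handshakes` output for the two sample peers."""
    return f"{SERVER_KEY}\t{int(now - server_age)}\n{OTHER_KEY}\t{int(now - other_age)}\n"
```

Calling {{ic|reresolve("/etc/wireguard/wg0.conf")}} from the timer's service in place of the shell script needs root, since both {{ic|wg show}} and {{ic|wg set}} do.<br />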
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to encode the client's configuration as a QR code and display it in the terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]</div>Rfrailehttps://wiki.archlinux.org/index.php?title=WireGuard&diff=590583WireGuard2019-11-30T14:49:19Z<p>Rfraile: Add info about server behind nat</p>
Rfrailehttps://wiki.archlinux.org/index.php?title=Synchronization_and_backup_programs&diff=379451Synchronization and backup programs2015-06-19T08:23:41Z<p>Rfraile: </p>
<hr />
<div>[[Category:Data compression and archiving]]<br />
[[Category:System recovery]]<br />
[[de:Backups]]<br />
[[ja:バックアッププログラム]]<br />
[[ru:Backup programs]]<br />
{{Related articles start}}<br />
{{Related|Full system backup with rsync}}<br />
{{Related|Full System Backup with tar}}<br />
{{Related|Disk cloning}}<br />
{{Related|Snapper}}<br />
{{Related articles end}}<br />
This wiki page contains information about various backup programs. It's a good idea to ''have'' regular backups of important data, most notably configuration files ({{Ic|/etc/*}}) and the local pacman database (usually {{Ic|/var/lib/pacman/local/*}}).<br />
<br />
== Introduction ==<br />
Before you start trying various programs out, try to think about your needs, e.g. consider the following questions:<br />
* What backup medium do I have available? (CD, DVD, remote server, external hard drive, etc.)<br />
* How often do I plan to back up? (daily, weekly, monthly, etc.)<br />
* What features do I expect from the backup solution? (compression, encryption, handles renames, etc.)<br />
* How do I plan to restore backups if needed?<br />
<br />
== Incremental backups ==<br />
Applications that can do incremental backups remember and take into account what data has been backed up during the last run and eliminate the need to have duplicates of unchanged data. Restoring the data to a certain point in time would require locating the last full backup and all the incremental backups from then to the moment when it is supposed to be restored. This sort of backup is useful for those who do it very often.<br />
<br />
=== Rsync-type backups ===<br />
The main characteristic of this type of backup is that it maintains a copy of the directory you want to back up, in a traditional "mirror" fashion.<br />
<br />
Certain rsync-type packages also do snapshot backups by storing files which describe how the contents of files and folders changed from the last backup (so-called 'diffs'). Hence, they are inherently incremental, but usually they do not have compression or encryption. On the other hand, a working copy of everything is immediately available, no decompression/decryption needed. A downside to rsync-type programs is that they cannot be easily burned and restored from a CD or DVD.<br />
<br />
==== Console ====<br />
* {{App|[[rsync]]|A file transfer program to keep remote files in sync.<br />
** rsync almost always makes a mirror of the source.<br />
** It is possible to restore a full backup before the most recent backup if hardlinks are allowed in the backup file system. See [http://www.ibm.com/developerworks/aix/library/au-spunix_rsync/index.html#backup Back up your data with rsync] for more information.<br />
** If hard links are not allowed, it is impossible to restore a full backup before the most recent backup (but you can use --backup to keep old versions of the files).<br />
** Standard install on all distros.<br />
** Can run over SSH (port 22) or native rsync protocol (port 873).<br />
** Win32 version available.<br />
|http://rsync.samba.org/|{{Pkg|rsync}}}}<br />
<br />
* {{App|[[Wikipedia:Rsync#Variations|rdiff-backup]]|A utility for local/remote mirroring and incremental backups.<br />
** Stores the most recent backup as regular files.<br />
** To revert to older versions, you apply the diff files to recreate the older versions.<br />
** It is granularly incremental (delta backup): it only stores changes to a file and will not create a new copy of a file upon change.<br />
** Win32 version available.<br />
|http://www.nongnu.org/rdiff-backup/|{{Pkg|rdiff-backup}}}}<br />
<br />
* {{App|[[rsnapshot]]|A remote filesystem snapshot utility.<br />
** Does not store diffs, instead it copies entire files if they have changed.<br />
** Creates hard links between a series of backed-up trees (snapshots).<br />
** It is differential in that the size of the backup is only the original backup size plus the size of all files that have changed since the last backup.<br />
** Destination filesystem must support hard links.<br />
** Win32 version available.<br />
|http://www.rsnapshot.org/|{{Pkg|rsnapshot}}}}<br />
<br />
* {{App|SafeKeep|A client/server backup system which uses rdiff-backup.<br />
** Integrates with Linux LVM and databases to create consistent backups.<br />
** Bandwidth throttling.<br />
|http://safekeep.sourceforge.net/|{{AUR|safekeep}}}}<br />
<br />
* {{App|Link-Backup|A tool similar to rsync based scripts, but which does not use rsync. NOTE: no upstream activity since 2008. <br />
** Creates hard links between a series of backed-up trees (snapshots).<br />
** Intelligently handles renames, moves, and duplicate files without additional storage or transfer.<br />
** The backup directory contains {{ic|.catalog}}, a catalog of all unique file instances; backup trees hard-link to this catalog.<br />
** Transfer occurs over standard I/O locally or remotely between a client and server instance of this script.<br />
** It copies itself to the server; it does not need to be installed on the server.<br />
** Requires SSH for remote backups.<br />
** It resumes stopped backups; it can even be told to run for an arbitrary number of minutes.<br />
|http://www.scottlu.com/Content/Link-Backup.html|{{AUR|link-backup}}}}<br />
<br />
* {{App|[[Wikipedia:Unison (file synchronizer)|Unison]]|A program that synchronizes files between two machines over network (LAN or Inet) using a smart diff method + rsync. Allows the user to interactively choose which changes to push, pull, or merge.|http://www.cis.upenn.edu/~bcpierce/unison/|{{Pkg|unison}}}}<br />
<br />
* {{App|rsync-snapshot.sh|Another rsync shellscript with smart rotation (non-linear distribution) of backups. Integrity protection, Quotas, Rules and many more features.|http://blog.pointsoftware.ch/index.php/howto-local-and-remote-snapshot-backup-using-rsync-with-hard-links/}}<br />
<br />
* {{App|osync.sh|Osync is a robust bidirectional file synchronization tool written in bash and based on rsync. It works on local and/or remote directories via ssh tunnels. It is mainly intended to be launched as a cron task, with automation-oriented features including:<br />
** Execution time control<br />
** Fault tolerance with possibility to resume on error<br />
** Soft deletion, on-conflict backups with automatic cleanup<br />
** Alert notifications via email<br />
** Before and /or after time controlled local and / or remote command execution<br />
** File monitor mode<br />
|http://www.netpower.fr/osync}}<br />
<br />
* {{App|gutbackup|The simplest rsync wrapper for backing up a Linux system.|https://github.com/gutenye/gutbackup|{{AUR|gutbackup}}}}<br />
<br />
* {{App|trinkup|A 60-line bash script that keeps a specified number of incremental backups using rsync and {{ic|cp -al}} to minimize the amount of disk operations.|https://gist.github.com/ei-grad/7610406/raw/trinkup|{{AUR|trinkup}}}}<br />
<br />
* {{App|keepconf|A wrapper over rsync and git, easy and simple to use.|https://github.com/rfrail3/keepconf}}<br />
<br />
==== Graphical ====<br />
* {{App|[[Wikipedia:Areca Backup|Areca Backup]]|An easy to use and reliable backup solution for Linux and Windows.<br />
** Written in Java.<br />
** Primarily archive-based (zip), but will do file-based backup as well.<br />
** Delta backup supported (stores only changes).<br />
|http://areca.sourceforge.net/|{{AUR|areca}}}}<br />
<br />
* {{App|[[BackupPC]]|A high-performance, enterprise-grade system for backing up Unix, Linux, Windows, and Mac OS X desktops and laptops to a remote server.<br />
** Deduplication: Identical files across multiple backups of the same or different PCs are stored only once resulting in substantial savings in disk storage and disk I/O.<br />
** Optional compression support further reducing disk storage.<br />
** No client-side software is needed.<br />
** Simple but powerful web-based UI.<br />
|http://backuppc.sourceforge.net/index.html|{{Pkg|backuppc}}}}<br />
<br />
* {{App|[[Back In Time]]|A simple backup tool for Linux inspired by the [[Wikipedia:FlyBack|FlyBack]] and [https://wiki.ubuntu.com/TimeVault/ TimeVault] projects.<br />
** Creates hard links between a series of backed-up trees (snapshots).<br />
** Really is just a front-end to {{ic|rsync}}, {{ic|diff}}, {{ic|cp}}.<br />
** A new snapshot is created only if something changed since the last snapshot.<br />
|http://backintime.le-web.org/|{{AUR|backintime}} or as a prebuilt package from [http://arch.coderkun.de/ coderkun's repo]}}<br />
<br />
* {{App|[[Wikipedia:FlyBack|FlyBack]]|A clone of Apple's [[Wikipedia:Time Machine (Mac OS)|Time Machine]], a backup utility for Mac OS X.|http://www.flyback-project.org/|{{AUR|flyback}}}}<br />
<br />
* {{App|Free File Sync|Free File Sync synchronizes files and folders on Windows, Linux and Mac OS X. It is designed to save time setting up and running backup jobs while giving visual feedback along the way.<br />
|http://freefilesync.sourceforge.net/|{{AUR|freefilesync}}}}<br />
<br />
* {{App|Grsync|GTK+ interface to rsync|http://www.opbyte.it/grsync/|{{Pkg|grsync}}}}<br />
<br />
* {{App|[[Wikipedia:LuckyBackup|luckyBackup]]|An easy program to backup and sync your files.<br />
** It is written in Qt and C++.<br />
** It has sync, backup (with include and exclude options) and restore capabilities.<br />
** It can do remote connection backups, scheduled backups.<br />
** A command line mode.<br />
|http://luckybackup.sourceforge.net/index.html|{{AUR|luckybackup}}}}<br />
<br />
* {{App|syncBackup|A front-end for rsync that provides a fast copying tool. It offers the most common options controlling rsync's behavior and permits very flexible specification of the set of files to be copied.<br />
|http://www.darhon.com/syncbackup|{{AUR|syncbackup}}}}<br />
<br />
* {{App|TimeShift|TimeShift is a system restore utility which takes incremental snapshots of the system using rsync and hard-links. These snapshots can be restored at a later date to undo all changes that were made to the system after the snapshot was taken. Snapshots can be taken manually or at regular intervals using scheduled jobs.<br />
|https://launchpad.net/timeshift|{{AUR|timeshift}}}}<br />
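<br />
The snapshot scheme that trinkup, Back In Time and TimeShift above share (rsync plus hard links, so every snapshot is a complete tree but a file unchanged since the previous snapshot is stored only once) as an added example in POSIX shell. This is not code from the wiki or from any of those projects; the {{ic|snap-NNNNNN}} naming, the counter and the retention policy are assumptions of the example.<br />

```shell
#!/bin/sh
# Added example, not taken from trinkup, Back In Time or TimeShift:
# rotating snapshots where every snapshot is a complete directory tree,
# but files unchanged since the previous snapshot are hard links to it,
# so only changed files cost disk space. The snapshot names, the counter
# and the retention policy are assumptions of this example.
set -eu

# snapshot SRC_DIR BACKUP_ROOT KEEP
# Writes BACKUP_ROOT/snap-NNNNNN as a mirror of SRC_DIR, hard-linking
# unchanged files against the newest existing snapshot, then removes the
# oldest snapshots so that at most KEEP remain. Prints the new snapshot path.
snapshot() {
    src=$1; root=$2; keep=$3
    mkdir -p "$root"
    # --link-dest is resolved relative to the destination, not to the
    # current directory, so always hand rsync an absolute path.
    root=$(cd "$root" && pwd)

    # newest existing snapshot; zero-padded names sort chronologically
    prev=$(ls "$root" | grep '^snap-' | sort | tail -n 1 || true)
    if [ -n "$prev" ]; then
        # strip leading zeros so the shell does not read the number as octal
        last=$(printf '%s' "${prev#snap-}" | sed 's/^0*//')
        n=$(( ${last:-0} + 1 ))
    else
        n=1
    fi
    new=$root/$(printf 'snap-%06d' "$n")

    if [ -n "$prev" ]; then
        # files identical to the previous snapshot become hard links into it;
        # --delete keeps the new tree an exact mirror of the source
        rsync -a --delete --link-dest="$root/$prev" "$src/" "$new/"
    else
        rsync -a "$src/" "$new/"
    fi

    # retention: delete the oldest snapshots beyond KEEP
    count=$(ls "$root" | grep -c '^snap-' || true)
    excess=$(( count - keep ))
    if [ "$excess" -gt 0 ]; then
        ls "$root" | grep '^snap-' | sort | head -n "$excess" |
        while read -r old; do rm -rf "$root/$old"; done
    fi
    printf '%s\n' "$new"
}
```

Restoring is a plain copy out of the snapshot directory, so no special tool is needed. Two caveats a practitioner should keep in mind: {{ic|--link-dest}} links a file only when size, mtime, permissions and ownership all match, so a metadata-only change costs a full copy; and because hard-linked files share one inode, a file that is corrupted in place on the backup disk (rather than replaced) is corrupted in every snapshot that links it, so this scheme protects against deletion and bad edits, not against media errors.<br />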
<br />
=== Other backups ===<br />
Most other backup applications tend to create (big) archive files and keep track of what has been archived. Creating {{ic|.tar.bz2}} or {{ic|.tar.gz}} archives has the advantage that you can extract the backups with just tar/bzip2/gzip, so you do not need to have the backup program around in order to restore.<br />
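<br />
An added example of the archive-based approach this section describes, written in POSIX shell; it is not code from the wiki or from any of the programs listed below. It creates a plain {{ic|.tar.gz}} that any tar can extract, writes a SHA-256 manifest next to it, and refuses to restore an archive whose checksum no longer matches or whose member names would escape the target directory. The function names and the file layout are the example's own assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the wiki or any listed backup program:
# archive-based backup that stays restorable with plain tar/gzip, plus
# a SHA-256 manifest so a tampered or truncated archive is detected
# before it is ever extracted. Function names and layout are assumptions.
set -eu

# sha256sum on GNU systems, shasum on BSD/macOS; both accept -c
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# make_archive SRC_DIR DEST_DIR NAME
# Creates DEST_DIR/NAME.tar.gz from SRC_DIR and DEST_DIR/NAME.sha256
# beside it. Prints the archive path.
make_archive() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest"
    archive="$dest/$name.tar.gz"
    # -C and "." store relative member names, so a later restore cannot
    # write to arbitrary absolute paths on the host
    tar -czf "$archive" -C "$src" .
    ( cd "$dest" && _sha256 "$name.tar.gz" > "$name.sha256" )
    printf '%s\n' "$archive"
}

# verify_archive ARCHIVE
# Returns 0 if the archive matches its manifest, non-zero otherwise.
verify_archive() {
    archive=$1
    dir=$(dirname "$archive"); base=$(basename "$archive" .tar.gz)
    ( cd "$dir" && _sha256 -c "$base.sha256" ) >/dev/null 2>&1
}

# restore_archive ARCHIVE TARGET_DIR
# Refuses to extract unless the checksum matches, and refuses members
# whose names are absolute or contain ".." (a path-traversal archive).
restore_archive() {
    archive=$1; target=$2
    if ! verify_archive "$archive"; then
        echo "checksum mismatch, refusing to restore: $archive" >&2
        return 1
    fi
    if tar -tzf "$archive" | grep -Eq '(^|/)\.\.(/|$)|^/'; then
        echo "archive contains unsafe member paths: $archive" >&2
        return 1
    fi
    mkdir -p "$target"
    tar -xzf "$archive" -C "$target"
}
```

The manifest only detects accidental damage and casual tampering: anyone who can rewrite the archive can rewrite the {{ic|.sha256}} file next to it. For an integrity guarantee against an attacker with write access to the backup store, keep the manifest somewhere the backup host cannot modify, or sign it (for example with gpg, as hdup and Duplicity below do for the archive itself).<br />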
<br />
==== Console ====<br />
* {{App|Arch Backup|A trivial backup script with simple configuration.<br />
** Configurable compression method.<br />
** Multiple backup targets.<br />
|http://code.google.com/p/archlinux-stuff/|{{Pkg|arch-backup}}{{Broken package link|package not found}}}}<br />
<br />
* {{App|[[Backup with hdup|hdup]]|A very simple command line backup tool.<br />
** Creates tar.gz or tar.bz2 archives.<br />
** Supports gpg encryption.<br />
** Supports pushing over SSH.<br />
** Multiple backup targets.<br />
|http://miek.nl/projects/hdup2/|{{AUR|hdup}}}}<br />
<br />
* {{App|rdup|A platform for backups that provides scripts to facilitate backups and delegates the encryption, compression, transfer and packaging to other utilities in a true Unix-way.<br />
** Creates tar.gz archives or rsync-type copy.<br />
** Encryption (gpg, blowfish and others); also applies for rsync-type copy.<br />
** Compression (also for rsync-type copy).<br />
|http://miek.nl/projects/rdup|{{AUR|rdup}}}}<br />
<br />
* {{App|[[Duplicity]]|A simple command-line utility which allows encrypted compressed incremental backup to nearly any storage.<br />
** Supports gpg encryption and signing.<br />
** Supports gzip compression.<br />
** Supports full or incremental backups, incremental backup stores only difference between new and old file.<br />
** Supports pushing over FTP, SSH, rsync, WebDAV, WebDAVs, HSi and Amazon S3 or local filesystem.<br />
|http://www.nongnu.org/duplicity/|{{Pkg|duplicity}}}}<br />
<br />
* {{App|[[Wikipedia:DAR (Disk Archiver)|DAR]]|A full-featured command-line backup tool, short for Disk ARchive.<br />
** It uses its own format for archives (so you need to have it around when you want to restore).<br />
** Supports splitting backups into more files by size.<br />
** Makefile-type config files, some custom scripts are available along with it.<br />
** Supports basic encryption.<br />
** Automatic backup using [[cron]] is possible with {{AUR|sarab}}.<br />
|http://dar.linux.free.fr/|{{AUR|dar}} {{AUR|kdar}} (frontend)}}<br />
<br />
* {{App|Manent|An algorithmically strong backup and archival program. NOTE: no upstream activity since 2009.<br />
** Efficient backup to anything that looks like a storage.<br />
** Works well over a slow and unreliable network.<br />
** Offers online access to the contents of the backup.<br />
** Backed up storage is completely encrypted.<br />
** Several computers can use the same storage for backup, automatically sharing data.<br />
** Not reliant on timestamps of the remote system to detect changes.<br />
** Cross-platform support for Unicode file names.<br />
|http://code.google.com/p/manent/|{{AUR|manent}}}}<br />
<br />
* {{App|btar|tar-compatible archiver<br />
** Fast archive creation (multicore compression or ciphering)<br />
** Arbitrary chain of compression/ciphers (calls any compression/ciphering programs)<br />
** Indexed archive retrieval or listing<br />
** Redundancy<br />
** Serialization through pipes (and only one file per backup)<br />
** Can be extracted or checked with gnutar<br />
** Differential backups of multiple levels<br />
** Optional encoding of big files with rsync-differences<br />
|http://viric.name/cgi-bin/btar|{{AUR|btar}}}}<br />
<br />
* {{App|burp|Burp is a network backup and restore program.<br />
** Uses librsync to save network traffic and to reduce the amount of space used by each backup.<br />
** Uses VSS (Volume Shadow Copy Service) to take snapshots when backing up Windows computers.<br />
** Deduplication.<br />
** SSL/TLS connections.<br />
** Automates the generation of SSL certificates.<br />
** Data encryption.<br />
** Documented security models [http://burp.grke.org/txt/security-models.txt].<br />
|http://burp.grke.org|{{AUR|burp-backup}}}}<br />
<br />
* {{App|obnam|Easy, secure backup program<br />
** Snapshot backups. Every generation looks like a complete snapshot.<br />
** Data chunk de-duplication, across files, and backup generations. This results in incremental backups.<br />
** Optionally encrypted backups, using GnuPG.<br />
** FUSE mountable backup repository.<br />
|http://liw.fi/obnam/|{{AUR|obnam}}}}<br />
<br />
* {{App|System Tar & Restore|Backup and Restore your system using tar or Transfer it with rsync<br />
** CLI and Dialog interfaces<br />
** Easy backup and restore wizards<br />
** Creates ''.tar.gz'', ''.tar.bz2'', ''.tar.xz'' or ''.tar'' archives<br />
** Supports openssl / gpg encryption<br />
** Uses rsync to transfer a running system<br />
** Supports Grub2 and Syslinux<br />
|https://github.com/tritonas00/system-tar-and-restore|{{AUR|system-tar-and-restore}}}}<br />
<br />
* {{App|Packrat|A simple, modular backup system using [[Wikipedia:DAR (Disk Archiver)|DAR]]<br />
** Full or incremental backups stored locally, on a remote system via SSH, or on Amazon S3<br />
|http://www.zeroflux.org/projects|{{AUR|packrat}}}}<br />
<br />
* {{App|Attic|A deduplicating backup program for efficient and secure backups.<br />
** Space efficient storage: Variable block size deduplication is used to reduce the number of bytes stored by detecting redundant data.<br />
** Optional data encryption: all data can be protected using 256-bit AES encryption, and data integrity and authenticity are verified using HMAC-SHA256.<br />
** Off-site backups: Any data can be stored on any remote host accessible over SSH (as long as Attic is installed).<br />
** Backups mountable as filesystems: Backup archives are mountable as userspace filesystems for easy backup verification and restores.<br />
|https://github.com/jborg/attic/|{{AUR|attic}}}}<br />
<br />
* {{App|Snebu|File-level deduplicating snapshot backup with SQLite3 catalog db.<br />
** Functionally similar to rsync/snapshot style backups, however doesn't use hardlinks in the filesystem.<br />
** Backed up files are stored in lzop-compatible files, in the designated "vault" directory.<br />
** Metadata stored in SQLite3 db, linking backup sets to file metadata to compressed files in the vault.<br />
** Supports arbitrary retention schedules (such as daily/weekly/monthly) which can be individually expired<br />
|http://www.snebu.com|{{AUR|snebu}}}}<br />
<br />
* {{App|ZBackup|A globally-deduplicating backup tool, based on the ideas found in rsync.<br />
** Parallel LZMA or LZO compression of the stored data<br />
** Built-in AES encryption of the stored data<br />
** Possibility to delete old backup data<br />
** Use of a 64-bit rolling hash, keeping the amount of soft collisions to zero<br />
** Repository consists of immutable files. No existing files are ever modified<br />
** Possibility to exchange data between repos without recompression<br />
|http://zbackup.org/|{{AUR|zbackup}}}}<br />
<br />
==== Graphical ====<br />
* {{App|Backerupper|A simple program for backing up selected directories over a local network. Its main intended purpose is backing up a user's personal data.<br />
** Creates {{ic|.tar.gz}} archives.<br />
** Configurable backup frequency, backup time and max copies.<br />
|http://sourceforge.net/projects/backerupper/|{{AUR|backerupper}}}}<br />
<br />
* {{App|[[Duplicity|Déjà Dup]]|A simple GTK+ backup program. It hides the complexity of doing backups the 'right way' (encrypted, off-site, and regular) and uses duplicity as the backend.<br />
** Automatic, timed backup configurable in GUI.<br />
** Restore wizard.<br />
** Integrated into the GNOME Files file manager.<br />
** Inherits several features of duplicity.<br />
|https://launchpad.net/deja-dup|{{Pkg|deja-dup}}}}<br />
<br />
* {{App|Synkron|A folder synchronization tool.<br />
** Syncs multiple folders.<br />
** Can exclude files from sync based on wildcards.<br />
** Restores files.<br />
** Cross-platform support.<br />
|http://synkron.sourceforge.net/|{{AUR|synkron}}}}<br />
<br />
==== Console and graphical ====<br />
<br />
* {{App|[[Wikipedia:Bacula|Bacula]]|A client-server enterprise level computer backup system for heterogeneous networks.<br />
** This is the Swiss army knife of backup solutions.<br />
** Can be run on a single machine or used to back up an entire network.<br />
** Supports Linux, UNIX, Windows, and Mac OS X backup clients.<br />
** Supports a variety of backup devices, including tape libraries.<br />
** Can be used to backup to multiple removable storage devices.<br />
** Provides or supports command line console, GUI, and web interfaces.<br />
** The back-end is a catalog stored in MySQL, PostgreSQL, or SQLite.<br />
** Provides extensive documentation.<br />
** Appears to be the most downloaded open source backup solution<br />
|http://www.bacula.org|{{AUR|bacula-common}}}}<br />
<br />
== Cloud backups ==<br />
<br />
See also [[Wikipedia:Comparison of online backup services]].<br />
<br />
* {{App|[[Wikipedia:Barracuda_Networks#Products|Copy]]|A fair solution to shared folders.<br />
** 15GB free.<br />
** Shared folder size is split between the people sharing it.<br />
** Daemon to sync files between the cloud and the computer.<br />
** Almost any platform supported.<br />
** Offers AES-256 encryption.<br />
|https://www.copy.com/home/|{{AUR|copy-agent}}}}<br />
<br />
* {{App|[[CrashPlan]]|An online/offsite backup solution.<br />
** Unlimited online space for very reasonable pricing.<br />
** Automatic and incremental backups to multiple destinations.<br />
** Intuitive GUI.<br />
** Offers encryption and de-duplication.<br />
** Software is free for local use.<br />
** A restore prevents backing up at the same time.<br />
|http://www.crashplan.com/|{{AUR|crashplan}}}}<br />
<br />
* {{App|[[Dropbox]]|A popular file-sharing service.<br />
** A daemon monitors a specified directory, and uploads incremental changes to dropbox.com. <br />
** Changes automatically show up on your other computers. <br />
** Includes file sharing and a public directory. <br />
** You can recover deleted files. <br />
** Community written add-ons. <br />
** Free accounts have 2GB storage.<br />
|http://www.dropbox.com|{{AUR|dropbox}} {{AUR|nautilus-dropbox}}}}<br />
<br />
* {{App|[[Wikipedia:Google Drive|Google Drive]]|A file storage and synchronization service provided by Google.<br />
** Provides cloud storage, file sharing and collaborative editing.<br />
** Multiple clients are available.<br />
|https://drive.google.com|{{AUR|google-drive-ocamlfuse}} (free), {{AUR|drive}} (free), {{AUR|insync}} (non-free)}}<br />
<br />
* {{App|[[Wikipedia:Jungle Disk|Jungle Disk]]|An online backup tool that stores its data in Amazon S3 or Rackspace Cloud Files.<br />
** A GNOME Files extension.<br />
** Only paid plans available.<br />
|http://www.jungledisk.com/|{{AUR|nautilus-jungledisk}}}}<br />
<br />
* {{App|[[Wikipedia:Mega (website)|MEGA]]|Successor to the MegaUpload file-sharing service.<br />
** Free accounts are 50GB with paid plans available for more space.<br />
** Offers encryption and de-duplication.<br />
** Usually accessed through its web interface, but other tools exist.<br />
|https://mega.co.nz|{{AUR|megatools}}, {{AUR|megasync}}, {{AUR|megafuse}}}}<br />
<br />
* {{App|Nutstore|A cloud service that lets you sync and share files anywhere.<br />
** Multiple file folders sync.<br />
** Service for Chinese users.<br />
|http://jianguoyun.com/|{{AUR|nutstore}}}}<br />
<br />
* {{App|[[Wikipedia:SpiderOak|SpiderOak]]|An online backup tool for Windows, Mac and Linux users to back up, share, sync, access and store their data.<br />
** Free and paid version available.<br />
** Free account holds 2GB.<br />
** Includes file sharing and a public directory.<br />
** Incremental backup and sync are both supported.<br />
|https://spideroak.com/|{{AUR|spideroak}}}}<br />
<br />
* {{App|[[Wikipedia:Storage Made Easy|Storage Made Easy]]|Provides unified access to numerous cloud storage services, as well as its own storage.<br />
** Free and paid version available.<br />
** Free account holds 5GB and allows access to up to three other cloud storage providers.<br />
** Supports local directory via fuse, as well as web access.<br />
** Supports many cloud storage services, such as Box, Dropbox, Google Drive, Onedrive, and others.<br />
|http://storagemadeeasy.com/|{{AUR|smestorage}}}}<br />
<br />
* {{App|[[Wikipedia:Tahoe-LAFS|Tahoe-LAFS]]|Tahoe Least-Authority Filesystem is a free and open, secure, decentralized, fault-tolerant, peer-to-peer distributed data store and distributed file system.<br />
|https://tahoe-lafs.org/|{{AUR|tahoe-lafs}}}}<br />
<br />
* {{App|[[Wikipedia:Tarsnap|Tarsnap]]|A secure online backup service for BSD, Linux, OS X, Solaris and Windows (through Cygwin).<br />
** Compressed encrypted backups to Amazon S3 Servers.<br />
** Automate via [[cron]].<br />
** Incremental backups.<br />
** Backup any files or directories.<br />
** Command line only client.<br />
** Pay only for usage (bandwidth and storage). <br />
|http://www.tarsnap.com|{{Pkg|tarsnap}}}}<br />
<br />
* {{App|[[Wikipedia:Wuala|Wuala]]|A secure online storage, file synchronization, versioning and backup service.<br />
** Closed source.<br />
** Includes file sharing and a public directory.<br />
** Incremental backup and sync are both supported.<br />
** Social networking features.<br />
** All files in the cloud are first encrypted locally.<br />
|http://www.wuala.com/|{{AUR|wuala}}, {{AUR|wuala-daemon}} &ndash; to run as daemon}}<br />
<br />
* {{App|[[Wikipedia:IDrive_Inc.|iDrive]]|Universal Online Backup.<br />
** Multiple Device Backup.<br />
** Online File Sync. <br />
** Real-Time Backup. <br />
** Backup and Access from Mobile Devices. <br />
** Remote Manage. <br />
** No GUI front end for Linux; command line based. A wrapper script is available to make it easier to use.<br />
|https://www.idrive.com/|{{AUR|idevsutil}}, {{AUR|idrive-wrapper}}}}<br />
<br />
* {{App|CloudBacko|Enterprise-grade cloud backup tool for Linux, Mac and Windows.<br />
** Closed source. Free, Lite and Pro versions available.<br />
** Written in Java.<br />
** Encrypted backup to multiple cloud destinations. <br />
** Supports multiple cloud destinations combined as one storage pool.<br />
** No installation required in Free version.<br />
** GUI frontend for Linux in Pro version.<br />
** Virtual machine backup available in Pro version.<br />
|http://www.cloudbacko.com/}}<br />
<br />
== Cooperative storage cloud backups ==<br />
<br />
A [[Wikipedia:Cooperative_storage_cloud|cooperative storage cloud]] is a decentralized model of networked online storage where data is stored on multiple computers, hosted by the participants cooperating in the cloud. <br />
<br />
* {{App|[http://www.symform.com Symform]|A peer-to-peer cloud backup service.<br />
** Unlimited free backup in exchange for 2:1 storage space contribution with an always-connected device (at least 80% uptime).<br />
** [http://www.symform.com/our-solutions/pricing/ Payment options exist].<br />
** First 10GB of backup storage is free (no contribution needed).<br />
** In addition to paid support, support plans in exchange for extended contribution (300GB+) exist.<br />
** Automatic and incremental backups.<br />
** Data is encrypted before leaving the computer, though the keys are also stored on Symform's servers, so the encryption does not protect the data from the provider itself.[http://virtualserverguy.com/blog/2012/12/19/symform-security-analysis]<br />
** Customizable limits for bandwidth consumption.<br />
** Ability to have a local copy ("Hot Copy") of the backed up data on a different disk or computer.<br />
** Ability to have synchronized folders between nodes (Dropbox-like).<br />
** Closed source, using mono. Windows clients available.<br />
|http://www.symform.com/|{{AUR|symform}}}}<br />
<br />
== Non-incremental backups ==<br />
Another type of backup is the one used in case of a disaster. These include applications that allow easy backup of entire filesystems and recovery in case of failure, usually in the form of a live CD or USB drive. They contain complete system images from one or more specific points in time and are frequently used to record known good configurations.<br />
<br />
* {{App|Q7Z|P7Zip GUI for Linux, which attempts to simplify data compression and backup. It can create the following archive types: 7z, BZip2, Zip, GZip, Tar.<br />
** Updates existing archives quickly.<br />
** Backup multiple folders to a storage location.<br />
** Create or extract protected archives.<br />
** Lessen effort by using archiving profiles and lists.<br />
|http://k7z.sourceforge.net/|{{AUR|q7z}}}}<br />
<br />
* {{App|[[Partclone]]|A tool that can be used to back up and restore a partition while considering only used blocks.<br />
** Supports ext2, ext3, hfs+, reiser3.5, reiser3.6, reiser4, ext4 and btrfs.<br />
** Supports compression.<br />
|http://partclone.nchc.org.tw/trac/|{{Pkg|partclone}}}}<br />
<br />
* {{App|[[Wikipedia:Redo Backup and Recovery|Redo Backup and Recovery]]|A backup and disaster recovery application that runs from a bootable Linux CD image.<br />
** Is capable of bare-metal backup and recovery of disk partitions.<br />
** Uses [http://www.xpud.org/ xPUD] and [[Partclone]] for the backend.<br />
|http://www.redobackup.org/}}<br />
<br />
* {{App|[[Wikipedia:Clonezilla|Clonezilla]]|A disaster recovery, disk cloning, disk imaging and deployment solution.<br />
** Boots from live CD, USB flash drive, or PXE server.<br />
** Supports ext2, ext3, ext4, reiserfs, reiser4, xfs, jfs, btrfs, FAT32, NTFS, HFS+ and others.<br />
** Uses Partclone (default), Partimage (optional), ntfsclone (optional), or dd to image or clone a partition.<br />
** Multicasting server to restore to many machines at once.<br />
|http://clonezilla.org/|{{Pkg|clonezilla}}}}<br />
<br />
* {{App|[[Wikipedia:Partimage|Partimage]]|A disk cloning utility for Linux/UNIX environments.<br />
** Has a Live CD.<br />
** Supports the most popular filesystems on Linux, Windows and Mac OS.<br />
** Compression.<br />
** Saving to multiple CDs or DVDs or across a network using Samba/NFS.<br />
|http://www.partimage.org/Main_Page|{{Pkg|partimage}}}}<br />
<br />
* {{App|FSArchiver|A safe and flexible file-system backup and deployment tool<br />
** Support for basic file attributes (permissions, owner, ...).<br />
** Support for multiple file-systems per archive.<br />
** Support for extended attributes (they are used by SELinux).<br />
** Support the basic file-system attributes (label, uuid, block-size) for all linux file-systems.<br />
** Support for [http://www.fsarchiver.org/Cloning-ntfs ntfs filesystems] (ability to create flexible clones of a Windows partitions).<br />
** Checksumming of everything which is written in the archive (headers, data blocks, whole files).<br />
** Ability to restore an archive which is corrupt (it will just skip the current file).<br />
** Multi-threaded lzo, gzip, bzip2, lzma compression.<br />
** Support for splitting large archives into several files with a fixed maximum size.<br />
** Encryption of the archive using a password. Based on blowfish from libcrypto from [[OpenSSL]].<br />
** Support backup of a mounted root filesystem (-A option).<br />
|http://www.fsarchiver.org/Main_Page|{{Pkg|fsarchiver}}}}<br />
<br />
* {{App|[[Wikipedia:Mondo Rescue|Mondo Rescue]]|A disaster recovery solution to create backup media that can be used to redeploy the damaged system.<br />
** Image-based backups, supporting Linux/Windows.<br />
** Compression rate is adjustable.<br />
** Can backup live systems (without having to halt it).<br />
** Can split image over many files.<br />
** Supports booting to a Live CD to perform a full restore.<br />
** Can backup/restore over NFS, from CDs, tape drives and other media.<br />
** Can verify backups.<br />
|http://www.mondorescue.org/|{{AUR|mondo}}}}<br />
<br />
== Versioning systems ==<br />
These are traditionally used for keeping track of software development, but if you want a simple way to manage your config files in one directory, they might be a good solution.<br />
<br />
=== Version control systems ===<br />
<br />
See also [[Wikipedia:Comparison of revision control software]].<br />
<br />
* {{App|[[Git]]|A distributed revision control and source code management system with an emphasis on speed.<br />
** Very easy creation, merging, and deletion of branches.<br />
** Nearly all operations are performed locally, giving it a huge speed advantage over centralized systems.<br />
** Has a "staging area" or "index", this is an intermediate area where commits can be formatted and reviewed before completing the commit.<br />
** Does not handle binary files very well.<br />
|http://git-scm.com/|{{Pkg|git}}}}<br />
<br />
* {{App|[[Subversion]]|A full-featured centralized version control system originally designed to be a better CVS.<br />
** Renamed/copied/moved/removed files retain full revision history.<br />
** Native support for binary files, with space-efficient binary-diff storage.<br />
** Costs proportional to change size, not to data size.<br />
** Allows arbitrary metadata ("properties") to be attached to any file or directory. <br />
|http://subversion.apache.org/|{{Pkg|subversion}}}}<br />
<br />
* {{App|[[Mercurial]]|A distributed version control system written in Python and similar in many ways to Git.<br />
** Platform independent.<br />
** Support for [http://mercurial.selenic.com/wiki/UsingExtensions extensions].<br />
** A set of commands consistent with Subversion.<br />
** Supports tags.<br />
|http://mercurial.selenic.com/|{{Pkg|mercurial}}}}<br />
<br />
* {{App|[[Wikipedia:Bazaar (software)|Bazaar]]|A distributed version control system that helps you track project history over time and to collaborate easily with others.<br />
** Similar commands to Subversion.<br />
** Supports working with or without a central server.<br />
** Support for working with some other revision control systems<br />
** Complete Unicode support.<br />
|http://bazaar.canonical.com/en/|{{Pkg|bzr}}}}<br />
<br />
* {{App|[[Wikipedia:Darcs|Darcs]]|A distributed revision control system that was designed to replace traditional, centralized source control systems such as CVS and Subversion.<br />
** Offline mode.<br />
** Easy branching and merging.<br />
** Written in Haskell.<br />
** Not very fast.<br />
|http://darcs.net/|{{AUR|darcs}}}}<br />
<br />
=== VCS-based backups ===<br />
<br />
* {{App|Gibak|A backup system based on [[Git]].<br />
** Supports binary diffs.<br />
** Uses all of Git's features (such as {{ic|.gitignore}} for filtering files).<br />
** Uses Git's hook system to save information that Git does not (permissions, mtime, empty directories, etc).<br />
|https://github.com/pangloss/gibak|{{AUR|gibak}}}}<br />
* {{App|bup|A fledgling Git-based backup solution written in Python and C.<br />
** Uses a rolling checksum algorithm (similar to rsync) to split large files into chunks.<br />
** Can back up directly to a remote bup server.<br />
** Has an improved index format to allow you to track many files.<br />
|https://github.com/bup/bup|{{Pkg|bup}} {{AUR|bup-git}}}}<br />
* {{App|ColdStorage|Another backup tool using Git at its core, built with [[Qt]].|http://gitorious.org/coldstorage|{{AUR|coldstorage-git}}}}<br />
<br />
== See also ==<br />
<br />
* [http://www.halfgaar.net/backing-up-unix Backing up Linux and other Unix(-like) systems]<br />
* [http://www.askapache.com/security/mirror-using-rsync-ssh.html Mirroring an Entire Site using Rsync over SSH]<br />
* [http://www.si-journal.org/index.php/JSI/article/view/205 Performance comparison of five remote incremental backup tools: Rsync, Rdiff-backup, Duplicity, Areca and Link-Backup]</div>Rfraile