WireGuard


  • Debugging
    • Had to lower MTU to 1200
    echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    # -p appears to turn the debug output off again
    echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control
    
    sudo LOG_LEVEL=verbose wg show
  • Reload without stopping
    # Reloads the config without disrupting current peer sessions,
    # but does not re-run the PreUp/PostUp (or PreDown/PostDown) hooks
    wg syncconf wg0 <(wg-quick strip wg0)
  • DNS
    systemd-resolve == resolvectl # systemd-resolve is the older name still seen in old documents
    • Configure Wireguard with dnsmasq
      # systemctl edit dnsmasq
      [Unit]
      After=wg-quick@wg0.service
      Wants=wg-quick@wg0.service
      • debugging
      ubus call system board;
      uci show network;
      uci show firewall;
      uci show dhcp;
      ip address show;
      ip route show table all;
      ip rule show; iptables-save;
      head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*;
      netstat -l -n -p | grep -e dnsmasq
  • Utility
    • ncat server
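      #!/bin/bash
      # SPDX-License-Identifier: GPL-2.0
      #
      # Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
      #
      # Demo client for the WireGuard ncat test server: obtains a peer
      # configuration over a plain TCP connection, brings up wg0 and, with
      # the "default-route" argument, sends all IPv4 traffic through the tunnel.
      #
      # Usage: client.sh [default-route]
      #
      # The exchange on port 42912 is unauthenticated plaintext: we send our
      # public key and read back "OK:<server_pubkey>:<port>:<internal_ip>".
      # Every field parsed from that reply comes from the network, so it is
      # validated before being handed to ip(8)/wg(8).
      
      set -e
      
      die() { printf '%s\n' "$*" >&2; exit 1; }
      
      [[ $UID == 0 ]] || die "You must be root to run this."
      # Bash's builtin /dev/tcp socket on fd 3 (no external ncat needed).
      exec 3<>/dev/tcp/demo.wireguard.com/42912
      privatekey="$(wg genkey)"
      wg pubkey <<<"$privatekey" >&3
      IFS=: read -r status server_pubkey server_port internal_ip <&3
      [[ $status == OK ]] || die "Server did not answer OK (got: ${status:-<empty>})"
      # Shape checks on the server-supplied fields: a WireGuard key is 32 bytes,
      # i.e. 43 base64 characters plus one '=' pad; the port must be numeric and
      # the address a dotted quad, since both go straight into ip/wg arguments.
      key_re='^[A-Za-z0-9+/]{43}=$'
      port_re='^[0-9]{1,5}$'
      ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
      [[ $server_pubkey =~ $key_re ]] || die "Malformed server public key"
      [[ $server_port =~ $port_re && $server_port -le 65535 ]] || die "Malformed server port: $server_port"
      [[ $internal_ip =~ $ipv4_re ]] || die "Malformed internal IP: $internal_ip"
      # Start from a clean interface; a missing wg0 is not an error.
      ip link del dev wg0 2>/dev/null || true
      ip link add dev wg0 type wireguard
      # The private key is supplied through process substitution rather than
      # as a literal on wg's command line.
      wg set wg0 private-key <(echo "$privatekey") peer "$server_pubkey" allowed-ips 0.0.0.0/0 endpoint "demo.wireguard.com:$server_port" persistent-keepalive 25
      ip address add "$internal_ip"/24 dev wg0
      ip link set up dev wg0
      if [[ ${1-} == "default-route" ]]; then
      	# Pin a host route to the endpoint via the current gateway so the
      	# tunnel's own UDP packets are not pulled into the /1 routes below.
      	host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
      	# shellcheck disable=SC2046 -- the route spec must word-split into ip arguments
      	ip route add $(ip route get "$host" | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null || true
      	# Two /1 routes take precedence over the existing default route
      	# without replacing it, so it is restored when wg0 goes away.
      	ip route add 0/1 dev wg0
      	ip route add 128/1 dev wg0
      fi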
  • Troubleshoot
    # Inside the tunnel: wg0 carries the decrypted (inner) packets.
    sudo tcpdump -nn -i wg0
    # On the underlay: only the encrypted WireGuard UDP transport is visible.
    sudo tcpdump -nn -i eth0 udp and port 51820
    # Watch several WireGuard listen ports at once.
    tcpdump -nn 'udp and (port 51888 or 51840 or 51811)'
  • Scrubbed copy of config
    # Notes
    # reload
    # syncconf only updates the kernel key/peer state; the Pre*/Post* hooks are not re-run.
    wg syncconf wg0 <(wg-quick strip wg0)
    
    # Full restart variants: these do re-run the hooks but drop the current peer sessions.
    systemctl stop wg-quick@wg0.service; wg-quick up wg0
    wg-quick down wg0; sleep 2; wg-quick up wg0
    
    # dnsmasq: -1 is SIGHUP, which makes it re-read its hosts/resolv files without a restart.
    service dnsmasq start;
    killall -1 dnsmasq
    
    systemctl status dnsmasq.service
    systemctl stop dnsmasq.service
    systemctl start dnsmasq.service
    
    # wg0.conf
    root@x-bastion:/etc/wireguard# cat wg0.conf
    [Interface]
    PrivateKey = 4GhOOKu3UOnMp+xxxx=
    Address = 10.88.88.1/24
    ListenPort = 51888
    MTU = 1420
    DNS = 127.0.0.1
    
    # IP forwarding
    PreUp = sysctl -w net.ipv4.ip_forward=1
    # IP masquerading
    PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
    PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
    PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
    PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
    
    
    # --- Myron mac14
    [Peer]
    PublicKey = xx=
    AllowedIPs = 10.88.88.4/32
    PersistentKeepalive = 9
    ...