Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "Funtoo:User Services/VPN Setup"

From Funtoo
 
(12 intermediate revisions by 3 users not shown)
Changed lines in this diff (old revision vs. latest revision, shown as stored wikitext; unchanged context lines carry no prefix):

Line 17 (old) / Line 17 (new):
  {{console|body=
  old: # ##i##wg genkey | tee private.key | wg pubkey > public.key
  new: # ##i##wg genkey {{!}} tee private.key {{!}} wg pubkey > public.key
  }}

Line 26 (old) / Line 26 (new):
  {{file|name=/etc/wireguard/wg0.conf|body=
  [Interface]
  old: Address = [IPv4/netmask I provide to you]
  new: Address = 172.30.0.x/16 [IPv4/netmask I provide to you]
  ListenPort = 56875
  PrivateKey = [Your Private Key]
  DNS = 172.19.0.3,1.1.1.1
  new: MTU = 1280

  [Peer]

Line 36 (old) / Line 37 (new):
  Endpoint = [Endpoint I Provide to you]
  }}
  new: {{Important|1=The recent addition of {{c|1=MTU = 1280}} will ensure that your connection to the VPN will work over mobile/5G networks. WireGuard uses UDP, and this MTU avoids fragmentation which can essentially prevent non-trivial network traffic from flowing to/from the VPN. See [https://support.google.com/fi/thread/159775634?hl=en this Google Fi Help thread] for more details.}}

  Make this file non-readable by anyone but root:

Line 56 (old) / Line 59 (new):
  {{console|body=
  old: # ##i##wg-quick wg0 up
  new: # ##i##wg-quick up wg0
  }}

Line 63 (old) / Line 66 (new):
  {{console|body=
  # ##i##wg show
  old: ##g##interface: wg0
  new: \##g##interface: wg0
     public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
     private key: (hidden)
     listening port: 56875

  old: ##y##peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  new: \##y##peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
     endpoint: [VPN endpoint]
     allowed ips: 172.16.0.0/12
     latest handshake: 11 seconds ago
     transfer: 9.05 MiB received, 1.73 MiB sent
  #
  }}

Latest revision as of 19:36, October 27, 2022

We use WireGuard for our internal VPN. These steps will help you to connect to our VPN. WireGuard is really quite simple to use but does have a learning curve. Once you're up and running, you'll appreciate the fast, reliable experience. Let's get started!

Initial Setup

Your first step is to emerge net-vpn/wireguard-tools:

root # emerge -av wireguard-tools

If you're using our sys-kernel/debian-sources kernel like a good, upstanding Funtoo citizen, then you already have the WireGuard kernel modules available to load.

Before I can get you set up on the VPN, I need you to generate a public and private key. You will send the public key to me, and you'll keep the private key private. This can be done by running the following command:

root # wg genkey | tee private.key | wg pubkey > public.key

After running this command, please send me the contents of your public.key file.

Now, create an /etc/wireguard/wg0.conf file with the following contents:

   /etc/wireguard/wg0.conf
[Interface]
Address = 172.30.0.x/16 [IPv4/netmask I provide to you]
ListenPort = 56875
PrivateKey = [Your Private Key]
DNS = 172.19.0.3,1.1.1.1
MTU = 1280

[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
Endpoint = [Endpoint I Provide to you]
   Important

The recent addition of MTU = 1280 will ensure that your connection to the VPN will work over mobile/5G networks. WireGuard uses UDP, and this MTU avoids fragmentation which can essentially prevent non-trivial network traffic from flowing to/from the VPN. See this Google Fi Help thread for more details.

Make this file non-readable by anyone but root:

root # chmod go-rwx /etc/wireguard/wg0.conf

Really, you're now pretty much set up!

About the Funtoo Internal Network

Up above in wg0.conf, you'll see the line AllowedIPs = 172.16.0.0/12. This specifies the network that Funtoo has mapped for its VPN. This is a special non-routable range of addresses sort of close to the localhost address of 172.0.0.1, which consists of IP addresses from 172.16.0.1 to 172.31.255.254. All traffic for these addresses will be routed to the VPN.
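The wg0.conf above and the AllowedIPs explanation both come down to a few checks you can automate before running wg-quick: is every required key present, is the private key really a 32-byte WireGuard key, does the Address you were given sit inside the peer's AllowedIPs (otherwise return traffic is never routed back), which of the DNS servers will actually be reached through the tunnel (172.19.0.3 is inside 172.16.0.0/12, 1.1.1.1 is not), and has the file been locked down with chmod go-rwx. The following is an added example written for this page, not code from the Funtoo wiki or from wireguard-tools. SAMPLE_CONF is a constructed client config: the 172.30.0.7 address, the all-zero private key and the vpn.example.invalid endpoint are placeholders, not values Funtoo hands out; the peer public key and AllowedIPs are the ones shown above.

```python
"""Sanity-check a wg-quick client config like the wg0.conf above (added example)."""
import base64
import binascii
import ipaddress
import os
import stat
import tempfile

# All-zero placeholder key (constructed); valid in shape only, never usable.
DUMMY_PRIVATE_KEY = base64.b64encode(bytes(32)).decode()

SAMPLE_CONF = f"""\
[Interface]
Address = 172.30.0.7/16
ListenPort = 56875
PrivateKey = {DUMMY_PRIVATE_KEY}
DNS = 172.19.0.3,1.1.1.1
MTU = 1280

[Peer]
PublicKey = ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
AllowedIPs = 172.16.0.0/12
Endpoint = vpn.example.invalid:51820
"""


def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into {"Interface": {...}, "Peers": [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = conf["Interface"]
            elif name == "peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return conf


def routed_via_vpn(conf, address):
    """True if wg-quick routes `address` into the tunnel, i.e. it lies in some peer's AllowedIPs."""
    ip = ipaddress.ip_address(address)
    for peer in conf["Peers"]:
        for cidr in peer.get("AllowedIPs", "").split(","):
            if cidr.strip() and ip in ipaddress.ip_network(cidr.strip(), strict=False):
                return True
    return False


def _is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_conf(conf):
    """Return (level, message) findings; an empty list means nothing to report."""
    findings = []
    iface = conf["Interface"]
    for key in ("Address", "PrivateKey", "DNS", "MTU"):
        if key not in iface:
            findings.append(("error", f"[Interface] is missing {key}"))
    if "PrivateKey" in iface and not _is_wg_key(iface["PrivateKey"]):
        findings.append(("error", "PrivateKey is not a base64-encoded 32-byte key"))
    if "Address" in iface:
        addr = ipaddress.ip_interface(iface["Address"]).ip
        if not routed_via_vpn(conf, str(addr)):  # replies would never come back through wg0
            findings.append(("error", f"Address {addr} lies outside every peer's AllowedIPs"))
    if iface.get("MTU") != "1280":
        findings.append(("warn", "MTU is not 1280; UDP fragmentation can stall the tunnel on mobile networks"))
    for server in iface.get("DNS", "").split(","):
        server = server.strip()
        if server and not routed_via_vpn(conf, server):
            findings.append(("info", f"DNS server {server} is reached outside the tunnel"))
    for i, peer in enumerate(conf["Peers"]):
        for key in ("PublicKey", "AllowedIPs", "Endpoint"):
            if key not in peer:
                findings.append(("error", f"[Peer] #{i} is missing {key}"))
        if "PublicKey" in peer and not _is_wg_key(peer["PublicKey"]):
            findings.append(("error", f"[Peer] #{i} PublicKey is not a valid WireGuard key"))
    return findings


def check_permissions(path):
    """chmod go-rwx leaves no group/other bits; report the mode if any remain."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [("error", f"{path} is mode {mode:04o}; run chmod go-rwx on it")]
    return []


def demo_permissions():
    """Write the sample to a temp file; return the check result before and after locking it down."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)  # world-readable, the state a careless editor leaves behind
        before = check_permissions(path)
        os.chmod(path, 0o600)  # what chmod go-rwx yields for a 0644 file
        after = check_permissions(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    print(check_conf(conf), demo_permissions())
    for ip in ("172.19.0.3", "1.1.1.1", "172.31.255.254", "172.32.0.1"):
        print(ip, "via VPN" if routed_via_vpn(conf, ip) else "direct")
```

On the sample the only finding is informational: 1.1.1.1 is resolved over the normal uplink, while 172.19.0.3 is inside 172.16.0.0/12 and so queried through the tunnel, which is why .funtoo names resolve only while wg0 is up. The private key check is shape only; it cannot tell you whether the key matches the public key you sent in, only that it is not a leftover placeholder.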

Starting the VPN

To start the VPN, you'll want to run this command after every boot:

root # wg-quick up wg0

You can then view network status by typing:

root # wg show
interface: wg0
  public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
  private key: (hidden)
  listening port: 56875

peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  endpoint: [VPN endpoint]
  allowed ips: 172.16.0.0/12
  latest handshake: 11 seconds ago
  transfer: 9.05 MiB received, 1.73 MiB sent
root #

You can also bring down the VPN by typing wg-quick down wg0.
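The "latest handshake" line in the wg show output above is the quickest health signal the tunnel gives you: WireGuard renegotiates a busy session every two minutes and refuses session keys older than three, so a handshake that is minutes old on a link that should be carrying traffic (or a peer with no handshake line at all) means the peer is unreachable or its endpoint or keys are wrong. The script below is an added example for this page, not code from the Funtoo wiki or from wireguard-tools: it parses the human-readable wg show format shown above and lists stale peers. SAMPLE_WG_SHOW is a constructed capture; the first peer is the one shown above, the endpoints use documentation addresses from 203.0.113.0/24, and the other two peer keys are placeholders.

```python
"""Flag WireGuard peers whose last handshake is too old, from `wg show` text (added example)."""
import re

# WireGuard rekeys an active session every 120 s and rejects keys older than 180 s,
# so anything beyond that on a tunnel that should be busy is a dead peer.
STALE_AFTER_SECONDS = 180

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Constructed sample in the layout `wg show` prints; keys 2 and 3 are placeholders.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: MTwAQ60ecjiN3H6PCBbq+u7+RLbsVWRw3HCZHTmgtBQ=
  private key: (hidden)
  listening port: 56875

peer: ct6WFz1ZaIPfsyRSw4NNq7cosE6pMldkP3y0B9fTh0U=
  endpoint: 203.0.113.10:51820
  allowed ips: 172.16.0.0/12
  latest handshake: 11 seconds ago
  transfer: 9.05 MiB received, 1.73 MiB sent

peer: PEER2_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.0.113.11:51820
  allowed ips: 172.30.1.0/24
  latest handshake: 4 minutes, 7 seconds ago
  transfer: 0 B received, 1.20 KiB sent

peer: PEER3_PUBLIC_KEY_PLACEHOLDER
  allowed ips: 172.30.2.0/24
"""


def parse_handshake_age(text):
    """'4 minutes, 7 seconds ago' -> 247 (seconds)."""
    total = 0
    for count, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", text):
        total += int(count) * UNIT_SECONDS[unit]
    return total


def parse_wg_show(text):
    """One dict per peer; handshake_age is None when no handshake has ever completed."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip(), "handshake_age": None}
            peers.append(current)
        elif current is not None and ":" in line:  # interface lines above the first peer are skipped
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "latest handshake":
                current["handshake_age"] = parse_handshake_age(value)
            elif key == "endpoint":
                current["endpoint"] = value
            elif key == "allowed ips":
                current["allowed_ips"] = [c.strip() for c in value.split(",")]
            elif key == "transfer":
                current["transfer"] = value
    return peers


def stale_peers(peers, stale_after=STALE_AFTER_SECONDS):
    """Public keys of peers with no handshake, or one older than stale_after seconds."""
    return [p["public_key"] for p in peers
            if p["handshake_age"] is None or p["handshake_age"] > stale_after]


if __name__ == "__main__":
    for key in stale_peers(parse_wg_show(SAMPLE_WG_SHOW)):
        print("stale peer:", key)
```

For anything beyond a one-off check, `wg show wg0 latest-handshakes` prints each peer's public key with the handshake time as Unix epoch seconds, which is easier to feed to a monitoring script than the human-readable text parsed here.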

Cool Things About WireGuard

Here are some cool things you should know about WireGuard. When WireGuard is 'up', you can happily connect and reconnect to various Wi-Fi networks, and WireGuard will automatically and transparently re-establish connection to the VPN, generally with no apparent disruption to your connections. This is super handy on laptops and makes working with WireGuard a very pleasant experience.

Funtoo DNS

Funtoo is running an internal DNS server and all addresses ending in .funtoo are handled by this DNS server.

Also note that sometimes you may have an issue where DNS resolution fails on your local system, either for Funtoo addresses or for Internet addresses. When you experience this, try changing the order of nameservers in /etc/resolv.conf. I am still trying to track down the source of this issue.

Reloading Server-Side Changes

   Note

This should be moved to the future WireGuard wiki page.

One handy way to reload services on the main system running WireGuard, if you have added new clients, is via the following snippet:

root # wg syncconf wg0 <(wg-quick strip wg0)

OpenRC Startup

Create an /etc/conf.d/netif.wg0 file with the following contents:

   /etc/conf.d/netif.wg0
template=wireguard

Now enable the interface so it starts at boot, and bring it up right away:

root # cd /etc/init.d
root # ln -s netif.tmpl netif.wg0
root # rc-update add netif.wg0
root # /etc/init.d/netif.wg0 start