Wireguard client set up

From Wildsong
Revision as of 04:26, 12 March 2022 by Brian Wilson

This is part of the Repeater linking project I am working on.

I assume you have the latest version of the Raspberry Pi OS installed and set up.

You should have an ssh server installed and enabled. You can do that in raspi-config. You can change the name of the client in there too if you want (I would).

The client has to be able to connect to the Internet, but it can be on either a static or a DHCP dynamic link; it won't matter.

CHANGE THE PASSWORD ON THE CLIENT BEFORE EXPOSING IT TO THE INTERNET.

Install wireguard

Working on the client,

sudo apt-get install wireguard -y

Some comments. You don't have to enable packet forwarding, because this is a client node and won't be doing any packet forwarding. You don't have to set up a firewall; that will be handled on tarra. We might decide to set up a firewall later, but for now it's just extra complexity. It would not hurt to install iptables and fail2ban just so it's there for later.

sudo apt-get install fail2ban

Generate a pair of keys

The keys will be called "privatekey" and "publickey", in the folder /etc/wireguard. First make sure the folder is secured (the chmod command).

Still on the client,

sudo -s
chmod 700 /etc/wireguard
cd /etc/wireguard/
wg genkey | tee privatekey | wg pubkey > publickey

Copy the public key to the server. An easy way is to dump it to the screen and then cut and paste.

cat publickey

On the server you can now paste it, using the name of the host, which in this case is "ren-1". This will create a file called ren-1.pub in /etc/wireguard/ containing the key.

sudo -s
echo PASTE_THE_PUBLICKEY_STRING_RIGHT_HERE > /etc/wireguard/ren-1.pub

TO DO = write commands to complete the server set up here.

Set up the client's config file.

The port number does not matter on this end; there is no firewall between us and tarra. The client has to know tarra's port, and the first time it connects to tarra it will tell tarra its port number.
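The page does not show the config file itself. As an added example (not the author's configuration or code), these shell functions write a wg-quick `wg0.conf` from the private key generated earlier and check that the directory, key and config grant nothing to group or other. The function names are hypothetical, and the address prefix, server public key, endpoint and AllowedIPs are placeholders to be supplied by whoever runs the server.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# write_client_conf DIR ADDRESS SERVER_PUBKEY ENDPOINT ALLOWED_IPS
# Builds DIR/wg0.conf from DIR/privatekey (created by the wg genkey step).
write_client_conf() {
    dir=$1 address=$2 server_pub=$3 endpoint=$4 allowed=$5
    [ -s "$dir/privatekey" ] || { echo "no private key in $dir" >&2; return 1; }
    (
        umask 077  # a newly created wg0.conf gets mode 0600
        {
            echo "[Interface]"
            echo "PrivateKey = $(cat "$dir/privatekey")"
            echo "Address = $address"
            echo
            echo "[Peer]"
            echo "PublicKey = $server_pub"
            echo "Endpoint = $endpoint"
            echo "AllowedIPs = $allowed"
        } > "$dir/wg0.conf"
    ) || return 1
    # Tighten files that already existed with looser modes.
    chmod 600 "$dir/privatekey" "$dir/wg0.conf"
}

# check_wg_perms DIR: succeeds only if DIR, the key and the config
# grant nothing to group or other.
check_wg_perms() {
    for f in "$1" "$1/privatekey" "$1/wg0.conf"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "too permissive: $f" >&2; return 1; }
    done
}

# Usage on the client, as root (every argument after the directory is a
# placeholder; get the real values from whoever runs the server):
#   write_client_conf /etc/wireguard CLIENT_ADDRESS/PREFIX \
#       SERVER_PUBLIC_KEY SERVER_HOST:SERVER_PORT ALLOWED_IPS
#   check_wg_perms /etc/wireguard && wg-quick up wg0
```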

Bring up the connection

wg-quick up wg0

This should show the commands it runs.

I don't know if your node will be resolving addresses, so I show IP addresses here. This is the address for ren-1.tarra.link

ping 44.127.9.33

This is the router end of the tunnel, t3.tarra.link

ping 44.127.9.46

You should be able to hit the main address at the router, tarra.link

ping 44.127.9.254

From tarra you should be able to ping the node. You don't need the full name here.

ping ren-1

From your laptop or anywhere on the Internet you should be able to ping the node now,

ping ren-1.tarra.link

You should be able to log into the node over the Internet. You did change the password? Great. Otherwise someone will figure out this is a Raspberry Pi and log in and take control of it in about 5 minutes.

ssh [email protected]

Make wireguard run after reboot

(Here are docs)

sudo -s
systemctl enable wg-quick@wg0
systemctl daemon-reload
systemctl start wg-quick@wg0

Reboot now to make sure it took. Once you reboot, do

wg show

You should see the link still exists and that there is a connection. Run the tests from the previous section again to satisfy yourself that it rebooted correctly.