add wireguard article
parent c1d6084020
commit 958c7139e0
@ -0,0 +1,109 @@
---
layout: post
title: "Wireguard with floating endpoints"
date: 2016-11-09 19:01:39 +0100
comments: true
categories:
- wireguard
- vpn
- dynamic dns
---

Since systemd-networkd v23x support [Wireguard](https://wireguard.io). It
supports dns hostnames as endpoint but will resolve them only once at startup.
This breaks if the endpoint is only reachable via a dynamic addresses behind
dyndns. The following systemd timer will update networkd configuration every
five minute in case the endpoint address changes. That way also ipv4 or ipv6 can
be enforced.

Save the following to files as `/etc/systemd/update-wireguard-endpoint.timer`
and `/etc/systemd/update-wireguard-endpoint.service`:

```
# /etc/systemd/update-wireguard-endpoint.timer
[Unit]
Description="Update wireguard endpoint five minute"

[Timer]
OnBootSec=1min
OnUnitActiveSec=5min

[Install]
WantedBy=multi-user.target
```

```
# /etc/systemd/update-wireguard-endpoint.service
[Unit]
Description="Update wireguard endpoint"

[Service]
ExecStart=/usr/local/bin/update-wireguard-endpoint
```

Replace all the the `<PLACEHOLDERS>` with the approciate values and save as
`/usr/local/bin/update-wireguard-endpoint`:

```bash
#!/usr/bin/env bash
set -eu pipeofail

PRIVATE_KEY="<PRIVATE_KEY_OF_LOCAL_HOST>"
PUBLIC_KEY="<PUBLIC_KEY_OF_DYNAMIC_ENDPOINT>"
ENDPOINT_HOST="<ADDRESS_OF_DYNAMIC_HOST>"
ENDPOINT_PORT="<PORT_OF_DYNAMIC_HOST>"
# other possible values: ahostsv4 or ahostsv6 to enforce either ipv4 or ipv6
ADDRESS_FAMILY="hosts"

tempfile="$(mktemp)"
trap "rm -r '$tempfile'" EXIT

resolved_endpoint="$(getent "$ADDRESS_FAMILY" "$ENDPOINT_HOST" | awk '{if ($1 ~ /:/) {printf "[%s]", $1; exit} else { print $1; exit} }')"

cat > "$tempfile" <<EOF
[NetDev]
Name=wg0
Kind=wireguard

[Wireguard]
PrivateKey=$PRIVATE_KEY

[WireguardPeer]
## configure as usual, example:
#AllowedIPs=192.168.77.1/32,fe80::/64
Endpoint=$resolved_endpoint:$ENDPOINT_PORT
PublicKey=$PUBLIC_KEY
PersistentKeepalive=10
EOF

if ! diff "$tempfile" /etc/systemd/network/wg0.netdev >/dev/null 2>&1; then
cp "$tempfile" /etc/systemd/network/wg0.netdev
systemctl restart systemd-networkd
fi
```

Also make sure that the script is executable using the the following command:

```bash
$ chmod +x /usr/local/bin/update-wireguard-endpoint
```

To configure addresses on the interface create a new `.network` file as usual:

```
#/etc/systemd/network/wg0.network
[Match]
Name=wg0

[Network]
## example:
#Address=fe80::1/64
#Address=192.168.77.2/24
```

Then enable the timer and check the status of the command:

```
systemctl enable --now update-wireguard-endpoint.timer
systemctl status update-wireguard-endpoint.service
```
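Review bot: `set -eu pipeofail` on the line after the shebang does not enable pipefail; `set` takes `pipeofail` as a positional parameter, so when `getent` fails the `getent ... | awk` pipeline still exits 0 with an empty `resolved_endpoint`, and the script then writes `Endpoint=:$ENDPOINT_PORT` into wg0.netdev and restarts networkd with a broken peer. Change it to `set -euo pipefail` and guard the lookup before the heredoc, e.g. `[ -n "$resolved_endpoint" ] || exit 1`. Two smaller points in the same hunk: the unit files are saved as `/etc/systemd/update-wireguard-endpoint.{timer,service}`, but administrator units are looked up in `/etc/systemd/system/`, so the `systemctl enable --now` step at the end will not find them; and since the generated wg0.netdev carries `PrivateKey=`, the `cp` should set a restrictive mode explicitly (e.g. `install -m 0640 -o root -g systemd-network "$tempfile" /etc/systemd/network/wg0.netdev`, the ownership and mode the networkd documentation recommends for files holding keys) rather than inheriting whatever mode the existing file happens to have.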