
Configure WireGuard using network config manager

Susant Sahani edited this page Dec 3, 2022 · 1 revision

WireGuard is an extremely simple, fast and modern VPN that is built into the Linux kernel from version 5.6 onwards. This article shows how to configure it on Photon OS (a Linux-based operating system) for systemd-networkd using network-config-manager (nmctl). First, install wireguard-tools; it can be downloaded or installed via tdnf:

❯ sudo tdnf install wireguard-tools -y

On both sites we need to create a key pair. Each site needs the other site's public key, and vice versa.

❯ wg genkey | tee wg-private.key | wg pubkey > wg-public.key

Change the ownership of the key files so that they are readable by the systemd-network user:

❯ chown root:systemd-network wg-private.key wg-public.key

Site #1 Configuration

❯ cat /etc/os-release
NAME="VMware Photon OS"
VERSION="4.0"
ID=photon
VERSION_ID=4.0
PRETTY_NAME="VMware Photon OS/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://vmware.github.io/photon/"
BUG_REPORT_URL="https://github.com/vmware/photon/issues"

❯ ip a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:3c:d5:8f brd ff:ff:ff:ff:ff:ff
    altname eno1
    altname enp3s0
    altname ens160
    inet 192.168.1.9/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84501sec preferred_lft 84501sec
    inet6 fe80::20c:29ff:fe3c:d58f/64 scope link 
       valid_lft forever preferred_lft forever

❯ cat wg-public.key 
d0AR4V68TJPA65ddKADmyTBbEgPTo75Xq/EVE1nsVFA=

Site #2 Configuration

➜ ip a

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5f:d1:39 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.1.11/24 metric 1024 brd 192.168.1.255 scope global dynamic ens33
       valid_lft 85200sec preferred_lft 85200sec
    inet6 fe80::20c:29ff:fe5f:d139/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::3279:c56d:55f9:aed7/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

➜ cat wg-public.key
lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM=

Now generate the WireGuard configuration with nmctl on Site #1:

➜ nmctl create-wg wg99 private-key-file /etc/systemd/network/wg-private.key listen-port 34966 public-key lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM= endpoint 192.168.1.11:34966 allowed-ips 10.0.0.2/32

➜ nmctl add-addr dev wg99 a 10.0.0.1/24

The configuration generated for systemd-networkd:

❯ cat 10-wg99.netdev

[NetDev]
Name=wg99
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg-private.key
ListenPort=34966

[WireGuardPeer]
# Public key of Site #2
PublicKey=lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM=
Endpoint=192.168.1.11:34966
AllowedIPs=10.0.0.2/32

❯ cat 10-wg99.network
[Match]
Name=wg99


[Address]
Address=10.0.0.1/24
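Before handing a generated .netdev to systemd-networkd it is worth checking the two values that are easiest to get wrong when copying keys between sites: that the peer's PublicKey is a real WireGuard key and is the other site's key rather than your own, and that AllowedIPs does not silently route everything through the peer. The following checker is an added example, not part of nmctl or the page; it embeds Site #1's 10-wg99.netdev from above as sample input and takes this site's own wg-public.key content as its second argument.

```python
# Added example, not part of the nmctl project: sanity-check the .netdev that nmctl create-wg writes.
import base64
import ipaddress
# Site #1's 10-wg99.netdev from this page (comment and blank lines dropped), used as sample input.
SAMPLE_NETDEV = """\
[NetDev]
Name=wg99
Kind=wireguard
[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg-private.key
ListenPort=34966
[WireGuardPeer]
PublicKey=lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM=
Endpoint=192.168.1.11:34966
AllowedIPs=10.0.0.2/32
"""

def parse_netdev(text):  # unit-file syntax -> [(section, {key: value})]; [WireGuardPeer] may repeat
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # skip blank lines and comments
            continue
        if line[0] == "[" and line[-1] == "]":
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_wg_key(value):  # a WireGuard key is 32 raw bytes, i.e. 44 base64 characters ending in '='
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_netdev(text, own_public_key):  # returns a list of findings; [] means the file passed
    findings = []
    for peer in (b for n, b in parse_netdev(text) if n == "WireGuardPeer"):
        pk = peer.get("PublicKey", "")
        if not is_wg_key(pk):
            findings.append("peer PublicKey is not a valid WireGuard key: %r" % pk)
        elif pk == own_public_key:
            findings.append("peer PublicKey is this site's own key; use the other site's wg-public.key")
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            try:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append("AllowedIPs %s sends all traffic to this peer" % cidr)
            except ValueError:
                findings.append("AllowedIPs entry is not a CIDR: %r" % cidr)
    return findings
```

Run it against the real file with `check_netdev(open("/etc/systemd/network/10-wg99.netdev").read(), open("wg-public.key").read().strip())`; the same check applies unchanged to Site #2's file.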

Output of wg:

➜  wg

interface: wg99
  public key: lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM=
  private key: (hidden)
  listening port: 34966

peer: d0AR4V68TJPA65ddKADmyTBbEgPTo75Xq/EVE1nsVFA=
  endpoint: 192.168.1.7:34966
  allowed ips: 10.0.0.1/32
  latest handshake: 20 minutes, 36 seconds ago
  transfer: 57.70 KiB received, 58.37 KiB sent

Similarly, generate the configuration for Site #2:

➜ nmctl create-wg wg99 private-key-file /etc/systemd/network/wg-private.key listen-port 34966 public-key d0AR4V68TJPA65ddKADmyTBbEgPTo75Xq/EVE1nsVFA= endpoint 192.168.1.7:34966 allowed-ips 10.0.0.1/32

➜ nmctl add-addr dev wg99 a 10.0.0.2/24

The configuration generated for systemd-networkd:

➜ cat 10-wg99.netdev

[NetDev]
Name=wg99
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg-private.key
ListenPort=34966

[WireGuardPeer]
# Public key of Site #1
PublicKey=d0AR4V68TJPA65ddKADmyTBbEgPTo75Xq/EVE1nsVFA=
Endpoint=192.168.1.7:34966
AllowedIPs=10.0.0.1/32

➜ cat 10-wg99.network
[Match]
Name=wg99


[Address]
Address=10.0.0.2/24

➜ wg

interface: wg99
  public key: lhR9C3iZGKC+CIibXsOxDql8m7YulZA5I2tqgU2PnhM=
  private key: (hidden)
  listening port: 34966

peer: d0AR4V68TJPA65ddKADmyTBbEgPTo75Xq/EVE1nsVFA=
  endpoint: 192.168.1.7:34966
  allowed ips: 10.0.0.1/32
  latest handshake: 23 minutes, 57 seconds ago
  transfer: 57.70 KiB received, 58.37 KiB sent

Let's ping and confirm connectivity from Site #1:

❯ ip a show wg99

25: wg99: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wg99
       valid_lft forever preferred_lft forever

❯ ping 10.0.0.2

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=4.90 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=3.77 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=23.0 ms

Ping and confirm connectivity from Site #2:

➜  ip a show wg99
209: wg99: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/24 scope global wg99
       valid_lft forever preferred_lft forever

➜  ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.92 ms