User:Maffblaster/Drafts/WireGuard

From Gentoo Wiki
Jump to: navigation, search
Resources

WireGuard is a modern, secure VPN that utilities start-of-the-art cryptography. Its goal is to be similar, faster, and easier to configure than other VPN software stacks.

Wireguard is written and maintained by Jason A. Donenfeld (zx2c4), a Gentoo developer.

Official and potentially more up-to-date installation instructions can be found upstream.

Installation

Unmasking

Currently there are no official packaged releases for WireGuard, although the live version was added to the Portage tree. Instruct Portage to allow the live repository installed by appending the following line to package.keywords which will unmask the file:

FILE /etc/portage/package.keywords
=net-misc/wireguard-9999 **

Kernel

Attempting to install WireGuard without having a few specific kernel options enabled will cause the merge to fail. A few of the symbols can only be set by setting other options. Perform the necessary work to have the following symbols enabled before moving on to the next section:

  • CONFIG_NET - For basic networking support.
  • CONFIG_INET - For basic IP support.
  • CONFIG_NET_UDP_TUNNEL - For sending and receiving UDP packets.
  • CONFIG_NF_CONNTRACK - For determining the source address when constructing ICMP packets.
  • CONFIG_NETFILTER_XT_MATCH_HASHLIMIT - For ratelimiting when under DoS attacks.
  • CONFIG_IP6_NF_IPTABLES - Only if using CONFIG_IPV6 for ratelimiting when under DoS attacks.
  • CONFIG_CRYPTO_BLKCIPHER - For doing scatter-gather I/O.
  • CONFIG_PADATA - For parallel crypto, only available on multi-core machines.[1]
KERNEL Enable kernel support for WireGuard[2]
[*] Networking support -->
    Networking options -->
        [*] TCP/IP networking
        [*]   IP: Foo (IP protocols) over UDP
        [*] Network packet filtering framework (Netfilter) -->
            [*] Advanced netfilter configuration
            Core Netfilter Configuration -->
                [*] Netfilter connection tracking support
                [*] Netfilter Xtables support
                [*]   "hashlimit" match support
            [*] IPv6: Netfilter Configuration (only if using IPv6)
[*] Cryptographic API -->
    [*] Cryptographic algorithm manager
    [*] Parallel crypto engine

Emerge

Finally, emerge the package:

root #emerge --ask net-misc/wireguard
Important
WireGuard is in the process of being mainlined into the Linux kernel. Until it is included with the kernel sources, users will need to rebuild the module when upgrading or downgrading the Linux kernel on their systems. After building the new kernel sources, this can be done by using the @module-rebuild set:


root #emerge --ask @module-rebuild

Configuration

Kernel module loading

Be sure to instruct the init system to load the WireGuard kernel modules when the system boots.

OpenRC

FILE /etc/conf.d/modules
modules="wireguard"

Be sure the modules service is set to run in the boot runlevel:

root #rc-update add modules boot

systemd

systemd users will need to create a new file in the /etc/modules-load.d/ directory in order to instruct the module loading service to get the module loaded on boot:

FILE /etc/modules-load.d/wireguard.conf
wireguard

Key generation

It is necessary to generate keys before connecting to any networks. Following the conventional schema home directory layout, create a directory to hold WireGuard's keys:

user $mkdir ~/.wireguard

Next, use the key generation to create a key pair:

user $umask 077
user $wg genkey | tee privatekey | wg pubkey > publickey

File

Usage

Invocation

Troubleshooting

Issue 1

Removal

Unmerge

root #emerge --ask --depclean net-misc/wireguard

See also

  • OpenVPN - Robust and highly flexible tunneling application.

External resources

References