VPN : OpenVPN & Wireguard
Alexis edited this page Sep 29, 2023 · 4 revisions
- https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/
- If firewalld is used on the VPN server, add the tunnel interface to the trusted zone:
  ```sh
  firewall-cmd --zone=trusted --add-interface=as0t0 --permanent
  ```
- If the openvpn-as service fails to start (for example after the installation was moved), use `sqlite3` to edit its DB files.
- Run OpenVPN at boot
  - https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/
  - The client profile/configuration must be auto-login (no username or password required).
  ```sh
  mv clientABC.ovpn clientABC.conf
  cp clientABC.conf /etc/openvpn/client/
  systemctl enable openvpn-client@clientABC
  # The unit finds clientABC.conf automatically, starts it at boot and keeps it alive.
  ```
- For Windows 10:
  - `0.0.0.0/0, ::/0` replaces the default route and makes sure traffic cannot leave through an untunnelled interface.
  - `0.0.0.0/1, 128.0.0.0/1` uses two more-specific routes that win over the default route without replacing it; once the VPN is down, these routes disappear and traffic falls back to the default route (the untunnelled interface).
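The boot-time client setup above silently breaks if the profile still expects a username/password: `openvpn-client@` blocks on the prompt and never comes up. The following shell example (added here, not part of the original notes) checks that a profile is auto-login before installing it into `/etc/openvpn/client/`; the profile names, the target directory parameter and the sample `.ovpn` contents are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original notes): refuse to install an OpenVPN
# client profile for openvpn-client@ unless it can connect unattended.
# An auto-login profile carries its own credentials (inline <cert>/<key>/<pkcs12>
# or cert/key/pkcs12 directives) and must NOT contain auth-user-pass.

# is_autologin_profile FILE -> exit 0 if the profile can connect without a prompt
is_autologin_profile() {
    f="$1"
    [ -r "$f" ] || return 1
    # auth-user-pass (with or without a file argument) adds a username/password
    # step, so the profile is not auto-login
    if grep -Eq '^[[:space:]]*auth-user-pass' "$f"; then
        return 1
    fi
    # some client credential must be present
    if grep -Eq '^[[:space:]]*(<cert>|<key>|<pkcs12>|cert |key |pkcs12 )' "$f"; then
        return 0
    fi
    return 1
}

# install_profile FILE NAME [CLIENT_DIR]: copy the profile as NAME.conf into the
# openvpn-client@ directory and print the enable command. CLIENT_DIR defaults to
# /etc/openvpn/client; it is a parameter so the function can run against a
# scratch directory (constructed for this example).
install_profile() {
    src="$1"; name="$2"; dir="${3:-/etc/openvpn/client}"
    is_autologin_profile "$src" || { echo "refusing: $src is not an auto-login profile" >&2; return 1; }
    mkdir -p "$dir"
    cp "$src" "$dir/$name.conf"
    chmod 600 "$dir/$name.conf"   # the profile embeds the client's private key
    echo "systemctl enable openvpn-client@$name"
}

# --- constructed sample profiles so the script runs offline ---
tmp="$(mktemp -d)"
cat > "$tmp/good.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIBconstructedSampleNotARealKey
-----END PRIVATE KEY-----
</key>
EOF
cat > "$tmp/bad.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
<cert>
constructed
</cert>
EOF

is_autologin_profile "$tmp/good.ovpn" && echo "good.ovpn: auto-login, safe for boot"
is_autologin_profile "$tmp/bad.ovpn"  || echo "bad.ovpn: needs credentials, not suitable for boot"
install_profile "$tmp/good.ovpn" clientABC "$tmp/client"
```

The `chmod 600` matters because an auto-login profile is itself a credential: whoever can read the `.conf` can join the VPN as that client.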
- Systemd service: `/usr/lib/systemd/system/wg-quick@.service`
  ```sh
  systemctl enable wg-quick@wg0.service --now
  ```
- To auto-reload when `/etc/wireguard/wg0.conf` has changed,
- Firewalld: https://www.procustodibus.com/blog/2021/07/wireguard-firewalld/#point-to-site
- Full VPN (all traffic via the VPN): https://blog.ruanbekker.com/blog/2020/01/11/setup-a-wireguard-vpn-server-on-linux/
  - Do not forget to add SNAT/masquerade rules in iptables/nftables; disabling firewalld isn't enough.
- When the network is up but internet access (and therefore DNS) isn't yet, resolving the peer endpoint fails and WireGuard stops permanently. Make it retry until it succeeds:
  ```
  $ cat /usr/lib/systemd/system/wg-quick@.service
  [Unit]
  Description=WireGuard via wg-quick(8) for %I
  After=network-online.target nss-lookup.target
  Wants=network-online.target nss-lookup.target
  PartOf=wg-quick.target
  Documentation=man:wg-quick(8)
  Documentation=man:wg(8)
  Documentation=https://www.wireguard.com/
  Documentation=https://www.wireguard.com/quickstart/
  Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
  Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

  [Service]
  Type=oneshot
  Restart=on-failure
  RestartSec=30
  RemainAfterExit=yes
  ExecStart=/usr/bin/wg-quick up %i
  ExecStop=/usr/bin/wg-quick down %i
  ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
  Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

  [Install]
  WantedBy=multi-user.target
  ```
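Editing the packaged unit under `/usr/lib/systemd/system/` works until the next `wireguard-tools` upgrade overwrites it. The shell example below (added here, not part of the original notes or of the WireGuard project) writes the same retry settings as a systemd drop-in under `/etc/systemd/system/wg-quick@.service.d/`, which survives upgrades, and checks that the file carries both knobs that make the "DNS not ready at boot" failure recoverable. The base directory is a parameter so the function can run against a scratch directory; it assumes a systemd recent enough to accept `Restart=` on a `Type=oneshot` unit (older releases refuse it and the unit fails to load).

```sh
#!/bin/sh
# Added example (not from the original notes): keep the wg-quick retry settings
# in a drop-in override instead of editing the packaged unit file.

# write_wg_override [BASE_DIR]: create BASE_DIR/wg-quick@.service.d/retry.conf
# and print its path. BASE_DIR defaults to /etc/systemd/system; it is a
# parameter so the example can be exercised on a scratch directory.
write_wg_override() {
    base="${1:-/etc/systemd/system}"
    d="$base/wg-quick@.service.d"
    mkdir -p "$d"
    cat > "$d/retry.conf" <<'EOF'
[Unit]
# do not start before name resolution can work
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target

[Service]
# wg-quick is Type=oneshot; recent systemd accepts Restart= on oneshot units,
# older releases refuse it and the unit fails to load
Restart=on-failure
RestartSec=30
# let wg-quick itself keep retrying endpoint DNS resolution instead of exiting
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
EOF
    printf '%s\n' "$d/retry.conf"
}

# has_retry_settings FILE -> exit 0 if FILE contains both settings that turn the
# one-shot DNS failure into a retried start
has_retry_settings() {
    grep -q '^Restart=on-failure' "$1" &&
    grep -q '^Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity' "$1"
}

# stand-alone run against a scratch directory (constructed for the example)
scratch="$(mktemp -d)"
f="$(write_wg_override "$scratch")"
has_retry_settings "$f" && echo "drop-in written: $f"
echo "next step on a real host: systemctl daemon-reload && systemctl restart wg-quick@wg0"
```

Run `write_wg_override` without an argument on the VPN host, then `systemctl daemon-reload`; `systemctl cat wg-quick@wg0` shows the packaged unit followed by the drop-in, which is how to confirm the override is actually applied.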