Nerdberg Wireguard VPN with Systemd-Networkd: Difference between revisions

From Nerdberg
Vogelchr (talk | contribs)
m (fix formatting)
Vogelchr (talk | contribs)
(17 intermediate revisions by the same user not shown)

Current revision as of 16 August 2025, 14:47

Template for a VPN config usable with vpn.nerdberg.de, to be used with systemd-networkd. I'm using Arch, by the way.

Configure the VPN

Create two files, wg-nerdberg.netdev and wg-nerdberg.network, in /etc/systemd/network according to the templates below. Then create a new VPN endpoint in the web UI of vpn.nerdberg.de and fill in the keys and addresses it gives you where the placeholders indicate.

Template for wg-nerdberg.netdev

It's a systemd.netdev file. Note that AllowedIPs below lists only IPv4 prefixes. WireGuard uses AllowedIPs for cryptokey routing, so the IPv6 addresses assigned in the .network file will not carry traffic through the tunnel unless the matching IPv6 prefix is added to AllowedIPs as well.

This file should be owned by root, group systemd-network (systemd-networkd runs as that user and has to read it), with mode 0640, i.e. -rw-r-----: writable by root, readable by the group, not readable by world, because it contains the WireGuard private key and the preshared key. If the file is world-readable the VPN still works, but every local account can read your keys, and systemd-networkd complains in the journal on every boot: "/etc/systemd/network/wg-nerdberg.netdev has 0644 mode that is too permissive, please adjust the ownership and access mode."

  [NetDev]
  Name=wg-nerdberg
  Kind=wireguard
  Description=Nerdberg Tunnel Endpoint
  MTUBytes=1280
  
  [WireGuard]
  ListenPort=51902
  # private key as created by the vpn server
  # (keep comments on their own line: systemd does not support comments at the
  # end of a line, a trailing "# ..." would become part of the value)
  PrivateKey=ABC123....=
  
  [WireGuardPeer]
  # public key and preshared key as created by the vpn server
  PublicKey=ABC123...=
  PresharedKey=ABC123...=
  AllowedIPs=10.73.36.0/23,10.3.2.0/24
  Endpoint=vpn.nerdberg.de:51820
  PersistentKeepalive=25
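
The ownership and mode requirement above can be checked rather than remembered. The script below is an added example (mine, not from the Nerdberg page or the VPN server) that audits every .netdev file in a directory for embedded WireGuard key material and reports files that are readable by world, writable by the group, or not owned by the expected owner and group. The function name and its DIR/OWNER/GROUP parameters are my own choice; the defaults are the page's recommendation of root:systemd-network, and it relies on GNU coreutils stat(1).

```shell
#!/bin/sh
# Added example, not part of the Nerdberg page: audit systemd-networkd .netdev files that
# embed WireGuard key material and report any that are readable by "other", writable by
# the group, or not owned by the expected owner and group. Uses GNU coreutils stat(1).
#
# audit_netdev_secrets [DIR] [OWNER] [GROUP]   (assumed interface; defaults match the page)
# Returns 0 if every secret-bearing file passes, 1 otherwise.
audit_netdev_secrets() {
    dir="${1:-/etc/systemd/network}"
    want_owner="${2:-root}"
    want_group="${3:-systemd-network}"
    rc=0
    for f in "$dir"/*.netdev; do
        [ -f "$f" ] || continue
        # Files without key material (bridges, vlans, ...) may stay world-readable.
        grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=' "$f" || continue
        mode=$(stat -c '%a' "$f")      # e.g. 640, or 2640 when setgid is set
        owner=$(stat -c '%U' "$f")
        group=$(stat -c '%G' "$f")
        other=$(printf '%s' "$mode" | tail -c 1)             # permission digit for "other"
        grp=$(printf '%s' "$mode" | tail -c 2 | head -c 1)   # permission digit for the group
        ok=1
        [ "$other" = 0 ] || ok=0                             # any world access leaks the key
        case "$grp" in 0|4) ;; *) ok=0 ;; esac               # group may read (0640), never write
        [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] || ok=0
        if [ "$ok" = 1 ]; then
            echo "ok:       $f ($mode $owner:$group)"
        else
            echo "INSECURE: $f ($mode $owner:$group, want 0640 $want_owner:$want_group)"
            rc=1
        fi
    done
    return "$rc"
}

# Live usage on a real system (as root):  sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_netdev_secrets "${2:-/etc/systemd/network}"
fi
```

Fix anything it reports with chown root:systemd-network FILE and chmod 0640 FILE; a stricter 0600 also passes, because then systemd-networkd's warning about a too permissive mode never triggers.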

Template for wg-nerdberg.network

It's a systemd.network file. (ActivationPolicy= in the [Link] section requires systemd 248 or newer.)

  [Match]
  Name=wg-nerdberg
  
  [Link]
  # next line requires "networkctl up wg-nerdberg" to start the vpn
  # set ActivationPolicy=up, or comment out this line, to always start the vpn on machine boot
  ActivationPolicy=manual
  RequiredForOnline=no
  
  [Network]
  IPv6AcceptRA=false
  LinkLocalAddressing=no
  DHCP=no
  
  # replace both addresses with the ones created by the vpn server
  # (comments must stay on their own line, systemd does not parse trailing comments)
  [Address]
  Address=10.3.2.120/32
  Peer=10.3.2.1/32
  
  [Address]
  Address=fd00::3:2:b0/128
  Peer=fd00::3:2:1/128
  
  # on-link
  [Route]
  Destination=10.3.2.0/24
  Gateway=10.3.2.1
  
  # LAN
  [Route]
  Destination=10.73.36.0/23
  Gateway=10.3.2.1

Verify your configuration...

Systemd Networkd

Use systemd-networkd's networkctl utility for that.

  [root@thinkcentre ~]# networkctl status wg-nerdberg
  ● 6: wg-nerdberg
                   NetDev File: /etc/systemd/network/wg-nerdberg.netdev
                     Link File: /usr/lib/systemd/network/99-default.link
                  Network File: /etc/systemd/network/wg-nerdberg.network
                         State: routable (configured)
                  Online state: online                                         
                          Type: wireguard
                          Kind: wireguard
                        Driver: wireguard
                           MTU: 1280 (max: 2147483552)
                         QDisc: noqueue
  IPv6 Address Generation Mode: none
      Number of Queues (Tx/Rx): 1/1
                       Address: 10.3.2.120
                                fd00::3:2:b0
             Activation Policy: manual
           Required For Online: no
  
  Aug 16 14:31:06 thinkcentre systemd-networkd[372]: wg-nerdberg: netdev ready
  Aug 16 14:31:06 thinkcentre systemd-networkd[372]: wg-nerdberg: Configuring with /etc/systemd/network/wg-nerdberg.network.
  Aug 16 14:31:06 thinkcentre systemd-networkd[372]: wg-nerdberg: Link UP
  Aug 16 14:31:06 thinkcentre systemd-networkd[372]: wg-nerdberg: Gained carrier

Wireguard Device

Use WireGuard's wg utility for that.

  # wg show
  interface: wg-nerdberg
    public key: KOMmBnaj4ebyJbcLuSCjTLCoyTuV5ZON2nArENP4BGE=
    private key: (hidden)
    listening port: 51902
  
  peer: ZasbMPoNaD0OGfqm/PQgs+cO/Mhz6ePYFlSB77KyUmU=
    preshared key: (hidden)
    endpoint: 212.172.14.27:51820
    allowed ips: 10.3.2.0/24, 10.73.36.0/23
    latest handshake: 13 seconds ago
    transfer: 38.03 MiB received, 1.59 MiB sent
    persistent keepalive: every 25 seconds

Address

Use iproute2's ip addr for that.

  # ip addr show dev wg-nerdberg
  6: wg-nerdberg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
      link/none 
      inet 10.3.2.120 peer 10.3.2.1/32 scope global wg-nerdberg
         valid_lft forever preferred_lft forever
      inet6 fd00::3:2:b0 peer fd00::3:2:1/128 scope global 
         valid_lft forever preferred_lft forever

Route

Use iproute2's ip route for that.

  # ip route show dev wg-nerdberg
  10.3.2.0/24 via 10.3.2.1 proto static 
  10.3.2.1 proto kernel scope link src 10.3.2.120 
  10.73.36.0/23 via 10.3.2.1 proto static