Wireguard installation

SansSerif

New Member


Messages: 2

Hello!
I would like to ask how I can install WireGuard on my FreeBSD machine. Yeah, I know this sounds pretty bad, but I'm a noob and just started with FreeBSD. I found a tutorial on the official WireGuard webpage (https://www.wireguard.com/quickstart/), but I still don't know how. There was a command IP that is not installed on my machine (IP: command not found), so I decided to run "sudo pkg install ip". It didn't work, so I'm asking here. Can someone post some instructions on how to do that? (Again: I'm starting with FreeBSD.)

Sorry for my bad English
 

Bucky

Member

Reaction score: 8
Messages: 39

Here are my notes from when I installed it a couple of years ago. There is no quick-and-easy way to get this running. You need to understand how a VPN works in order to understand what the various parts below mean. Running on FBSD 11.3 presently:

|# pkg search wireguard
|# pkg install ...

|# cd /usr/local/etc/wireguard
|# umask 077
|# wg genkey > server-private.key
|# wg pubkey < server-private.key > server-public.key
|# wg genkey > client0-private.key
|# wg pubkey < client0-private.key > client0-public.key
|# wg genpsk > client0.psk # .psk = pre-shared key

each additional client computer needs its own keys
|# wg genkey > client1-private.key
|# wg pubkey < client1-private.key > client1-public.key
|# wg genpsk > client1.psk

|# touch wg0.conf
|# touch client0.conf
// the 'server' end of the tunnel can see lots of peers (clients)
|# ee wg0.conf
# server
[Interface]
Address = 10.14.28.1/24 #, fc00:23:5::1/64, inside tunnel
ListenPort = 1500
PrivateKey = < server private key>
DNS = 10.0.1.1

# client0
[Peer]
PublicKey = < client0 public key >
PresharedKey = < client0 pre-shared key >
AllowedIPs = 10.14.28.2/32 #, fc00:23:5::2/128, inside tunnel, clients may not share AllowedIPs

# client1
#[Peer]
#PublicKey = < client1 public key >
#PresharedKey = < client1 pre-shared key >
#AllowedIPs = 10.14.28.3/32 #, fc00:23:5::3/128, inside tunnel, clients may not share AllowedIPs

# -EOF-

the server side...
|# sysrc gateway_enable="YES"
-or-
|# sysctl net.inet.ip.forwarding=1
|# ee /etc/sysctl.conf
net.inet.ip.forwarding=1
# -EOF-

|# sysrc wireguard_enable=YES
|# sysrc wireguard_interfaces=wg0

be sure the /etc/pf.conf NAT covers all interfaces

|# service wireguard start

check on the wireguard daemon

|# netstat -4rn
|# top
|# ps -auxc
|# sockstat -4l

on the client side...

// the client end of the tunnel can only see one peer (server)
|# ee client0.conf
# client0
[Interface]
PrivateKey = < client0 private key >
Address = 10.14.28.2/24 #, fc00:23:5::2/64

# server
[Peer]
PublicKey = < server public key >
PresharedKey = < client0 pre-shared key >
Endpoint = 10.0.0.133:1500 # FQDN:1500
AllowedIPs = 0.0.0.0/0 #, ::/0, all traffic thru the tunnel

# -EOF-

the client computer will need a 'client' which talks to the
wireguard server.

fetch from https://tunsafe.com/
TunSafe-1.4-x64.zip // the windows client is in here
TunSafe-TAP-9.21.2.exe // windows interface

I found these sites very helpful:

<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/>
<https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-android/>
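
An added example, not part of the original posts: a small Python check that a client config and the server's wg0.conf agree on the points the notes above depend on (the same PresharedKey on both ends, the client Address inside the server's AllowedIPs for that peer, no two peers sharing AllowedIPs). The function names and sample configs are constructed for illustration, and the keys are placeholders.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if line.startswith("["):
            cur = iface if line.lower() == "[interface]" else {}
            if line.lower() == "[peer]":
                peers.append(cur)
        elif line and cur is not None:
            key, _, val = line.partition("=")    # base64 '=' padding stays in val
            cur[key.strip()] = val.strip()
    return iface, peers

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def check(server_text, client_text, client_pub):
    """Return findings for one client config checked against the server config."""
    _, s_peers = parse_wg(server_text)
    c_if, c_peers = parse_wg(client_text)
    entry = next((p for p in s_peers if p.get("PublicKey") == client_pub), None)
    if entry is None or not c_peers:
        return ["peer entry missing on one side"]
    out = []
    # A PSK set on only one end (or two different PSKs) makes the handshake fail.
    if entry.get("PresharedKey") != c_peers[0].get("PresharedKey"):
        out.append("PresharedKey mismatch")
    # The server only accepts tunnel packets sourced from the peer's AllowedIPs.
    allowed = nets(entry.get("AllowedIPs", ""))
    for addr in filter(None, map(str.strip, c_if.get("Address", "").split(","))):
        if not any(ipaddress.ip_interface(addr).ip in n for n in allowed):
            out.append(f"client address {addr} outside server AllowedIPs")
    # Two peers must not claim overlapping AllowedIPs.
    for i, a in enumerate(s_peers):
        for b in s_peers[i + 1:]:
            if any(x.version == y.version and x.overlaps(y)
                   for x in nets(a.get("AllowedIPs", "")) for y in nets(b.get("AllowedIPs", ""))):
                out.append("overlapping AllowedIPs between server peers")
    return out

# Constructed sample configs; the key strings are placeholders, not real key material.
SERVER = ("[Interface]\nAddress = 10.14.28.1/24\nListenPort = 1500\n"
          "[Peer]\nPublicKey = CLIENT0_PUB\nPresharedKey = CLIENT0_PSK\nAllowedIPs = 10.14.28.2/32\n"
          "[Peer]\nPublicKey = CLIENT1_PUB\nAllowedIPs = 10.14.28.2/32\n")
CLIENT0 = ("[Interface]\nAddress = 10.14.28.2/24\n"
           "[Peer]\nPublicKey = SERVER_PUB\n# PresharedKey = CLIENT0_PSK\nAllowedIPs = 0.0.0.0/0\n")
print(check(SERVER, CLIENT0, "CLIENT0_PUB"))
```

An empty list means the two files are consistent on these three points; it does not verify the key material itself.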
 