----
peer: <fcos_public_key>
  preshared key: (hidden)
  endpoint: <FCOS IP address>:51820
  allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64
----

----
[root@wireguard-client ~]# ip a s wg0
21: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.71.2/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fdc9:3c6b:21c7:e6bd::2/64 scope global
       valid_lft forever preferred_lft forever
----
== Test the WireGuard connection

You can now ping the FCOS server's WireGuard IP address:

.Ping the FCOS server over WireGuard from the client
----
[root@wireguard-client ~]# ping 192.168.71.1
PING 192.168.71.1 (192.168.71.1) 56(84) bytes of data.
64 bytes from 192.168.71.1: icmp_seq=1 ttl=64 time=0.439 ms
64 bytes from 192.168.71.1: icmp_seq=2 ttl=64 time=0.422 ms
64 bytes from 192.168.71.1: icmp_seq=3 ttl=64 time=0.383 ms
^C
--- 192.168.71.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2027ms
rtt min/avg/max/mdev = 0.383/0.414/0.439/0.023 ms
[root@wireguard-client ~]# ping6 fdc9:3c6b:21c7:e6bd::1
PING fdc9:3c6b:21c7:e6bd::1(fdc9:3c6b:21c7:e6bd::1) 56 data bytes
64 bytes from fdc9:3c6b:21c7:e6bd::1: icmp_seq=1 ttl=64 time=1.55 ms
64 bytes from fdc9:3c6b:21c7:e6bd::1: icmp_seq=2 ttl=64 time=0.454 ms
64 bytes from fdc9:3c6b:21c7:e6bd::1: icmp_seq=3 ttl=64 time=0.424 ms
64 bytes from fdc9:3c6b:21c7:e6bd::1: icmp_seq=4 ttl=64 time=0.424 ms
^C
--- fdc9:3c6b:21c7:e6bd::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3054ms
rtt min/avg/max/mdev = 0.424/0.712/1.546/0.481 ms
----
When you run `sudo wg show` on your client you should see a recent handshake and a transfer section listing the bytes sent and received:

.Verify handshake and transfer metrics
----
peer: <fcos_public_key>
  preshared key: (hidden)
  endpoint: <Client IP address>:51820
  allowed ips: 192.168.71.0/24, fdc9:3c6b:21c7:e6bd::/64
  latest handshake: 9 seconds ago
  transfer: 22.02 KiB received, 22.28 KiB sent
----
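The handshake age is the quickest health signal a tunnel gives you: WireGuard re-handshakes roughly every two minutes while traffic flows, so a peer whose latest handshake is more than a few minutes old, or that never completed one, is effectively down. The script below is an added example, not part of the FCOS documentation or the WireGuard project; it reads the machine-readable `wg show <iface> dump` output (tab-separated, interface on the first line, then one line per peer with the latest handshake as epoch seconds and the raw rx/tx byte counters) and flags unhealthy peers. The sample dump it ships with is constructed, with placeholder keys and documentation-range addresses.

```sh
#!/bin/sh
# wg_peer_health: read `wg show <iface> dump` on stdin and report every peer whose
# latest handshake is missing or older than MAX_AGE seconds. Exit status 0 means all
# peers look healthy, 1 otherwise.
# Assumed dump layout (from wg(8)): line 1 describes the interface; each further line
# is tab-separated: pubkey, preshared-key, endpoint, allowed-ips, latest-handshake
# (epoch seconds, 0 = never), rx bytes, tx bytes, persistent-keepalive.
wg_peer_health() {
  now="$1"       # current epoch seconds, e.g. "$(date +%s)"
  max_age="$2"   # staleness threshold in seconds
  awk -F'\t' -v now="$now" -v max="$max_age" '
    NR == 1 { next }                          # skip the interface line
    {
      peer = substr($1, 1, 8) "..."           # abbreviate the public key for readability
      if ($5 == 0) { printf "%s: no handshake yet\n", peer; bad++; next }
      age = now - $5
      if (age > max) { printf "%s: stale handshake (%ds ago)\n", peer, age; bad++; next }
      printf "%s: ok (handshake %ds ago, rx=%s tx=%s)\n", peer, age, $6, $7
    }
    END { exit (bad > 0) }'
}

# Constructed sample dump (placeholder keys, not real ones): one healthy peer and one
# that never completed a handshake, as happens with a wrong endpoint or preshared key.
sample_dump() {
  printf 'SERVERPRIV=\tSERVERPUB=\t51820\toff\n'
  printf 'CLIENT1PUB=\tPSK1=\t203.0.113.10:51821\t192.168.71.2/32,fdc9:3c6b:21c7:e6bd::2/128\t1700000000\t22548\t22815\toff\n'
  printf 'CLIENT2PUB=\t(none)\t(none)\t192.168.71.3/32\t0\t0\t0\toff\n'
}

# Demo against the sample. On a live host run:
#   sudo wg show wg0 dump | wg_peer_health "$(date +%s)" 180
sample_dump | wg_peer_health 1700000009 180 || echo "at least one peer is unhealthy"
```

A threshold of 180 seconds matches WireGuard's own rekey timing closely enough to catch a dead peer without false alarms on an idle but keepalive-enabled tunnel; if a peer has no `PersistentKeepalive` and carries no traffic, its handshake legitimately ages, so only alert on peers you expect to be active.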
== Route all traffic over WireGuard

If you plan on forwarding all of your client's traffic through the FCOS instance you will need to enable IP forwarding and set some PostUp and PostDown directives:
.Example FCOS WireGuard configuration with IP forwarding
[source,yaml]
----
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/sysctl.d/90-ipv4-ip-forward.conf
      mode: 0644
      contents:
        inline: |
          net.ipv4.ip_forward = 1
    - path: /etc/sysctl.d/90-ipv6-ip-forwarding.conf
      mode: 0644
      contents:
        inline: |
          net.ipv6.conf.all.forwarding = 1
    - path: /etc/wireguard/wg0.conf
      mode: 0600
      contents:
        inline: |
          [Interface]
          Address = 192.168.71.1/24,fdc9:3c6b:21c7:e6bd::1/64
          PrivateKey = <fcos_private_key>
          ListenPort = 51820
          PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
          PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
----
FCOS uses https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[predictable interface names] by https://lists.fedoraproject.org/archives/list/coreos-status@lists.fedoraproject.org/thread/6IPTZL57Z5NLBMPYMXNVSYAGLRFZBLIP/[default]. Please take care to use the correct interface name for your hardware in the above PostUp and PostDown commands!
and set `AllowedIPs = 0.0.0.0/0,::/0` in `/etc/wireguard/wg0.conf` on the client to route all IPv4 and IPv6 traffic from the client computer over the WireGuard interface:

.A configuration for routing all traffic on the client over WireGuard
[source,ini]
----
[Interface]
Address = 192.168.71.2/24,fdc9:3c6b:21c7:e6bd::2/64
PrivateKey = <client_one_private_key>
ListenPort = 51821
----
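Two things go wrong most often with this setup: a `PostUp` rule that has no matching `PostDown`, which leaves NAT and forwarding rules behind after the tunnel is taken down, and a `MASQUERADE` rule naming an interface that does not exist on the FCOS host (the predictable-name caveat above). The lint below is an added example, not part of the FCOS documentation or the WireGuard project. It reads a `wg0.conf` on stdin and, in server mode, checks that every `-A` rule in `PostUp` has a `-D` twin in `PostDown` and that all `MASQUERADE` rules agree on one egress interface, which it prints so you can compare it against `ip link` on the host; in client mode it checks that `AllowedIPs` covers both `0.0.0.0/0` and `::/0`. It assumes the single-line, `;`-separated `PostUp`/`PostDown` form shown above; the two sample configurations are constructed, with placeholder keys and a documentation-range endpoint.

```sh
#!/bin/sh
# wg_conf_lint: sanity-check a WireGuard wg0.conf read on stdin before baking it into Butane.
#   server mode: every PostUp rule needs a PostDown twin (-A vs -D), and all MASQUERADE
#                rules must name the same egress interface (printed for comparison with `ip link`).
#   client mode: AllowedIPs must contain both 0.0.0.0/0 and ::/0 for a full tunnel.
# Exit status 0 means no findings. Assumes the ";"-separated single-line PostUp/PostDown form.
wg_conf_lint() {
  mode="$1"   # "server" or "client"
  awk -v mode="$mode" '
    BEGIN { split("", up); split("", down); split("", ifaces); split("", allowed) }
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # split a PostUp/PostDown value on ";" and record each rule with -A/-D normalised to -X
    function addrules(line, arr,    n, i, r, parts) {
      n = split(line, parts, /;/)
      for (i = 1; i <= n; i++) {
        r = trim(parts[i])
        if (r == "") continue
        gsub(/ -[AD] /, " -X ", r)
        arr[r] = 1
        if (r ~ /-j MASQUERADE/ && match(r, /-o [^ ]+/))
          ifaces[substr(r, RSTART + 3, RLENGTH - 3)] = 1
      }
    }
    /^PostUp[ \t]*=/   { sub(/^PostUp[ \t]*=[ \t]*/, "");   addrules($0, up) }
    /^PostDown[ \t]*=/ { sub(/^PostDown[ \t]*=[ \t]*/, ""); addrules($0, down) }
    /^AllowedIPs[ \t]*=/ {
      sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
      n = split($0, a, /,/)
      for (i = 1; i <= n; i++) allowed[trim(a[i])] = 1
    }
    END {
      bad = 0
      if (mode == "server") {
        for (r in up)   if (!(r in down)) { print "PostUp rule has no PostDown twin: " r; bad++ }
        for (r in down) if (!(r in up))   { print "PostDown rule has no PostUp twin: " r; bad++ }
        n = 0
        for (i in ifaces) { n++; print "MASQUERADE egress interface: " i }
        if (n == 0) { print "no MASQUERADE rule in PostUp/PostDown"; bad++ }
        if (n > 1)  { print "MASQUERADE rules name different egress interfaces"; bad++ }
      } else {
        if (!("0.0.0.0/0" in allowed)) { print "AllowedIPs lacks 0.0.0.0/0"; bad++ }
        if (!("::/0" in allowed))      { print "AllowedIPs lacks ::/0"; bad++ }
      }
      exit (bad > 0)
    }'
}

# Constructed server-side wg0.conf, mirroring the FCOS example above (placeholder key).
sample_server_conf() {
  cat <<'EOF'
[Interface]
Address = 192.168.71.1/24,fdc9:3c6b:21c7:e6bd::1/64
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
EOF
}

# Constructed full-tunnel client wg0.conf (placeholder keys, documentation-range endpoint).
sample_client_conf() {
  cat <<'EOF'
[Interface]
Address = 192.168.71.2/24,fdc9:3c6b:21c7:e6bd::2/64
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51821

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = 203.0.113.1:51820
AllowedIPs = 0.0.0.0/0,::/0
EOF
}

# Demo against the samples; on a real file use:  wg_conf_lint server < /etc/wireguard/wg0.conf
sample_server_conf | wg_conf_lint server
sample_client_conf | wg_conf_lint client && echo "client config routes all traffic over wg0"
```

Run the server check on the workstation where you edit the Butane file, then confirm the printed egress interface actually exists on the FCOS host. One caveat that the lint cannot see: the `-A FORWARD -i wg0 -j ACCEPT` rules only admit packets entering from `wg0`, so replies reach the clients because the `FORWARD` chain's default policy is `ACCEPT`; if you harden that policy to `DROP`, add a matching rule for established and related traffic heading back out of `wg0`.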