Sunday, January 29, 2023

Quick Note on WireGuard Configuration Files

Assume that we set up a VPN server and a number of clients that are peers of the server. Below are example configuration files.

  1. Server Configuration
    
    [Interface]
    Address = 10.188.0.1/32
    PrivateKey = (Private key of the server, generated via: (umask 077; wg genkey > server.private) so that the key file is readable only by its owner)
    ListenPort = 51820
    
    
    
    [Peer]
    PublicKey = (Public key of the client, generated via: wg genkey | tee client.2.private | wg pubkey)
    AllowedIPs = 10.188.0.2/32
    
    [Peer]
    PublicKey = (Public key of the client, generated via: wg genkey | tee client.3.private | wg pubkey)
    AllowedIPs = 10.188.0.3/32
    
    [Peer]
    PublicKey = (Public key of the client, generated via: wg genkey | tee client.4.private | wg pubkey)
    AllowedIPs = 10.188.0.4/32
    
    [Peer]
    PublicKey = (Public key of the client, generated via: wg genkey | tee client.5.private | wg pubkey)
    AllowedIPs = 10.188.0.5/32  
    
    • On the server, the AllowedIPs of a Peer section is the tunnel address (or range) that this client's key is allowed to send from, and the destination that the server routes back to that peer; this is WireGuard's cryptokey routing. It does not push an address to the client: the client sets the same address itself under its own Interface section, and the two must agree. Each address can belong to only one peer. With wg-quick, a route to every peer's AllowedIPs is added automatically, which is why a /32 Address on the server is sufficient here.
  2. Client Configuration
    
    [Interface]
    Address = 10.188.0.5/32
    PrivateKey = (Private key of the client, e.g., the content of client.5.private)
    DNS = 192.168.1.1,1.1.1.1,8.8.8.8
    
    
    
    [Peer]
    PublicKey = (Public key of the server, generated via: cat server.private | wg pubkey)
    AllowedIPs = 10.188.0.1/32,10.188.0.5/32
    Endpoint = Server_Public_IP_OR_Hostname:51820
    
    
    • On the client, AllowedIPs controls which destinations are routed into the tunnel (and which source addresses are accepted from the server). My experience is that you must grant access to the server, i.e., it must include the server's IP address 10.188.0.1; otherwise, there will be a reachability problem.
    • Since it is the client that initiates the connection, the Endpoint (the server's public address or hostname and its ListenPort) must be included. The server needs no Endpoint for its peers because it learns each client's address from the client's first authenticated packet.
    • Numerous examples on the Web use AllowedIPs = 0.0.0.0/0,::/0 as part of the client configuration. Although further investigation is needed to confirm it, my experience is that this can be a problematic setup for Windows clients, in particular when both the server and the client reside in private networks with the same network prefix, e.g., 192.168.1.0/24. Windows does not appear to set up proper routes and appears to be confused about which private network it should reach when given an IP address like 192.168.1.1. My experience is that when this happens, ping on Windows reports "General Failure."
