2022-03-08
Configuring Wireguard to allow a "road-warrior" (aka point-to-site) setup using OPNsense and systemd-networkd.
Note: Wireguard views every connection as a peer. I'll use the terms client/point and server/site to better differentiate between each peer.
Keys need to be generated for each point that wants to connect and cannot be reused.
The following commands will create the three key files a point will need to connect to the site: a private key, a public key, and a pre-shared key.
$ wg genkey | (umask 0077 && tee wg-point-private.key) | wg pubkey > wg-point-public.key
$ wg genpsk | (umask 0077 && tee site-point.psk)

OPNsense has an excellent walkthrough on configuring the site side of the VPN connection. Follow along with WireGuard Road Warrior Setup up to configuring the client.
Make sure to note the "Tunnel Address" (10.10.10.1/24),
the client peer "Allowed IPs" (10.10.10.2/32), and the
port chosen (51820). These will be used later.
To configure a point using systemd-networkd, four files need to be created in the /etc/systemd/network/ directory: an XX-wg0.netdev, an XX-wg0.network, wg-point-private.key, and site-point.psk.

Note: Both the *.key and *.psk files contain secrets. It is recommended that only root and systemd-network have access to them.

# chown root:systemd-network /etc/systemd/network/<KEY_FILE>
# chmod 0640 /etc/systemd/network/<KEY_FILE>
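As an added example (my own, not code from the original post), here is a small POSIX shell check that verifies a key or preshared-key file has the recommended ownership and mode before systemd-networkd is pointed at it. It assumes a Linux stat that supports the -c format option (GNU coreutils or busybox), and it takes an explicit owner and group so it can be run against files owned by other accounts; the defaults are the root and systemd-network pair recommended above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a WireGuard
# secret file (wg-point-private.key or site-point.psk) has the ownership
# and mode recommended above.  Assumes GNU/busybox "stat -c" (Linux).
#
# Usage: check_secret_file FILE [OWNER] [GROUP]
# Defaults: OWNER=root GROUP=systemd-network (the networkd service user).
# Returns 0 when the file is acceptable, 1 otherwise, explaining why.
check_secret_file() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-systemd-network}

    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi

    # %U owner name, %G group name, %a mode in octal (e.g. 640)
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1
    group=$2
    mode=$3
    status=0

    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner is $owner, expected $want_owner" >&2
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group" >&2
        status=1
    fi
    # systemd-networkd only needs to read the file as its group; anything
    # looser than 0640 (or the stricter 0600) exposes the key to other users.
    case $mode in
        640|600) ;;
        *)
            echo "$file: mode $mode, expected 640 or 600" >&2
            status=1
            ;;
    esac
    return $status
}

# Check every key and preshared-key file in a directory.
# Usage: check_secret_dir DIR [OWNER] [GROUP]; returns 1 if any file fails.
check_secret_dir() {
    dir=$1
    shift
    rc=0
    for f in "$dir"/*.key "$dir"/*.psk; do
        [ -e "$f" ] || continue      # unmatched glob, nothing to check
        check_secret_file "$f" "$@" || rc=1
    done
    return $rc
}

# Example: check_secret_dir /etc/systemd/network && echo "secrets look fine"
```

Run it after the chown and chmod above; a non-zero exit with a message on stderr tells you which file would either be unreadable to systemd-networkd (wrong owner or group) or readable by everyone on the host.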
XX-wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard
Description=Homelab Tunnel

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg-point-private.key

[WireGuardPeer]
PublicKey=<Site Peer Public Key>
PresharedKeyFile=/etc/systemd/network/site-point.psk
Endpoint=<Site Peer IP or Domain>:<Port>
AllowedIPs=0.0.0.0/0

Destinations under the [Route] header in XX-wg0.network define what systemd-networkd routes through the VPN.
XX-wg0.network:

[Match]
Name=wg0

[Network]
# The point peer's address
Address=10.10.10.2/32

# One [Route] section per destination; the gateway is the site peer's address.
[Route]
Gateway=10.10.10.1
Destination=10.10.10.0/24
GatewayOnLink=true

[Route]
Gateway=10.10.10.1
Destination=10.0.3.0/24
GatewayOnLink=true

By default systemd-networkd routes only packets that match the Destinations defined in 99-wg0.network through the tunnel. To turn the VPN off, run networkctl down wg0; to turn it back on, run networkctl up wg0.
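To show the pieces fitting together, here is an added example (my own, not code from the original post, OPNsense or systemd): a POSIX shell script that renders the point's .netdev and .network files from the values above, writing one [Route] section per destination, plus a small awk lint that flags the mistake of stacking several Destination= lines in a single [Route] section, which systemd-networkd would reduce to the last one. The site public key and endpoint are placeholders (PUBKEY, ENDPOINT); the key paths and addresses are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: render the point-side
# systemd-networkd files and lint the [Route] sections.
# The addresses and key paths are the ones used above; PUBKEY and
# ENDPOINT are placeholders for the site peer's values.

# Print XX-wg0.netdev.
# Arguments: PRIVATE_KEY_FILE PRESHARED_KEY_FILE SITE_PUBLIC_KEY ENDPOINT(host:port)
render_netdev() {
    cat <<EOF
[NetDev]
Name=wg0
Kind=wireguard
Description=Homelab Tunnel

[WireGuard]
PrivateKeyFile=$1

[WireGuardPeer]
PublicKey=$3
PresharedKeyFile=$2
Endpoint=$4
AllowedIPs=0.0.0.0/0
EOF
}

# Print XX-wg0.network.
# Arguments: POINT_ADDRESS SITE_GATEWAY DESTINATION...
render_network() {
    addr=$1
    gw=$2
    shift 2
    printf '[Match]\nName=wg0\n\n[Network]\nAddress=%s\n' "$addr"
    for dest in "$@"; do
        # One [Route] section per destination: a section holds a single
        # Destination=, and a repeated key would override the earlier one.
        # GatewayOnLink=true is needed because the /32 address gives the
        # kernel no connected route to the gateway.
        printf '\n[Route]\nGateway=%s\nDestination=%s\nGatewayOnLink=true\n' "$gw" "$dest"
    done
}

# Lint a .network file read from stdin: print the number of [Route]
# sections that carry more than one Destination= line (0 means clean).
lint_routes() {
    awk '
        /^\[/ {
            if (section == "[Route]" && n > 1) bad++
            section = $0; n = 0; next
        }
        section == "[Route]" && /^Destination=/ { n++ }
        END {
            if (section == "[Route]" && n > 1) bad++
            print bad + 0
        }'
}

# Example run with the post's values (as root):
#   render_netdev /etc/systemd/network/wg-point-private.key \
#       /etc/systemd/network/site-point.psk PUBKEY ENDPOINT:51820 \
#       > /etc/systemd/network/99-wg0.netdev
#   render_network 10.10.10.2/32 10.10.10.1 10.10.10.0/24 10.0.3.0/24 \
#       > /etc/systemd/network/99-wg0.network
#   lint_routes < /etc/systemd/network/99-wg0.network   # prints 0
#   systemctl restart systemd-networkd && networkctl status wg0
```

The lint is worth keeping around even if you write the files by hand: a [Route] section with two Destination= lines loads without error, but only the last subnet ends up routed through the tunnel, and the first one silently keeps going out the default interface.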