...
Update the repo
Code Block
[root@pikvm pisugar-archlinux]# rw
+ mount -o remount,rw /
+ mount -o remount,rw /boot
+ set +x
=== PiKVM is in Read-Write mode ===
[root@pikvm pisugar-archlinux]# sudo pacman -Syy
:: Synchronizing package databases...
 core 239.0 KiB 79.1 KiB/s 00:03 [###################################] 100%
 extra 9.0 MiB 414 KiB/s 00:22 [###################################] 100%
 community 45.0 B 121 B/s 00:00 [###################################] 100%
 alarm 94.8 KiB 243 KiB/s 00:00 [###################################] 100%
 aur 9.3 KiB 12.1 KiB/s 00:01 [###################################] 100%
 pikvm 10.7 KiB 3.00 KiB/s 00:04 [###################################] 100%
Install WireGuard
Code Block
[root@pikvm pisugar-archlinux]# pacman -S wireguard-tools
resolving dependencies...
looking for conflicting packages...

Packages (1) wireguard-tools-1.0.20210914-2

Total Download Size: 0.08 MiB
Total Installed Size: 0.22 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
 wireguard-tools-1.0.20210914-... 80.4 KiB 45.4 KiB/s 00:02 [###################################] 100%
(1/1) checking keys in keyring [###################################] 100%
(1/1) checking package integrity [###################################] 100%
(1/1) loading package files [###################################] 100%
(1/1) checking for file conflicts [###################################] 100%
(1/1) checking available disk space [###################################] 100%
:: Processing package changes...
(1/1) installing wireguard-tools [###################################] 100%
Optional dependencies for wireguard-tools
    openresolv: for DNS functionality [installed]
    sudo: elevate privileges [installed]
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
Create private and public keys
Code Block
wg genkey | tee privatekey | wg pubkey > publickey
Create the config file
Now you can configure the server: add a new file called /etc/wireguard/wg0.conf. Insert the following configuration lines and replace the <server-private-key> placeholder with the previously generated private key.
Code Block
vi /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <server-private-key>
Address = 10.99.0.1/32
#SaveConfig
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE;
ListenPort = 51821

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.99.0.2/32
Configure the WireGuard client
Now we need to configure the client. Create a new file called /etc/wireguard/wg0.conf. Insert the following configuration lines and replace the <client-private-key> placeholder with the previously generated private key. Next, replace <server-public-key> with the server's generated public key. Also replace <server-public-ip-address> with the IP address where the server listens for incoming connections.
Code Block
[Interface]
PrivateKey = <client-private-key>
ListenPort = 51821
Address = 10.99.0.2/32

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.99.0.0/24
Endpoint = <server-public-ip-address>:51821
PersistentKeepalive = 30
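A pre-flight check for the two wg0.conf files described above, as an added example that is not part of the original page: it flags a config that is readable by other users, placeholders that were never replaced, a repeated PrivateKey or ListenPort, and malformed IPv4 prefixes. The function name check_wg_conf and the sample file are assumptions made for illustration; it is not a wireguard-tools command.

```shell
#!/usr/bin/env bash
# Added example: lint a wg-quick config before bringing the tunnel up.
# check_wg_conf is a hypothetical helper, not part of wireguard-tools.
check_wg_conf() {
    local conf=$1 rc=0 mode
    # The file contains the private key, so only its owner may access it.
    mode=$(stat -c '%a' "$conf") || return 2
    case $mode in
        600|400) ;;
        *) echo "MODE $mode (want 600)"; rc=1 ;;
    esac
    awk '
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    /^[ \t]*\[/    { split("", seen); next }   # new section: reset seen keys
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        # Template value that was never filled in.
        if (val ~ /<[^>]+>/) { print "PLACEHOLDER " key; bad = 1 }
        # Keys that should appear only once per section.
        if (key ~ /^(PrivateKey|PublicKey|ListenPort|Endpoint)$/ && seen[key]++) {
            print "DUPLICATE " key; bad = 1
        }
        # IPv4 CIDR sanity: four octets <= 255, prefix <= 32 (IPv6 is skipped).
        if (key ~ /^(Address|AllowedIPs)$/) {
            n = split(val, items, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (items[i] ~ /:/ || items[i] ~ /</) continue
                ok = (items[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                split(items[i], p, "[./]")
                for (j = 1; j <= 4; j++) if (p[j] + 0 > 255) ok = 0
                if (p[5] != "" && p[5] + 0 > 32) ok = 0
                if (!ok) { print "CIDR " key " " items[i]; bad = 1 }
            }
        }
    }
    END { exit bad }' "$conf" || rc=1
    return $rc
}

# Constructed sample: an unfilled placeholder and an impossible prefix length.
demo=$(mktemp)
printf '%s\n' '[Interface]' 'PrivateKey = <client-private-key>' 'Address = 10.99.0.2/2432' > "$demo"
check_wg_conf "$demo" || echo "config rejected"
rm -f "$demo"
```

The same permission rule applies to the privatekey file written by wg genkey: run umask 077 in that shell first so the key is not created readable by other users.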
Open the UDP port for WireGuard (the ListenPort, 51821 in this configuration) on your router.
Start and test
Enable the wg0 interface with the following command:
Code Block
wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.99.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE;
You can check the status of the connection with this command.
Code Block
[root@pikvm ~]# wg
interface: wg0
  public key: K9aP9W9TW/bfdaGQA2fSFBZh6ZZy198Q=
  private key: (hidden)
  listening port: 51821
[root@pikvm ~]# ifcongif -a
-bash: ifcongif: command not found
[root@pikvm ~]# ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 99 bytes 8158 (7.9 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 99 bytes 8158 (7.9 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
        inet 10.99.0.1 netmask 255.255.255.0 destination 10.99.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
        inet6 fe80::e65f:1ff:fe87:f396 prefixlen 64 scopeid 0x20<link>
        ether e4:5f:01:87:f3:96 txqueuelen 1000 (Ethernet)
        RX packets 1505204 bytes 36789964 (35.0 MiB)
        RX errors 0 dropped 1224409 overruns 0 frame 0
        TX packets 110425 bytes 8452065 (8.0 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Next, you need to add the client to the server configuration. Otherwise, the tunnel will not be established. Replace <client-public-key> with the client's generated public key and <client-ip-address> with the client's IP address on the wg0 interface.
Code Block
wg set wg0 peer <client-public-key> allowed-ips <client-ip-address>/32
Now you can enable the wg0 interface on the server.
Code Block
wg-quick up wg0
Code Block
wg
Configure auto-start
Code Block
[root@pikvm ~]# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service -> /usr/lib/systemd/system/wg-quick@.service.
Install and configure Let's Encrypt certificates for the PiKVM
...