Edited Wireguard README.md

2025-11-20 08:46:15 -05:00 · 2025-11-20 08:46:15 -05:00 · 3abe20c14b
parent a4e7d10389
commit 3abe20c14b
1 changed files with 83 additions and 0 deletions
--- a/wireguard/README.md
+++ b/wireguard/README.md
@ -21,3 +21,86 @@ securely over a VPN, without exposing them on the public Internet.
   sudo mkdir -p /etc/wireguard
   sudo cp wireguard/wg0.conf.example /etc/wireguard/wg0.conf
   sudo chmod 600 /etc/wireguard/wg0.conf
+
+Generate keys:
+
+```bash
+wg genkey | tee server.key | wg pubkey > server.pub
+wg genkey | tee client.key | wg pubkey > client.pub
+```
+
+* Put `server.key` into `PrivateKey` for `[Interface]`.
+* Put `client.pub` into `PublicKey` for `[Peer]`.
+
+2. **Enable WireGuard**
+
+   ```bash
+   sudo systemctl enable wg-quick@wg0
+   sudo systemctl start wg-quick@wg0
+   ```
+
+   You should now see the interface:
+
+   ```bash
+   ip addr show wg0
+   ```
+
+3. **Configure firewall**
+
+   Use `firewall/nftables-wireguard.conf.example` as a starting point:
+
+   ```bash
+   sudo cp firewall/nftables-wireguard.conf.example /etc/nftables.conf
+   sudo nft -f /etc/nftables.conf
+   sudo systemctl enable nftables
+   ```
+
+   Adjust:
+
+   * `wan_if` to match your actual WAN interface (e.g., `eno1`).
+   * `wg_if` to `wg0` (default).
+   * `wg_tcp_ports` set to match your private services (SSH, Stable Diffusion, etc.).
+
+4. **Client configuration**
+
+   On your client (laptop, etc.), create a WireGuard config like:
+
+   ```ini
+   [Interface]
+   Address    = 10.20.0.2/32
+   PrivateKey = <CLIENT_PRIVATE_KEY>
+   DNS        = 1.1.1.1
+
+   [Peer]
+   PublicKey  = <SERVER_PUBLIC_KEY>
+   Endpoint   = your.domain.example:51820
+   AllowedIPs = 10.20.0.0/24
+   PersistentKeepalive = 25
+   ```
+
+   Bring it up with your WireGuard client (e.g., `wg-quick up`, or a GUI).
+
+5. **Access private services**
+
+   Once the tunnel is up, you should be able to reach private services on the
+   VHostLoom host by its VPN address:
+
+   * `http://10.20.0.1:7860` (Stable Diffusion)
+   * `http://10.20.0.1:8080` (Llamafile)
+   * `http://10.20.0.1:11434` (Ollama)
+   * etc.
+
+   Public services (e.g. `https://cloud.example.com`, `https://git.example.com`)
+   remain available via their normal DNS names and the Traefik reverse proxy.
+
+## Coexistence with ZeroTier
+
+If you prefer ZeroTier or want both:
+
+* Keep the ZeroTier interface and rules.
+* Treat `wg0` and `zt+` as equally trusted VPN ingress points.
+* Use a shared set (e.g. `vpn_tcp_ports`) for ports allowed from either VPN
+  interface, and separate sets if you want to distinguish them.
+
+This module is intentionally minimal; adapt the address ranges, ports, and
+routing rules to match your environment.