@jon-hedgerows
Last active March 21, 2024 13:07
Wireguard on WSL2
wg-quick on WSL2 doesn't play well: if you have a default route through WireGuard, it tries to use nftables/iptables features that aren't compiled into the WSL2 kernel, and all the answers I could find basically said "build a custom kernel". No thanks!
WireGuard itself works fine on Ubuntu on WSL2; it's just the way wg-quick sets it up that doesn't.
This might help you if you have one peer and want to route all traffic through it.
This note doesn't tell you how to configure WireGuard; there are plenty of sites that cover that. The config below is just an example, and will NOT work!
The startup script finds the IP of the WireGuard endpoint you're connecting to, sets up a host route to it (via your existing gateway), fires up WireGuard, and sets a default route through the WireGuard device.
The shutdown script unwinds all that.
Notes:
- These scripts assume you have a single peer.
- These scripts blindly route ALL traffic through WireGuard, regardless of what the AllowedIPs line in the config file says.
#!/bin/bash
# Shutdown script: undo the routes the startup script added, then remove the link.
DEV=wg0
CONF=/etc/wireguard/$DEV.conf
# host part of "Endpoint = host:port"
ENDPOINT=$(grep Endpoint "$CONF" | awk '{print $3}' | cut -f1 -d:)
# a literal IPv4 endpoint (as in the example config) is used as-is; dig +short
# prints nothing for an address, which would otherwise abort the script
if echo "$ENDPOINT" | grep -Eq '^[0-9.]+$'; then
    ENDPOINTIP=$ENDPOINT
else
    ENDPOINTIP=$(dig +short "$ENDPOINT" | grep -E '^[0-9.]+$' | head -1)
fi
if [ -z "$ENDPOINTIP" ]; then
    echo Endpoint not found
    exit 1
fi
# check $DEV exists
if ! ip a show dev "$DEV" >/dev/null 2>&1; then
    echo device $DEV not found
    exit 2
fi
# put the routes back to normal: the default route goes back to the gateway
# that the host route for the endpoint currently uses (read it before deleting it)
ip route delete default
ip route add default $(ip route get "$ENDPOINTIP" | grep via | awk '{print $2,$3,$4,$5}')
ip route delete "$ENDPOINTIP"
# stop the wireguard link
ip link set down dev "$DEV"
ip link delete dev "$DEV"
echo $DEV stopped
exit 0
#!/bin/bash
# Startup script: bring the link up by hand (no wg-quick) and route everything through it.
DEV=wg0
CONF=/etc/wireguard/$DEV.conf
# host part of "Endpoint = host:port"
ENDPOINT=$(grep Endpoint "$CONF" | awk '{print $3}' | cut -f1 -d:)
# a literal IPv4 endpoint (as in the example config) is used as-is; dig +short
# prints nothing for an address, which would otherwise abort the script
if echo "$ENDPOINT" | grep -Eq '^[0-9.]+$'; then
    ENDPOINTIP=$ENDPOINT
else
    ENDPOINTIP=$(dig +short "$ENDPOINT" | grep -E '^[0-9.]+$' | head -1)
fi
if [ -z "$ENDPOINTIP" ]; then
    echo Endpoint not found
    exit 1
fi
# interface address, e.g. 192.168.100.2/24
ADDR=$(grep Address "$CONF" | awk '{print $3}')
# setup the wireguard link
ip link add dev "$DEV" type wireguard
ip address add dev "$DEV" "$ADDR"
# wg setconf only understands wg(8) keys, so the wg-quick-only Address line is stripped
grep -v Address "$CONF" | wg setconf "$DEV" /dev/stdin
ip link set up dev "$DEV"
# now route everything through it
# first add a host route via the existing gateway so we can still reach the wg server
ip route add $(ip route get "$ENDPOINTIP" | head -1 | cut -f1-5 -d' ')
# then delete and recreate the default route
ip route delete default
ip route add default dev "$DEV"
echo $DEV started
exit 0
[Interface]
Address = 192.168.100.2/24
ListenPort = 51820
PrivateKey = yourprivatekeyhere
[Peer]
PublicKey = yourpeerpublickeyhere
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.1:51820
PersistentKeepalive = 60
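The two scripts above take two things on trust: that the Endpoint line parses cleanly into a resolvable hostname, and that after startup the default route really does leave via wg0 while the endpoint's host route still leaves via the real gateway (if the host route ended up on wg0, the tunnel's own UDP packets would be routed into the tunnel and it would silently stop working). The helpers below are an added example, not part of jon-hedgerows' gist: `endpoint_host`, `is_ipv4`, `resolve_endpoint` and `check_routes` are names chosen here, and the sample config and sample `ip route show` output are constructed so the block runs without root or network access.

```shell
#!/bin/bash
# Added example, not from the gist: robust endpoint parsing plus a post-startup
# route check. Function names, the sample config and the sample routing table
# below are constructed for this example.

# Print the host part of the Endpoint line, tolerating any spacing around "="
# and IPv6 endpoints written as [addr]:port.
endpoint_host() {
    sed -n -E 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -1 \
        | sed -E 's/[[:space:]]*$//; s/^\[([^]]+)\]:[0-9]+$/\1/; s/^([^:]+):[0-9]+$/\1/'
}

# True if the argument is a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Resolve the endpoint to an IPv4 address. A literal address (as in the example
# config above) is returned unchanged; `dig +short` on an address prints nothing,
# which is why a bare "dig" step reports "Endpoint not found" for such a config.
resolve_endpoint() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        dig +short "$1" A | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -1
    fi
}

# Check the text of `ip route show` for the state the startup script should
# leave behind: the default route leaves via $3 (the WireGuard device), and a
# host route for the endpoint $2 exists and does NOT go via that device.
# Prints "ok" or the reason for failure; the return code is 0 only on success.
check_routes() {
    routes=$1; endpoint_ip=$2; dev=$3
    if ! printf '%s\n' "$routes" | grep -Eq "^default dev $dev( |\$)"; then
        echo "default route is not via $dev"; return 1
    fi
    ip_re=$(printf '%s' "$endpoint_ip" | sed 's/\./\\./g')
    hostroute=$(printf '%s\n' "$routes" | grep -E "^$ip_re(/32)?( |\$)" | head -1)
    if [ -z "$hostroute" ]; then
        echo "no host route for endpoint $endpoint_ip"; return 2
    fi
    if printf '%s\n' "$hostroute" | grep -Eq " dev $dev( |\$)"; then
        echo "host route for $endpoint_ip goes via $dev"; return 3
    fi
    echo ok
}

# --- stand-alone demonstration on constructed input (no root, no network) ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
Address = 192.168.100.2/24
PrivateKey = yourprivatekeyhere
[Peer]
PublicKey = yourpeerpublickeyhere
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.1:51820
EOF
# constructed: what `ip route show` prints after a successful run of the startup script
SAMPLE_ROUTES='default dev wg0 scope link
192.0.2.1 via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.100.0/24 dev wg0 proto kernel scope link src 192.168.100.2'

host=$(endpoint_host "$SAMPLE_CONF")
endpoint_ip=$(resolve_endpoint "$host")
rm -f "$SAMPLE_CONF"
echo "endpoint host=$host ip=$endpoint_ip"
check_routes "$SAMPLE_ROUTES" "$endpoint_ip" wg0
```

On a real box you would call `check_routes "$(ip route show)" "$ENDPOINTIP" wg0` at the end of the startup script and bail out (running the shutdown script) if it does not print `ok`; the check deliberately reads a text snapshot rather than calling `ip` itself so it can be exercised on saved output.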