STEPS:
- Organize zones
- Forward WireGuard traffic (route traffic the tunnel does not recognise, i.e. 0.0.0.0/0, out to your default gateway)
- Masquerade the forwarded traffic (SNAT on outgoing packets; replies are translated back on the way in)
# Remove existing zone assignments (optional)
# Add WAN interfaces (the ones that carry the 0.0.0.0/0 default route) to external,
# WireGuard interfaces (wg0) to internal,
# lo to trusted
firewall-cmd --permanent --zone=external --add-interface=eth0
firewall-cmd --permanent --zone=internal --add-interface=wg0
firewall-cmd --permanent --zone=trusted --add-interface=lo
# Enable IPv4 and IPv6 forwarding in the kernel (runtime only; put the same keys in /etc/sysctl.d/ to survive a reboot)
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
# Enable forwarding for the zone that holds the WireGuard interface:
# traffic arriving on wg0 is forwarded out to your default gateway / WAN interface (the one that carries 0.0.0.0/0)
#
# Optionally this can be done from the WireGuard config using PostUp/PostDown to add/remove the forwarding rule, in
# which case --permanent is pointless. (Not recommended: it will interfere with other interfaces in the same zone.)
firewall-cmd --zone=internal --add-forward --permanent
# Masquerade on the WAN zone (can be done through the WireGuard config as well)
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --reload
# Generate a private/public key pair (same procedure for the server and for each peer).
# umask 077 keeps private.key readable only by its owner.
umask 077
wg genkey | tee private.key | wg pubkey > public.key
# /etc/wireguard/wg0.conf  (--- marks values to paste in from the generated keys)
[Interface]
Address = 172.16.0.1/24
ListenPort = 2408
MTU = 1492
PrivateKey = ---
# Open/close the listen port on the WAN zone when the tunnel comes up/down
PostUp = firewall-cmd --zone=external --add-port=2408/udp
PostDown = firewall-cmd --zone=external --remove-port=2408/udp
# One [Peer] block per client; AllowedIPs is the tunnel address that peer may use (cryptokey routing)
[Peer]
PublicKey = ---
AllowedIPs = 172.16.0.3/32
[Peer]
PublicKey = ---
AllowedIPs = 172.16.0.5/32
# Bring the tunnel up / down by hand
wg-quick up wg0
wg-quick down wg0
# Or manage it as a systemd unit so it starts at boot
systemctl enable wg-quick@wg0.service
systemctl daemon-reload
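Added example (not code from the gist): a small Python linter for a wg0.conf of the shape above. It checks that the PostUp/PostDown firewall-cmd hooks open the same UDP port as ListenPort, that each peer's AllowedIPs lies inside the tunnel subnet (a range outside it makes the server route that range into that peer's tunnel), and that no two peers claim overlapping AllowedIPs (WireGuard keeps such an IP on only one peer, the last one configured). The sample config and its PEER_*_PLACEHOLDER keys are constructed.

```python
import ipaddress

# Constructed sample (placeholder keys) with three deliberate defects; see the lead-in.
SAMPLE_CONF = """\
[Interface]
Address = 172.16.0.1/24
ListenPort = 2408
PostUp = firewall-cmd --zone=external --add-port=2408/udp
PostDown = firewall-cmd --zone=external --remove-port=2409/udp
[Peer]
PublicKey = PEER_A_PLACEHOLDER
AllowedIPs = 172.16.0.3/32
[Peer]
PublicKey = PEER_B_PLACEHOLDER
AllowedIPs = 172.16.0.3/32, 10.0.0.0/8
"""

def parse(text):
    # configparser rejects repeated [Peer] sections, so scan by hand
    iface, peers = {}, []
    cur = iface  # keys before the first [Peer] belong to [Interface]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Peer]":
            peers.append(cur := {})
        elif "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def check(text):
    # returns a list of findings; an empty list means the config passed
    iface, peers = parse(text)
    findings = []
    subnet = ipaddress.ip_network(iface["Address"], strict=False)
    port = iface.get("ListenPort")
    for hook in ("PostUp", "PostDown"):  # firewall hooks must track ListenPort
        if f"port={port}/udp" not in iface.get(hook, ""):
            findings.append(f"{hook}: port does not match ListenPort {port}/udp")
    seen = []  # (network, owning peer) for cross-peer overlap detection
    for p in peers:
        for cidr in p.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"{p['PublicKey']}: {net} is outside {subnet}")
            owner = next((k for n, k in seen if net.overlaps(n)), None)
            if owner:
                findings.append(f"{p['PublicKey']}: {net} overlaps {owner}")
            seen.append((net, p["PublicKey"]))
    return findings
```

Run `check(open("/etc/wireguard/wg0.conf").read())` on the real file; a non-empty list is worth a look before `wg-quick up`.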
Just so you know, you have a triple-dash in your 'add-forward' command. The copy-pasters among us (like me) were quite thrown off :-P