Wireguard
- ensure the WireGuard MTU is set to something reasonable (1280 to 1360), e.g. in /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <PRIVATE_KEY>
Address = <1.2.3.4/32 IP_ASSUMING_NOT_GATEWAY>
MTU = 1360
[Peer]
PublicKey = <PEER_PUBLIC_KEY>
Endpoint = <PEER_IP_OR_FQDN>:<PORT>
AllowedIPs = <0.0.0.0/0 UNLESS_RESTRICTED_PEER_SUBNETS>
- since WireGuard does not start by default, create an /etc/init.d/S50wireguard script:
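#!/bin/sh
# /etc/init.d/S50wireguard -- start/stop the wg0 WireGuard tunnel at boot.
#
# Usage: S50wireguard {start|stop|restart|reload}
#
# "start" waits until the peer answers a ping (at most MAX_RETRIES attempts,
# WAIT_SEC apart -- 120 s with the defaults below), then loads the module and
# runs `wg-quick up`. /etc/wireguard/wg0.conf holds the tunnel's PrivateKey,
# so keep that file readable by root only.
#
# Exit status: 0 on success; 1 on a usage error, on network timeout, or when
# wg-quick fails (the previous version always exited 0, which hid failures
# from the init system).

PEER_IP="<PEER_IP_OR_FQDN>"   # placeholder: the peer's Endpoint host from wg0.conf
MAX_RETRIES=60                # ping attempts before giving up
WAIT_SEC=2                    # seconds between attempts
IFACE=wg0                     # interface name, i.e. /etc/wireguard/$IFACE.conf

# Block until a single ping to $PEER_IP succeeds.
# -c 1 sends one packet, -W 1 caps each attempt at one second.
# Returns 0 once the peer answers, 1 after MAX_RETRIES failed attempts.
wait_for_peer() {
  count=0
  while ! ping -q -c 1 -W 1 "$PEER_IP" >/dev/null 2>&1; do
    if [ "$count" -ge "$MAX_RETRIES" ]; then
      echo "Network timeout reached. WireGuard will not start." >&2
      return 1
    fi
    echo "Network not ready yet... (Attempt $count/$MAX_RETRIES)"
    sleep "$WAIT_SEC"
    count=$((count + 1))
  done
  return 0
}

# Bring the tunnel up; returns wg-quick's status (or 1 on network timeout).
start() {
  echo "Waiting for network connectivity..."
  wait_for_peer || return 1
  echo "Network detected! Starting WireGuard..."
  # Load the kernel module if it is not already present/built in. Not
  # checked: wg-quick fails with its own error if the interface cannot be created.
  modprobe wireguard
  wg-quick up "$IFACE"
}

# Tear the tunnel down; returns wg-quick's status.
stop() {
  echo "Stopping WireGuard..."
  wg-quick down "$IFACE"
}

case "$1" in
  start)
    start || exit 1
    ;;
  stop)
    stop || exit 1
    ;;
  restart|reload)
    # stop is best-effort here: the tunnel may not be up yet.
    "$0" stop
    "$0" start || exit 1
    ;;
  *)
    # The case arm above also accepts "reload", so the usage line names it.
    echo "Usage: $0 {start|stop|restart|reload}" >&2
    exit 1
    ;;
esac
exit 0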
- make sure it's executable