From 225d71d8851ee411769423b77dc5ec0d374b59ed Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Mon, 23 Dec 2019 01:41:03 -0500 Subject: [PATCH] More documentation in example server.conf --- systemd/server.conf | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/systemd/server.conf b/systemd/server.conf index 0cac9eb..0997a79 100644 --- a/systemd/server.conf +++ b/systemd/server.conf @@ -1,14 +1,25 @@ # refer to wireguard-proxy --help for info on what these are -WGP_TCP_HOST=0.0.0.0:5555 +# this binds ipv4 and ipv6 if dual stacked +WGP_TCP_HOST=[::]:5555 +# this binds all ipv4 addresses +#WGP_TCP_HOST=0.0.0.0:5555 + WGP_UDP_TARGET=127.0.0.1:51820 + +# on the server you'll want to set this to slightly more than PersistentKeepalive= in your client's wireguard config +# this allows the udp sockets to be closed in a reasonable amount of time after the TCP connections are terminated +# if PersistentKeepalive=25 as is recommended just set this to 60 +WGP_SOCKET_TIMEOUT=60 + WGP_UDP_BIND_HOST_RANGE=127.0.0.1:30000-40000 # if you don't want proper cert generate with: -# openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout key.pem +# openssl req -new -x509 -sha256 -days 3650 -nodes -subj "/C=US/CN=example.org" -newkey rsa:2048 -out cert.pem -keyout key.pem +# if systemd template has SupplementaryGroups=systemd-network set permissions on key properly: +# chown root.systemd-network key.pem && chmod 640 key.pem # optionally (but recommended) extract pinnedpubkey hash from the above generated cert like so: # openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 #WGP_TLS_KEY=/etc/wireguard-proxy/key.pem #WGP_TLS_CERT=/etc/wireguard-proxy/cert.pem -#WGP_SOCKET_TIMEOUT=0