More documentation in example server.conf

2019-12-23 01:41:03 -05:00 · 2019-12-23 01:41:03 -05:00 · 225d71d885
commit 225d71d885
parent c59cef666a
1 changed files with 14 additions and 3 deletions
--- a/systemd/server.conf
+++ b/systemd/server.conf
@ -1,14 +1,25 @@
 # refer to wireguard-proxy --help for info on what these are

-WGP_TCP_HOST=0.0.0.0:5555
+# this binds ipv4 and ipv6 if dual stacked
+WGP_TCP_HOST=[::]:5555
+# this binds all ipv4 addresses
+#WGP_TCP_HOST=0.0.0.0:5555
+
 WGP_UDP_TARGET=127.0.0.1:51820
+
+# on the server you'll want to set this to slightly more than PersistentKeepalive= in your client's wireguard config
+# this allows the udp sockets to be closed in a reasonable amount of time after the TCP connections are terminated
+# if PersistentKeepalive=25 as is recommended just set this to 60
+WGP_SOCKET_TIMEOUT=60
+
 WGP_UDP_BIND_HOST_RANGE=127.0.0.1:30000-40000

 # if you don't want proper cert generate with:
-# openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout key.pem
+# openssl req -new -x509 -sha256 -days 3650 -nodes -subj "/C=US/CN=example.org" -newkey rsa:2048 -out cert.pem -keyout key.pem
+# if systemd template has SupplementaryGroups=systemd-network set permissions on key properly:
+# chown root.systemd-network key.pem && chmod 640 key.pem
 # optionally (but recommended) extract pinnedpubkey hash from the above generated cert like so:
 # openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 #WGP_TLS_KEY=/etc/wireguard-proxy/key.pem
 #WGP_TLS_CERT=/etc/wireguard-proxy/cert.pem

-#WGP_SOCKET_TIMEOUT=0