forked from r-pufky/wireguard-initramfs

config
# Wireguard initramfs configuration.
#
# NOTE: As most systems do not encrypt /boot, the private key material is
# exposed and must be treated as compromised/untrusted. The boot-time wireguard
# network should therefore be **different** from, and less trusted than, the
# network used after booting. Always restrict ports and access on the
# wireguard server.
#
# Be sure to test wireguard config with a running system before setting
# options. See: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
#
# Restricting dropbear connections to **only** wireguard:
# * Confirm wireguard/dropbear work without restriction first.
# * Set dropbear listen address to only wireguard client interface address.
#
# /etc/dropbear-initramfs/config
# DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
#
# Wireguard interface name.
INTERFACE=example_vpn
# CIDR wireguard interface address.
INTERFACE_ADDR=172.31.255.10/32
# Peer public key (server's public key).
PEER_PUBLIC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Pre-shared key file (optional: leave blank to disable).
PRE_SHARED_KEY=/etc/wireguard-initramfs/pre_shared_key
# IP:PORT of the peer (server); any reachable IP/DNS.
PEER_ENDPOINT=wg.example.com:51820
# Client private key. Specify the location of a file containing only the private key.
CLIENT_PRIVATE_KEYFILE=/etc/wireguard-initramfs/private_key
# Persistent keepalive (seconds). Required to keep the connection open when the client's port is not exposed.
PERSISTENT_KEEPALIVES=25
# Allowed IPs (CIDR) on wireguard; for boot this should be only the peer (server).
ALLOWED_IPS=172.31.255.254/32
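The header asks you to test the settings on a running system before they go into the initramfs, and to bind dropbear only to the tunnel address. The script below is an added example, not part of r-pufky/wireguard-initramfs or its hook scripts: it sources a config file in the format above, checks each variable (key format, key-file permissions, endpoint, and an ALLOWED_IPS limited to the peer's /32, as the comments recommend), prints the ip(8)/wg(8) commands the settings map to without running them, and checks that a dropbear-initramfs config carries a `-p <tunnel address>:<port>` option and no other listen address. The mapping onto `ip`/`wg set`, the helper names and the temp-file sample data (random bytes standing in for keys) are constructed for this example.

```shell
#!/bin/sh
# Added example (not project code): pre-flight checks for a wireguard-initramfs
# config file, plus a dry-run rendering of the commands it implies.

# Canonical base64 WireGuard key: 32 bytes encode to 44 characters.
WG_KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
CIDR4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'

fail() { printf 'config error: %s\n' "$1" >&2; }

# A key file must exist, hold exactly one key, and not be group/other readable.
# (Per the header, an unencrypted /boot still exposes it; keep boot keys separate.)
check_key_file() {
  [ -f "$1" ] || { fail "$2: '$1' does not exist"; return 1; }
  if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
    fail "$2: '$1' is readable by group/others; chmod 600 it"; return 1
  fi
  grep -Eq "$WG_KEY_RE" "$1" || { fail "$2: '$1' is not a single base64 key"; return 1; }
}

# Source the file (it uses shell assignment syntax) and validate every variable.
validate_wg_initramfs_config() {
  unset INTERFACE INTERFACE_ADDR PEER_PUBLIC_KEY PRE_SHARED_KEY PEER_ENDPOINT \
        CLIENT_PRIVATE_KEYFILE PERSISTENT_KEEPALIVES ALLOWED_IPS
  . "$1" || return 1
  status=0
  printf '%s' "$INTERFACE" | grep -Eq '^[A-Za-z0-9_.=+-]{1,15}$' || { fail "INTERFACE must be 1-15 safe chars"; status=1; }
  printf '%s' "$INTERFACE_ADDR" | grep -Eq "$CIDR4_RE" || { fail "INTERFACE_ADDR must be IPv4 CIDR"; status=1; }
  printf '%s' "$PEER_PUBLIC_KEY" | grep -Eq "$WG_KEY_RE" || { fail "PEER_PUBLIC_KEY is not a base64 key"; status=1; }
  port=${PEER_ENDPOINT##*:}
  if printf '%s' "$PEER_ENDPOINT" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
  then :; else fail "PEER_ENDPOINT must be host:port"; status=1; fi
  printf '%s' "$PERSISTENT_KEEPALIVES" | grep -Eq '^[0-9]{1,5}$' || { fail "PERSISTENT_KEEPALIVES must be an integer"; status=1; }
  check_key_file "$CLIENT_PRIVATE_KEYFILE" CLIENT_PRIVATE_KEYFILE || status=1
  [ -z "$PRE_SHARED_KEY" ] || check_key_file "$PRE_SHARED_KEY" PRE_SHARED_KEY || status=1
  # At boot only the server should be reachable through the tunnel, so anything
  # wider than a single host (a default route in particular) is rejected.
  old_ifs=$IFS; IFS=', '
  for cidr in $ALLOWED_IPS; do
    printf '%s' "$cidr" | grep -Eq "$CIDR4_RE" || { fail "ALLOWED_IPS entry '$cidr' is not IPv4 CIDR"; status=1; continue; }
    case "$cidr" in */32) ;; *) fail "ALLOWED_IPS entry '$cidr' is wider than the peer's /32"; status=1 ;; esac
  done
  IFS=$old_ifs
  return $status
}

# Print (do not run) the commands the config maps to. This is an assumed mapping
# onto ip(8) and wg(8) for testing on a live system, not the project's hook.
render_wg_commands() {
  validate_wg_initramfs_config "$1" 2>/dev/null || return 1
  psk_arg=""; [ -z "$PRE_SHARED_KEY" ] || psk_arg=" preshared-key $PRE_SHARED_KEY"
  printf 'ip link add dev %s type wireguard\n' "$INTERFACE"
  printf 'ip address add %s dev %s\n' "$INTERFACE_ADDR" "$INTERFACE"
  printf 'wg set %s private-key %s peer %s%s endpoint %s persistent-keepalive %s allowed-ips %s\n' \
    "$INTERFACE" "$CLIENT_PRIVATE_KEYFILE" "$PEER_PUBLIC_KEY" "$psk_arg" "$PEER_ENDPOINT" "$PERSISTENT_KEEPALIVES" "$ALLOWED_IPS"
  printf 'ip link set up dev %s\n' "$INTERFACE"
  old_ifs=$IFS; IFS=', '
  for cidr in $ALLOWED_IPS; do printf 'ip route add %s dev %s\n' "$cidr" "$INTERFACE"; done
  IFS=$old_ifs
}

# True only if every -p option in DROPBEAR_OPTIONS binds to the tunnel address.
# Usage: dropbear_bound_to_tunnel <dropbear config file> <INTERFACE_ADDR>
dropbear_bound_to_tunnel() {
  addr=${2%/*}
  opts=$(grep -E '^DROPBEAR_OPTIONS=' "$1" | grep -Eo -- '-p[[:space:]]+[0-9A-Za-z.:]+' | sed -E 's/^-p[[:space:]]+//')
  [ -n "$opts" ] || return 1   # no -p at all: dropbear listens on every address
  for o in $opts; do case "$o" in "$addr":*) ;; *) return 1 ;; esac; done
  return 0
}

# Constructed sample data (random bytes as stand-ins for keys, not real keys).
EXAMPLE_DIR=$(mktemp -d); chmod 700 "$EXAMPLE_DIR"; trap 'rm -rf "$EXAMPLE_DIR"' EXIT
make_fake_key() { head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1"; chmod 600 "$1"; }
make_fake_key "$EXAMPLE_DIR/private_key"; make_fake_key "$EXAMPLE_DIR/pre_shared_key"
FAKE_PEER_KEY=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
cat > "$EXAMPLE_DIR/config" <<EOF
INTERFACE=example_vpn
INTERFACE_ADDR=172.31.255.10/32
PEER_PUBLIC_KEY=$FAKE_PEER_KEY
PRE_SHARED_KEY=$EXAMPLE_DIR/pre_shared_key
PEER_ENDPOINT=wg.example.com:51820
CLIENT_PRIVATE_KEYFILE=$EXAMPLE_DIR/private_key
PERSISTENT_KEEPALIVES=25
ALLOWED_IPS=172.31.255.254/32
EOF
# A broken variant: full-tunnel allowed-ips and a world-readable private key.
cp "$EXAMPLE_DIR/private_key" "$EXAMPLE_DIR/private_key.leaky"; chmod 644 "$EXAMPLE_DIR/private_key.leaky"
sed -e 's#^ALLOWED_IPS=.*#ALLOWED_IPS=0.0.0.0/0#' -e 's#^\(CLIENT_PRIVATE_KEYFILE=.*\)$#\1.leaky#' \
  "$EXAMPLE_DIR/config" > "$EXAMPLE_DIR/config.bad"
printf "DROPBEAR_OPTIONS='-I 180 -p 172.31.255.10:22'\n" > "$EXAMPLE_DIR/dropbear_config"
printf "DROPBEAR_OPTIONS='-p 22'\n" > "$EXAMPLE_DIR/dropbear_config.open"

if validate_wg_initramfs_config "$EXAMPLE_DIR/config"; then render_wg_commands "$EXAMPLE_DIR/config"; fi
validate_wg_initramfs_config "$EXAMPLE_DIR/config.bad" || echo "config.bad rejected as expected"
dropbear_bound_to_tunnel "$EXAMPLE_DIR/dropbear_config" 172.31.255.10/32 && echo "dropbear bound to tunnel only"
```

Point `validate_wg_initramfs_config` at the real `/etc/wireguard-initramfs/config` (and `dropbear_bound_to_tunnel` at `/etc/dropbear-initramfs/config`) before running `update-initramfs`; the rendered `ip`/`wg set` lines are what to try by hand on the live system, and a bare `-p 22` in the dropbear options is exactly the unrestricted listener the header warns against.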