Wireguard
This page details how to quickly establish connectivity between two or more nodes in a Treasury deployment using Wireguard. You may do this on your own (bring your own machines) or work with a hosting partner to host one or more of the nodes.
This example details setting up a 2-node deployment, but this can be adjusted for any number of nodes.
Requirements
- At least one public IP
- Wireguard
Create Wireguard private key(s)
Create a private key for each node that you host.
# restrictive umask so the private key file is readable only by its owner
(umask 077; wg genkey > wireguard_key)
Record the public key to share with other participants.
cat wireguard_key | wg pubkey
Set up interface
By convention, the Wireguard network is 10.87.77.0/24, with each host mapping the last octet to its participant ID.
For example, participant 1 should have IP address 10.87.77.1 and participant 2 should have IP address 10.87.77.2.
Participant 1:
# create the interface and set the IP address
ip link add dev wg0 type wireguard
ip address add dev wg0 10.87.77.1/24
# import the private key we created for this node
wg set wg0 private-key wireguard_key
wg set wg0 listen-port 51820
ip link set wg0 up
# add peers
wg set wg0 peer ${PEER_2_PUBKEY} allowed-ips 10.87.77.2/32 endpoint ${PEER_2_PUBLIC_IP}:51820
# create configuration and systemd unit
touch /etc/wireguard/wg0.conf
wg-quick save wg0
systemctl enable wg-quick@wg0
Participant 2:
# create the interface and set the IP address
ip link add dev wg0 type wireguard
ip address add dev wg0 10.87.77.2/24
# import the private key we created for this node
wg set wg0 private-key wireguard_key
wg set wg0 listen-port 51820
ip link set wg0 up
# add peers
wg set wg0 peer ${PEER_1_PUBKEY} allowed-ips 10.87.77.1/32
# create configuration and systemd unit
touch /etc/wireguard/wg0.conf
wg-quick save wg0
systemctl enable wg-quick@wg0
Set PEER_2_PUBLIC_IP to the public IP of participant 2. This is typically the hosting partner.
If all nodes are on an internal network, you may want to add the external IPs for each node.
You need to associate the correct public key with each participant (PEER_1_PUBKEY, PEER_2_PUBKEY).
To see a peer's public key, check the Wireguard interface by running wg.
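One way to check a running node against the addressing convention above, as an added example that is not part of the original guide. WireGuard only accepts a packet from a peer if its source address falls inside that peer's allowed-ips, so a peer configured with a wider range than its own /32 can send traffic as another participant. The function names, placeholder keys and sample lines are constructed for illustration; the input format is that of `wg show wg0 allowed-ips`.

```shell
#!/bin/sh
# Added example: audit peers against the addressing convention
# (one 10.87.77.<participant ID>/32 per peer, no address claimed twice).
# Input format: output of `wg show wg0 allowed-ips` (pubkey<TAB>allowed-ips).
audit_allowed_ips() {
    awk -F '\t' '
    {
        key = $1; ips = $2
        n = split(ips, parts, " ")
        if (n != 1) {
            printf "FAIL %s: expected one allowed IP, got %d (%s)\n", key, n, ips
            bad++; next
        }
        if (ips !~ /^10\.87\.77\.[0-9]+\/32$/) {
            printf "FAIL %s: %s is not a /32 inside 10.87.77.0/24\n", key, ips
            bad++; next
        }
        split(ips, octet, "[./]"); id = octet[4] + 0
        if (id < 1 || id > 254) {
            printf "FAIL %s: %s is not a usable host address\n", key, ips
            bad++; next
        }
        if (ips in owner) {
            printf "FAIL %s: %s already assigned to %s\n", key, ips, owner[ips]
            bad++; next
        }
        owner[ips] = key
        printf "OK   %s: participant %d\n", key, id
    }
    END { exit (bad > 0) }'
}

# Constructed sample input with placeholder keys (not real public keys).
sample_allowed_ips() {
    printf 'PEER_2_PUBKEY_PLACEHOLDER\t10.87.77.2/32\n'
    printf 'PEER_3_PUBKEY_PLACEHOLDER\t10.87.77.0/24\n'
    printf 'PEER_4_PUBKEY_PLACEHOLDER\t10.87.77.4/32 10.87.77.2/32\n'
    printf 'PEER_5_PUBKEY_PLACEHOLDER\t10.87.77.2/32\n'
}

# Demo on the sample; on a node, run: wg show wg0 allowed-ips | audit_allowed_ips
sample_allowed_ips | audit_allowed_ips || echo "convention violations found"
```

The function exits non-zero when any peer breaks the convention, so it can gate a deployment script or a periodic check.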