wireguard seperate configs for server and client

debian/bullseye/etc/systemd/network/drop-ins/dhcp.conf

@@ -9,3 +9,8 @@ DNS=1.0.0.1
 
 # Link discovery causes some issues so disable it.
 LLDP=no
+
+[Route]
+Destination=192.168.1.0/24
+Gateway=192.168.1.1
+

debian/bullseye/etc/systemd/network/drop-ins/wg-client.conf

@@ -0,0 +1,18 @@
+[Network]
+
+Address=10.0.0.2/32
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+
+[Route]
+Destination=10.0.0.0/24
+Gateway=10.0.0.1
+
+

debian/bullseye/etc/systemd/network/drop-ins/wg-server.conf

@@ -2,9 +2,6 @@
 
 Address=10.0.0.1/24
 
-# For clients use an IP address within the peer range with a prefix!
-#Address=10.0.0.2/32
-
 DNSOverTLS=opportunistic
 
 DNS=1.1.1.1

debian/bullseye/etc/systemd/network/wg0.netdev

@@ -5,9 +5,6 @@ Kind=wireguard
 
 [WireGuard]
 
-# Port to listen on.
-ListenPort=31987
-
 # The Base64 encoded private key for the interface. It can be generated
 # using the wg genkey command (see wg(8)). This option or
 # PrivateKeyFile= is mandatory to use WireGuard. Note that because this
@@ -17,7 +14,7 @@ ListenPort=31987
 PrivateKey=<YOUR KEY HERE>
 
 
-# For Peers.
+# Your Peers.
 [WireGuardPeer]
 
 # Base64 encoded public key calculated by wg pubkey (see wg(8)) from a

debian/bullseye/etc/systemd/network/wg0.network.d/wg-client.conf

@@ -0,0 +1 @@
+../drop-ins/wg-client.conf

debian/bullseye/etc/systemd/network/wg0.network.d/wg.conf

@@ -1 +0,0 @@
-../drop-ins/wg.conf

debian/bullseye/etc/systemd/network/wgs0.netdev

@@ -0,0 +1,32 @@
+[NetDev]
+Name=wgs0
+
+Kind=wireguard
+
+[WireGuard]
+
+# Port to listen on.
+ListenPort=31987
+
+# The Base64 encoded private key for the interface. It can be generated
+# using the wg genkey command (see wg(8)). This option or
+# PrivateKeyFile= is mandatory to use WireGuard. Note that because this
+# information is secret, you may want to set the permissions of the
+# .netdev file to be owned by "root:systemd-network" with a "0640" file
+# mode.
+PrivateKey=<YOUR KEY HERE>
+
+
+# Your Peers.
+[WireGuardPeer]
+
+# Base64 encoded public key calculated by wg pubkey (see wg(8)) from a
+# private key, and usually transmitted out of band to the author of the
+# configuration file. This option is mandatory for this section.
+#PublicKey=<YOUR KEY HERE>
+
+# Comma-separated list of IP addresses with CIDR masks from which this
+# peer is allowed to send incoming traffic and to which outgoing traffic
+# for this peer is directed.
+AllowedIPs=10.0.0.2/32
+

debian/bullseye/etc/systemd/network/wgs0.network

@@ -0,0 +1,4 @@
+# Needs wgs0.netdev & wireguard & wireguard-tools installed to work.
+
+[Match]
+Name=wgs0

debian/bullseye/etc/systemd/network/wgs0.network.d/wg-server.conf

@@ -0,0 +1 @@
+../drop-ins/wg-server.conf