systemd-networkd: add wireguard

debian/bullseye/etc/systemd/network/drop-ins/dhcp.conf

@@ -7,5 +7,5 @@ DNS=1.1.1.1
 
 DNS=1.0.0.1
 
-# Link discovery causes some issues on wwan so disable it.
+# Link discovery causes some issues so disable it.
 LLDP=no

debian/bullseye/etc/systemd/network/drop-ins/lan.conf

@@ -8,7 +8,7 @@ IPForward=yes
 # Masquerade.
 IPMasquerade=both
 
-# Link discovery causes some issues on wwan so disable it.
+# Link discovery causes some issues so disable it.
 LLDP=no
 
 # As systemd-networkd doesn't yet *fully* support being a dhcp server

debian/bullseye/etc/systemd/network/drop-ins/static.conf

@@ -0,0 +1,37 @@
+[Route]
+
+# v4
+Gateway=<IPv4>
+
+# v6
+Gateway=<IPv6>
+
+# Not always needed but here just in case.
+#GatewayOnLink=yes
+
+[Network]
+
+# v4
+Address=<IPv4>/prefix
+
+# v6
+Address=<IPv6>/prefix
+
+
+# DNS
+# 1.1.1.1 / 1.0.0.1 / 2606:4700:4700::1111 / 2606:4700:4700::1001
+# are Cloudflare
+DNSOverTLS=opportunistic
+
+# v4
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# v6
+DNS=2606:4700:4700::1111
+DNS=2606:4700:4700::1001
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+

debian/bullseye/etc/systemd/network/drop-ins/wg.conf

@@ -0,0 +1,16 @@
+[Network]
+
+Address=10.0.0.1/24
+
+# For clients use an IP address within the peer range with a prefix!
+#Address=10.0.0.2/32
+
+DNSOverTLS=opportunistic
+
+DNS=1.1.1.1
+
+DNS=1.0.0.1
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+

debian/bullseye/etc/systemd/network/wg0.netdev

@@ -0,0 +1,35 @@
+[NetDev]
+Name=wg0
+
+Kind=wireguard
+
+[WireGuard]
+
+# Port to listen on.
+ListenPort=31987
+
+# The Base64 encoded private key for the interface. It can be generated
+# using the wg genkey command (see wg(8)). This option or
+# PrivateKeyFile= is mandatory to use WireGuard. Note that because this
+# information is secret, you may want to set the permissions of the
+# .netdev file to be owned by "root:systemd-network" with a "0640" file
+# mode.
+PrivateKey=<YOUR KEY HERE>
+
+
+# For Peers.
+[WireGuardPeer]
+
+# Base64 encoded public key calculated by wg pubkey (see wg(8)) from a
+# private key, and usually transmitted out of band to the author of the
+# configuration file. This option is mandatory for this section.
+#PublicKey=<YOUR KEY HERE>
+
+# Comma-separated list of IP addresses with CIDR masks from which this
+# peer is allowed to send incoming traffic and to which outgoing traffic
+# for this peer is directed.
+AllowedIPs=0.0.0.0/0, ::/0
+
+# Endpoint of a peer (for clients).
+#Endpoint=<ip>:<port>
+

debian/bullseye/etc/systemd/network/wg0.network

@@ -0,0 +1,4 @@
+# Needs wg0.netdev & wireguard & wireguard-tools installed to work.
+
+[Match]
+Name=wg0