How to Setup WireGuard

From Linux Delta
Revision as of 16:16, 29 July 2020 by Casper sullivan (Clearing up ambiguities in how to use the .conf templates.)


Author: Kernellinux


Overview

The following guide walks you through setting up a WireGuard server and a client. WireGuard is a free and open-source VPN protocol and implementation that creates authenticated, encrypted point-to-point tunnels in routed or bridged configurations. It runs inside the Linux kernel (built in since Linux 5.6; on older kernels, including those of the Ubuntu releases covered by the PPA below, it is loaded as an out-of-tree DKMS module) and aims for simpler configuration and better performance than the IPsec and OpenVPN tunneling protocols.


System Requirements

1. A Machine running a currently supported release of Ubuntu


Step-By-Step Guide


Step 0: If using Ubuntu 14.04 or Ubuntu 16.04, add the WireGuard PPA

The server-side commands in this guide are written for a root shell; prefix them with sudo otherwise. Ubuntu 20.04 and later ship the wireguard package in the standard repositories, so the PPA is only needed on the older releases.

add-apt-repository ppa:wireguard/wireguard
apt-get update

Step 1: Install the WireGuard software

The kernel headers are needed so that DKMS can build the module for the running kernel. On a kernel that already includes WireGuard, wireguard-dkms is not required; wireguard-tools (which provides wg and wg-quick) is what you need in every case.

apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)

Step 2: Generate the server key pair and a preshared key

WireGuard uses raw Curve25519 keys, not certificates. umask 077 makes the key files readable by their owner only from the moment they are created. The preshared key is an optional extra symmetric secret that both peers must know; generate it once here and copy it to the client over a secure channel (for example an existing SSH session) in a later step.

umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genpsk > server_preshared_key

Step 3: Create the server configuration file (/etc/wireguard/wg0.conf) using the template provided here.

[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = <Server Private Key>
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <Client Public Key>
PresharedKey = <Server Preshared Key>
AllowedIPs = 10.100.100.2/32

The notation <Server Private Key> refers to the content of the file "server_private_key" created in the prior step; the other placeholders likewise refer to the contents of the similarly named files. "client_public_key" is generated in a later step, so the [Peer] section cannot be completed until then. Replace eth0 in the PostUp and PostDown lines with the name of the interface that carries the server's default route; %i is expanded by wg-quick to the WireGuard interface name (wg0). SaveConfig = true makes wg-quick overwrite this file with the running configuration when the interface is brought down, which discards comments and any manual edits made while the interface was up; drop that line if you prefer to keep the file as the single source of truth. On the server side, AllowedIPs is both the set of source addresses accepted from this peer and the set of destinations routed to it, so each client gets its own /32.

Step 4: Enable IPv4 forwarding so that clients can reach the rest of the LAN (and, through the MASQUERADE rule above, the Internet) and not just the server itself.

Open /etc/sysctl.conf and uncomment (or add) the following line

net.ipv4.ip_forward=1

Then either restart the server or run the following commands so that the setting takes effect immediately. sysctl -p reloads the file and the echo applies the same value directly, so either one alone is enough.

sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward


Step 5: Start WireGuard on the server and enable it to start automatically when the server boots.

The configuration file contains the server's private key, so make it readable by root only before bringing the interface up.

chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service


Step 6: Install the software on the client (add the PPA only if the client runs a release that needs it; see Step 0).

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)


Step 7: Generate the client key pair

As on the server, set a restrictive umask first so the private key is never world-readable. Copy client_public_key to the server and put it in the [Peer] section of wg0.conf; the client private key never leaves the client.

umask 077
wg genkey | tee client_private_key | wg pubkey > client_public_key


Step 8: Create the client configuration file (/etc/wireguard/wg0-client.conf) using the template provided here.

[Interface]
Address = 10.100.100.2/32
PrivateKey = <Client Private Key>

[Peer]
PublicKey = <Server Public Key>
PresharedKey = <Server Preshared Key>
Endpoint = <server IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

<server IP> is the public IP address or DNS name at which the server's UDP port 51820 is reachable. <Server Preshared Key> is the same value as on the server, copied over a secure channel. AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel (wg-quick installs the routes and policy rules this needs); to tunnel only the VPN subnet and the server's LAN, list those networks instead, e.g. 10.100.100.0/24. With a full tunnel the client's existing DNS servers may become unreachable or may leak queries outside the VPN, so consider adding a DNS = line to [Interface] pointing at a resolver reachable through the tunnel. PersistentKeepalive keeps the NAT mapping open when the client is behind NAT, so the server can still reach it. Like the server file, this one holds a private key and should be owned by root with mode 600.


Step 9: Start the WireGuard Client

sudo wg-quick up wg0-client
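The whole procedure above, generating both key pairs, checking that every key has the shape WireGuard expects, and rendering the two templates with the file permissions the guide calls for, as a single script. This is an added example and not part of the original page or of the WireGuard project; it assumes an output directory OUT (default ./wg-example rather than /etc/wireguard, so it is safe to run anywhere), a WAN interface name WAN_IF, a server address SERVER_ENDPOINT (a documentation address by default), and constructed, insecure placeholder keys that are used only when the wg tool is not installed.

```shell
#!/bin/sh
# Added example (not from the original page): generate and validate the key material, then
# render the server and client configs from the guide's templates with mode 0600.
# Assumptions: OUT, WAN_IF and SERVER_ENDPOINT below are not on the page; placeholder keys are
# constructed and only used when `wg` is missing.
set -eu

OUT="${OUT:-./wg-example}"
WAN_IF="${WAN_IF:-eth0}"
SERVER_ENDPOINT="${SERVER_ENDPOINT:-203.0.113.10}"

# A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in '='. The last 2 bytes
# of the 32 fill only 16 of the 18 bits of the final group, so the 43rd character can only be
# one of AEIMQUYcgkosw048. This rejects truncated or hand-edited keys before wg sees them.
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Constructed placeholder: base64 of a 32-byte padded ASCII string. Right shape, NOT secret.
placeholder_key() {
    printf '%-32.32s' "$1" | base64 | tr -d '\n'
}

render_server_conf() {  # $1 server private key, $2 client public key, $3 preshared key
    cat <<EOF
[Interface]
Address = 10.100.100.1/24
PrivateKey = $1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE

[Peer]
PublicKey = $2
PresharedKey = $3
AllowedIPs = 10.100.100.2/32
EOF
}

render_client_conf() {  # $1 client private key, $2 server public key, $3 preshared key
    cat <<EOF
[Interface]
Address = 10.100.100.2/32
PrivateKey = $1

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $SERVER_ENDPOINT:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
EOF
}

# Write a config from stdin so that it is never world-readable, not even briefly.
write_conf() {
    ( umask 077 && cat > "$1" )
    chmod 600 "$1"
}

# True if the file's mode is exactly 0600 (POSIX find -perm with an octal mode).
is_private_file() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

mkdir -p "$OUT"
if command -v wg >/dev/null 2>&1; then
    SERVER_PRIV=$(wg genkey); SERVER_PUB=$(printf '%s\n' "$SERVER_PRIV" | wg pubkey)
    CLIENT_PRIV=$(wg genkey); CLIENT_PUB=$(printf '%s\n' "$CLIENT_PRIV" | wg pubkey)
    PSK=$(wg genpsk)
else
    SERVER_PRIV=$(placeholder_key server-private); SERVER_PUB=$(placeholder_key server-public)
    CLIENT_PRIV=$(placeholder_key client-private); CLIENT_PUB=$(placeholder_key client-public)
    PSK=$(placeholder_key preshared)
fi

for k in "$SERVER_PRIV" "$SERVER_PUB" "$CLIENT_PRIV" "$CLIENT_PUB" "$PSK"; do
    wg_key_valid "$k" || { echo "malformed key: $k" >&2; exit 1; }
done

# Each side gets its own private key, the other side's public key and the shared PSK.
render_server_conf "$SERVER_PRIV" "$CLIENT_PUB" "$PSK" | write_conf "$OUT/wg0.conf"
render_client_conf "$CLIENT_PRIV" "$SERVER_PUB" "$PSK" | write_conf "$OUT/wg0-client.conf"
echo "wrote $OUT/wg0.conf and $OUT/wg0-client.conf (mode 0600)"
```

With wg installed, copy $OUT/wg0.conf to /etc/wireguard on the server and $OUT/wg0-client.conf to /etc/wireguard on the client (keeping mode 0600), then bring the interfaces up with wg-quick as in Steps 5 and 9. The placeholder branch exists only so the rendering and permission logic can be exercised on a machine without WireGuard; its keys must never be used for a real tunnel.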