4.3 KiB
WireGuard
Work in progress
guide-by-example
Purpose & Overview
VPN.
When you need to connect to a machine/network over the internet, securely.
WireGuard is an opensource extremely simple, fast and modern VPN.
Written in C, with userspace implementation written in Go.
WireGuard is included in linux kernel version 5.6 and newer.
While with WireGuard there is no server-clients model, there are just peers connecting to each other, this setup will consider peer_A a server, and clients will be connecting to it.
This setup runs directly on the host machine, not in a container.
Most of the stuff here is based on Arch wiki and
this tutorial.
Files and directory structure
/etc/
└── wireguard/
└── wg0.conf
Installation
on linux server
Install wireguard-tools
or whatever is the equivalent in your distro.
The package should provide two command line utilities
wg
- utility for configuration and management of WireGuard tunnel interfaceswg-quick
- script for bringing up or down a WireGuard interface
on linux client
Same as server
on Windows or macOS clients
Install the official application.
extra info:
Might be of interest server setup on
Windows
on Android or iOS
Install the official app from the stores.
Configuration on linux server
- switch to root and go in to in /etc/wireguard
su
cd /etc/wireguard
- generate a private key
wg genkey > peer_A.key
- create a public key from the private key
wg pubkey < peer_A.key > peer_A.pub
Use the generated keys in the wg0.conf, in the [Interface]
section.
wg0.conf
[Interface]
PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=
# PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
Address = 10.200.200.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# TESTER-1
# PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
AllowedIPs = 10.200.200.2/32
[Peer]
# TESTER-2
# PrivateKey = QNc0dunuRQAjuKpFmRPqvPAysqpklctcdblqrazUT0o=
PublicKey = CAt7g42pPxgU5Lcc3uyNh5BmkITJS1K6XAoFbkhN6Qk=
AllowedIPs = 10.200.200.3/32
This configuration when run creates a new network interface on the machine.
- PrivateKey - the key that was generated, will be used to encrypt traffic
- # PublicKey - just a note, what is the public key of the private key
- Address - IP address on the created wireguard interface network,
/24
defines its mask as255.255.255.0
- ListenPort - port
- PostUp/PostDown - define what should be done after interface is turned on and off in this case firewall rules to let traffic through, only ipv4 in this setup
- [Peer] - section defining a peer, its public key
- AllowedIPs -
Start and enable the service
sudo systemctl enable --now wg-quick@wg0
Configuration on clients
TESTER-1.conf
[Interface]
PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
Address = 10.200.200.2/32
[Peer]
PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
AllowedIPs = 10.200.200.0/24, 192.168.5.0/24
Endpoint = 63.123.113.495:51820
PersistentKeepalive = 25
Troubleshooting
Update
During host linux packages update.
Backup and restore
Backup
Using borg that makes daily snapshot of the /etc directory which contains the config file.
restore
Replace the content of the config file with the one from the backup.