Difference between revisions of "Configure WireGuard VPN"

From Organic Design wiki
(client config)
(See also: Configure OpenVPN)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
 
We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
  
These first steps need to be done on the same way on the server and on the clients. First install ''WireGuard'' which is in the default Debian repositories, and we'll also need ''resolvconf''.
+
== Server ==
 +
Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see [[Configure DNS]] for details.
 +
 
 +
First install ''WireGuard'' which is in the default Debian repositories.
 
<source lang="bash">
 
<source lang="bash">
sudo apt install wireguard resolvconf
+
sudo apt install wireguard
 
</source>
 
</source>
  
Line 14: Line 17:
  
  
 +
Create a config file called ''/etc/wireguard/wg0.conf'':
 
<source>
 
<source>
 
[Interface]
 
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
+
PrivateKey = {!SERVER_PRIVATE_KEY!}
Address = 10.xx.xx.1/24
+
Address = 10.{!xx!}.{!xx!}.1/24, fd{!xx!}:{!xxxx!}:{!xxxx!}::1/64
Address = fdxx:xxxx:xxxx::1/64
+
ListenPort = {!51820!}
ListenPort = 51820
 
 
SaveConfig = true
 
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
+
PostUp = ufw route allow in on wg0 out on {!DEFAULT_INTERFACE!}
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
+
PostUp = iptables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
+
PostUp = ip6tables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
+
PreDown = ufw route delete allow in on wg0 out on {!DEFAULT_INTERFACE!}
 +
PreDown = iptables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 +
PreDown = ip6tables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 
</source>
 
</source>
 +
*'''SERVER_PRIVATE_KEY''' is the content of the ''/etc/wireguard/privatekey'' file.
 +
*The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
 +
*The port can be anything you prefer, the default for WireGuard is 51820
 +
*'''DEFAULT_INTERFACE''' is the ethernet interface connected to the internet, if you don't know this you can see it with the '''ip route list default''' command.
 +
*Only include the '''ufw''' rules in ''PostUp'' and ''PreDown'' if you're running ''ufw''.
 +
  
 +
Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both ''net.ipv4.ip_forward'' and ''net.ipv6.conf.all.forwarding'' to ''1'' in ''/etc/sysctl.conf'' and then force the configuration to update immediately:
 +
<source lang="bash">
 +
sudo sysctl -p
 +
</source>
  
 +
== Clients ==
 +
First install ''WireGuard'' which is in the default Debian repositories, and we'll also need ''resolvconf''.
 +
<source lang="bash">
 +
sudo apt install wireguard
 +
</source>
  
client...
+
 
 +
Then create a key-pair that are called ''privatekey'' and ''publickey'' in the ''/etc/wireguard'' directory.
 +
<source lang="bash">
 +
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
 +
</source>
  
 
<source lang="bash">
 
<source lang="bash">
Line 47: Line 71:
 
AllowedIPs = 0.0.0.0/0, ::/0
 
AllowedIPs = 0.0.0.0/0, ::/0
 
</source>
 
</source>
 +
 +
Set permissions of the files.
 +
<source lang="bash">
 +
sudo chmod 600 /etc/wireguard/*
 +
sudo chmod 644 /etc/wireguard/publickey
 +
</source>
 +
 +
== See also ==
 +
*[[Configure OpenVPN]]
 +
*[https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04#step-3-%E2%80%94-creating-a-wireguard-server-configuration Digital Ocean's WireGuard setup procedure]
 +
*[https://github.com/angristan/wireguard-install Angristan's WireGuard installer script]
 +
*[https://blog.ipfire.org/post/why-not-wireguard Michael Tremer, the main WireGuard critic in the field]

Latest revision as of 15:48, 24 March 2022

Cone.png This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles.

We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.

Server

Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see Configure DNS for details.

First install WireGuard which is in the default Debian repositories.

sudo apt install wireguard


Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey


Create a config file called /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24, fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on DEFAULT_INTERFACE
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on DEFAULT_INTERFACE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
  • SERVER_PRIVATE_KEY is the content of the /etc/wireguard/privatekey file.
  • The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
  • The port can be anything you prefer, the default for WireGuard is 51820
  • DEFAULT_INTERFACE is the ethernet interface connected to the internet, if you don't know this you can see it with the ip route list default command.
  • Only include the ufw rules in PostUp and PreDown if you're running ufw.


Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 1 in /etc/sysctl.conf and then force the configuration to update immediately:

sudo sysctl -p

Clients

First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf.

sudo apt install wireguard


Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0

Set permissions of the files.

sudo chmod 600 /etc/wireguard/*
sudo chmod 644 /etc/wireguard/publickey

See also