Difference between revisions of "Configure WireGuard VPN"
m (→Create the TUN/TAP device) |
(→See also: Configure OpenVPN) |
||
(40 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | {{ | + | {{stub}} |
− | + | We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution. | |
− | |||
− | |||
− | == | + | == Server == |
− | + | Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see [[Configure DNS]] for details. | |
− | |||
− | |||
− | |||
− | + | First install ''WireGuard'' which is in the default Debian repositories. | |
− | ''' | + | <source lang="bash"> |
− | + | sudo apt install wireguard | |
− | + | </source> | |
− | |||
− | |||
− | |||
− | </ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Then create a key-pair that are called ''privatekey'' and ''publickey'' in the ''/etc/wireguard'' directory. | |
− | + | <source lang="bash"> | |
− | < | + | wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey |
− | + | </source> | |
− | |||
− | |||
− | |||
− | |||
− | </ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | === | + | Create a config file called ''/etc/wireguard/wg0.conf'': |
− | + | <source> | |
+ | [Interface] | ||
+ | PrivateKey = {!SERVER_PRIVATE_KEY!} | ||
+ | Address = 10.{!xx!}.{!xx!}.1/24, fd{!xx!}:{!xxxx!}:{!xxxx!}::1/64 | ||
+ | ListenPort = {!51820!} | ||
+ | SaveConfig = true | ||
+ | PostUp = ufw route allow in on wg0 out on {!DEFAULT_INTERFACE!} | ||
+ | PostUp = iptables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE | ||
+ | PostUp = ip6tables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE | ||
+ | PreDown = ufw route delete allow in on wg0 out on {!DEFAULT_INTERFACE!} | ||
+ | PreDown = iptables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE | ||
+ | PreDown = ip6tables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE | ||
+ | </source> | ||
+ | *'''SERVER_PRIVATE_KEY''' is the content of the ''/etc/wireguard/privatekey'' file. | ||
+ | *The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc. | ||
+ | *The port can be anything you prefer, the default for WireGuard is 51820 | ||
+ | *'''DEFAULT_INTERFACE''' is the ethernet interface connected to the internet, if you don't know this you can see it with the '''ip route list default''' command. | ||
+ | *Only include the '''ufw''' rules in ''PostUp'' and ''PreDown'' if you're running ''ufw''. | ||
− | |||
− | |||
− | + | Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both ''net.ipv4.ip_forward'' and ''net.ipv6.conf.all.forwarding'' to ''1'' in ''/etc/sysctl.conf'' and then force the configuration to update immediately: | |
+ | <source lang="bash"> | ||
+ | sudo sysctl -p | ||
+ | </source> | ||
− | + | == Clients == | |
+ | First install ''WireGuard'' which is in the default Debian repositories, and we'll also need ''resolvconf''. | ||
+ | <source lang="bash"> | ||
+ | sudo apt install wireguard | ||
+ | </source> | ||
− | + | ||
− | + | Then create a key-pair that are called ''privatekey'' and ''publickey'' in the ''/etc/wireguard'' directory. | |
+ | <source lang="bash"> | ||
+ | wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey | ||
+ | </source> | ||
+ | |||
+ | <source lang="bash"> | ||
+ | [Interface] | ||
+ | PrivateKey = CLIENT_PRIVATE_KEY | ||
+ | Address = 10.xx.xx.2/24 | ||
+ | Address = fdxx:xxxx:xxxx::2/64 | ||
+ | DNS = SERVER_IP # assumes server is running a DNS server | ||
+ | PostUp = ip rule add table 200 from CLIENT_IP | ||
+ | PostUp = ip route add table 200 default via CLIENT_GATEWAY | ||
+ | PreDown = ip rule delete table 200 from CLIENT_IP | ||
+ | PreDown = ip route delete table 200 default via CLIENT_GATEWAY | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = SERVER_PUBLIC_KEY | ||
+ | Endpoint = SERVER_IP:SERVER_VPN_PORT | ||
+ | AllowedIPs = 0.0.0.0/0, ::/0 | ||
+ | </source> | ||
+ | |||
+ | Set permissions of the files. | ||
+ | <source lang="bash"> | ||
+ | sudo chmod 600 /etc/wireguard/* | ||
+ | sudo chmod 644 /etc/wireguard/publickey | ||
+ | </source> | ||
== See also == | == See also == | ||
− | *[ | + | *[[Configure OpenVPN]] |
+ | *[https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04#step-3-%E2%80%94-creating-a-wireguard-server-configuration Digital Ocean's WireGuard setup procedure] | ||
+ | *[https://github.com/angristan/wireguard-install Angristan's WireGuard installer script] | ||
+ | *[https://blog.ipfire.org/post/why-not-wireguard Michael Tremer, the main WireGuard critic in the field] |
Latest revision as of 15:48, 24 March 2022
We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
Server
Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see Configure DNS for details.
First install WireGuard which is in the default Debian repositories.
sudo apt install wireguard
Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Create a config file called /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24, fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on DEFAULT_INTERFACE
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on DEFAULT_INTERFACE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
- SERVER_PRIVATE_KEY is the content of the /etc/wireguard/privatekey file.
- The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
- The port can be anything you prefer, the default for WireGuard is 51820
- DEFAULT_INTERFACE is the ethernet interface connected to the internet, if you don't know this you can see it with the ip route list default command.
- Only include the ufw rules in PostUp and PreDown if you're running ufw.
Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 1 in /etc/sysctl.conf and then force the configuration to update immediately:
sudo sysctl -p
Clients
First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf.
sudo apt install wireguard
Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0
Set permissions of the files.
sudo chmod 600 /etc/wireguard/*
sudo chmod 644 /etc/wireguard/publickey