Difference between revisions of "Configure WireGuard VPN"

From Organic Design wiki
(See also)
(See also: Configure OpenVPN)
 
(36 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{procedure
+
{{stub}}
|description = Once a [[w:VPN|VPN]] has been set up with the [[install a new VPN]] procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.
+
We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
|role = Sysop
 
}}
 
  
== Install OpenVPN ==
+
== Server ==
OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN is a single program that is run on both the server hosting the share, and on the clients which will be accessing it. First install it on the server an Linux clients.
+
Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see [[Configure DNS]] for details.
{{code|<pre>
 
apt-get install openvpn
 
</pre>}}
 
  
== Create the TUN/TAP device ==
+
First install ''WireGuard'' which is in the default Debian repositories.
A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link. Most Linux systems will have these devices set up by default, but some VPS hosts such as [http://www.vpslink.com VPSLink] do not (see the [http://forums.vpslink.com/linux/116-dev-net-tun-tun-tap-bridge-disabled-please-enable-it.html issue raised in their forum] and the [http://wiki.vpslink.com/index.php?title=TUN/TAP_device_with_OpenVPN_or_Hamachi solution added to their wiki] for more detail about this). If '''/dev/net/tun''' exists then you already have TUN/TAP set up and can move on to the OpenVPN configuration, otherwise do the following to create a TUN device.
+
<source lang="bash">
{{code|<pre>
+
sudo apt install wireguard
mkdir -p /dev/net
+
</source>
mknod /dev/net/tun c 10 200
 
chmod 600 /dev/net/tun
 
</pre>}}
 
  
== Server configuration ==
 
We'll go for a configuration which is as close to the default ''server.conf'' example file as possible to simplify the procedure. The certificate files must be specified with full pathnames, and the protocol must be changed to TCP rather than UDP which is the default. Here's all the required settings with comments removed for brevity.
 
{{code|<pre>
 
port 1194
 
proto tcp
 
dev tun
 
ca /etc/openvpn/ca.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
dh /etc/openvpn/dh1024.pem
 
server 10.8.0.0 255.255.255.0
 
ifconfig-pool-persist ipp.txt
 
keepalive 10 120
 
comp-lzo
 
persist-key
 
persist-tun
 
status openvpn-status.log
 
verb 4
 
</pre>}}
 
  
=== Creating Keys ===
+
Then create a key-pair that are called ''privatekey'' and ''publickey'' in the ''/etc/wireguard'' directory.
There's a utility called ''easy-rsa'' in ''/usr/share/doc/openvpn/examples/easy-rsa'' which should be copied to another location (we use ''/etc/openvpn/easy-rsa''. The default values for all certificates generated can be updated in the ''vars'' file. First, configure ''easy-rsa'' with the following shell commands:
+
<source lang="bash">
<pre>
+
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
cp -pR /usr/share/doc/openvpn/examples/easy-rsa /etc
+
</source>
cd /etc/easy-rsa
 
mkdir keys
 
. ./vars
 
./clean-all
 
</pre>
 
  
Next we'll user ''easy-rsa'' to generate a master key, a server key and a couple of client keys (it's more secure for the client keys to be created locally, but we'll get that procedure sorted out another day!). Each of the commands requires a number of questions to be answered which can all be left as their defaults (which were set up in the ''vars'' file above), except for the ''common name'' setting which we'll set to "organicdesign-ca" for the master key, "server" for the server key, and the client name for all the client keys (e.g. "nad-laptop" or "zenia-office" for this example).
 
<pre>
 
./build-ca
 
./build-key-server server
 
./build-key nad-laptop
 
./build-key zenia-office
 
</pre>
 
Then after all the keys are made we must build the [[w:Diffie-Hellman key exchange|Diffie Hellman key exchange parameters]].
 
./build-dh
 
All the generated key files are in the ''easy-rsa/keys''. All the files having the ''.key'' suffix are secret and should only be communicated over encrypted connections like ''SCP''. The ''ca.crt'' file belongs on the server and all the client machines as well. The files that start with a client name belong on that client machine.
 
  
=== Setting up Ubuntu workstations ===
+
Create a config file called ''/etc/wireguard/wg0.conf'':
First install OpenVPN and the configuration GUI using '''apt-get install openvpn network-manager-openvpn'''. The GUI adds a "VPN Connections" item to the network menu from the system tray which VPN's can be added, removed and configured from.
+
<source>
 +
[Interface]
 +
PrivateKey = {!SERVER_PRIVATE_KEY!}
 +
Address = 10.{!xx!}.{!xx!}.1/24, fd{!xx!}:{!xxxx!}:{!xxxx!}::1/64
 +
ListenPort = {!51820!}
 +
SaveConfig = true
 +
PostUp = ufw route allow in on wg0 out on {!DEFAULT_INTERFACE!}
 +
PostUp = iptables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 +
PostUp = ip6tables -t nat -I POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 +
PreDown = ufw route delete allow in on wg0 out on {!DEFAULT_INTERFACE!}
 +
PreDown = iptables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 +
PreDown = ip6tables -t nat -D POSTROUTING -o {!DEFAULT_INTERFACE!} -j MASQUERADE
 +
</source>
 +
*'''SERVER_PRIVATE_KEY''' is the content of the ''/etc/wireguard/privatekey'' file.
 +
*The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
 +
*The port can be anything you prefer, the default for WireGuard is 51820
 +
*'''DEFAULT_INTERFACE''' is the ethernet interface connected to the internet, if you don't know this you can see it with the '''ip route list default''' command.
 +
*Only include the '''ufw''' rules in ''PostUp'' and ''PreDown'' if you're running ''ufw''.
  
=== Setting up on Windows workstations ===
 
On Windows OpenVPN is normally run from the console, which can be a little annoying to have lying on the taskbar all the time. OpenVPN GUI lets you run OpenVPN without this console window. Instead you get an icon in the notification area (the area on the right side of the taskbar) from which you can control OpenVPN to start/stop your VPN tunnels, view the log, change your password and other useful things.
 
  
The simplest setup (and the only one covered here) is if your internet connection is through a normal LAN or Wifi adapter and uses DHCP (i.e. "obtain IP address automatically" is ticked).
+
Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both ''net.ipv4.ip_forward'' and ''net.ipv6.conf.all.forwarding'' to ''1'' in ''/etc/sysctl.conf'' and then force the configuration to update immediately:
 +
<source lang="bash">
 +
sudo sysctl -p
 +
</source>
  
After OpenVPN has been installed, you'll notice in network settings that an extra LAN connection has been added. First, right-click it and rename it to "OpenVPN". Then select both the original network connection that you connect to the internet through, and the OpenVPN connection, then right-click and select "Bridge connections" which takes a few seconds to complete. After that's done a new icon will appear in the network list called "Network bridge" or something which you can rename to "OpenVPN Bridge". No more settings are required if your original internet connection used DHCP.
+
== Clients ==
 +
First install ''WireGuard'' which is in the default Debian repositories, and we'll also need ''resolvconf''.
 +
<source lang="bash">
 +
sudo apt install wireguard
 +
</source>
  
*See [http://openvpn.se OpenVPN GUI for Windows]
 
*[http://www.pavelec.net/adam/openvpn/bridge OpenVPN Bridging with Windows HOWTO]
 
  
== Bridging ==
+
Then create a key-pair that are called ''privatekey'' and ''publickey'' in the ''/etc/wireguard'' directory.
Ethernet bridging essentially involves combining an ethernet interface with one or more virtual TAP interfaces and bridging them together under the umbrella of a single bridge interface. Ethernet bridges represent the software analog to a physical ethernet switch. The ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple ethernet interfaces (either physical or virtual) on a single machine while sharing a single IP subnet.
+
<source lang="bash">
 +
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
 +
</source>
  
By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet. See the [http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html OpenVPN bridging information] for more detail.
+
<source lang="bash">
 +
[Interface]
 +
PrivateKey = CLIENT_PRIVATE_KEY
 +
Address = 10.xx.xx.2/24
 +
Address = fdxx:xxxx:xxxx::2/64
 +
DNS = SERVER_IP # assumes server is running a DNS server
 +
PostUp = ip rule add table 200 from CLIENT_IP
 +
PostUp = ip route add table 200 default via CLIENT_GATEWAY
 +
PreDown = ip rule delete table 200 from CLIENT_IP
 +
PreDown = ip route delete table 200 default via CLIENT_GATEWAY
 +
 
 +
[Peer]
 +
PublicKey = SERVER_PUBLIC_KEY
 +
Endpoint = SERVER_IP:SERVER_VPN_PORT
 +
AllowedIPs = 0.0.0.0/0, ::/0
 +
</source>
 +
 
 +
Set permissions of the files.
 +
<source lang="bash">
 +
sudo chmod 600 /etc/wireguard/*
 +
sudo chmod 644 /etc/wireguard/publickey
 +
</source>
  
 
== See also ==
 
== See also ==
*[http://openvpn.net/index.php/open-source/faq.html OpenVPN FAQ]
+
*[[Configure OpenVPN]]
*[http://openvpn.net/index.php/open-source/documentation/install.html?start=1 OpenVPN Win32 Installation]
+
*[https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04#step-3-%E2%80%94-creating-a-wireguard-server-configuration Digital Ocean's WireGuard setup procedure]
*[http://wiki.openvz.org/VPN VPN on OpenVZ] (our VPS's OS)
+
*[https://github.com/angristan/wireguard-install Angristan's WireGuard installer script]
 +
*[https://blog.ipfire.org/post/why-not-wireguard Michael Tremer, the main WireGuard critic in the field]

Latest revision as of 15:48, 24 March 2022

Cone.png This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles.

We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.

Server

Our server setup requires that the server is running a DNS server, if this is an Organic Design server it will already be running since we use a local caching non-forwarding DNS Server for our mail configuration, see Configure DNS for details.

First install WireGuard which is in the default Debian repositories. 

sudo apt install wireguard


Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory. 

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey


Create a config file called /etc/wireguard/wg0.conf: 

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24, fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on DEFAULT_INTERFACE
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on DEFAULT_INTERFACE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
  • SERVER_PRIVATE_KEY is the content of the /etc/wireguard/privatekey file.
  • The IP addresses can be anything, but are best within standard non-public address spaces, and using 1 within that space for the server, then 2 for the first client, 3 for the second etc.
  • The port can be anything you prefer, the default for WireGuard is 51820
  • DEFAULT_INTERFACE is the ethernet interface connected to the internet, if you don't know this you can see it with the ip route list default command.
  • Only include the ufw rules in PostUp and PreDown if you're running ufw.


Make sure that IP forwarding is enabled for both IPv4 and IPv6 by setting both net.ipv4.ip_forward and net.ipv6.conf.all.forwarding to 1 in /etc/sysctl.conf and then force the configuration to update immediately: 

sudo sysctl -p

Clients

First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf. 

sudo apt install wireguard


Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory. 

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0

Set permissions of the files. 

sudo chmod 600 /etc/wireguard/*
sudo chmod 644 /etc/wireguard/publickey

See also

Retrieved from "https://organicdesign.nz/wiki/index.php?title=Configure_WireGuard_VPN&oldid=129088"