Difference between revisions of "Configure WireGuard VPN"

From Organic Design wiki
(server conf)
(client config)
Line 1: Line 1:
 +
{{stub}}
 
We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
 
We've recently changed from [https://openvpn.net/ OpenVPN] to [https://www.wireguard.com/ WireGuard] for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ''ProtonVPN'' or ''RiseupVPN'', but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
  
Line 15: Line 16:
 
<source>
 
<source>
 
[Interface]
 
[Interface]
PrivateKey = PRIVATEKEY_FILE_CONTENTS
+
PrivateKey = SERVER_PRIVATE_KEY
 
Address = 10.xx.xx.1/24
 
Address = 10.xx.xx.1/24
 
Address = fdxx:xxxx:xxxx::1/64
 
Address = fdxx:xxxx:xxxx::1/64
 
ListenPort = 51820
 
ListenPort = 51820
 
SaveConfig = true
 
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
 +
</source>
 +
 
 +
 
 +
 
 +
client...
 +
 
 +
<source lang="bash">
 +
[Interface]
 +
PrivateKey = CLIENT_PRIVATE_KEY
 +
Address = 10.xx.xx.2/24
 +
Address = fdxx:xxxx:xxxx::2/64
 +
DNS = SERVER_IP # assumes server is running a DNS server
 +
PostUp = ip rule add table 200 from CLIENT_IP
 +
PostUp = ip route add table 200 default via CLIENT_GATEWAY
 +
PreDown = ip rule delete table 200 from CLIENT_IP
 +
PreDown = ip route delete table 200 default via CLIENT_GATEWAY
 +
 
 +
[Peer]
 +
PublicKey = SERVER_PUBLIC_KEY
 +
Endpoint = SERVER_IP:SERVER_VPN_PORT
 +
AllowedIPs = 0.0.0.0/0, ::/0
 
</source>
 
</source>

Revision as of 00:51, 23 March 2022

Cone.png This article or section is a stub. Stubs are articles that have not yet received substantial attention from the authors. They are short or insufficient pieces of information and require additions to further increase the article's usefulness. The project values stubs as useful first steps toward complete articles.

We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.

These first steps need to be done on the same way on the server and on the clients. First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf. 

sudo apt install wireguard resolvconf


Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory. 

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey


[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24
Address = fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE


client... 

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0
Retrieved from "https://organicdesign.nz/wiki/index.php?title=Configure_WireGuard_VPN&oldid=129059"