Configure WireGuard VPN
From Organic Design wiki
|
We've recently changed from OpenVPN to WireGuard for our VPN solution. We use a VPN so that we can be sure our local browsing traffic's private even when we're on an insecure connection like a hotel or airport. Of course there are many solutions available such as ProtonVPN or RiseupVPN, but we like to be independent for our security, and also this allows us to customise the ports and locations and have higher bandwidth than a shared solution.
These first steps need to be done on the same way on the server and on the clients. First install WireGuard which is in the default Debian repositories, and we'll also need resolvconf.
sudo apt install wireguard resolvconf
Then create a key-pair that are called privatekey and publickey in the /etc/wireguard directory.
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.xx.xx.1/24
Address = fdxx:xxxx:xxxx::1/64
ListenPort = 51820
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o DEFAULT_INTERFACE -j MASQUERADE
client...
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.xx.xx.2/24
Address = fdxx:xxxx:xxxx::2/64
DNS = SERVER_IP # assumes server is running a DNS server
PostUp = ip rule add table 200 from CLIENT_IP
PostUp = ip route add table 200 default via CLIENT_GATEWAY
PreDown = ip rule delete table 200 from CLIENT_IP
PreDown = ip route delete table 200 default via CLIENT_GATEWAY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:SERVER_VPN_PORT
AllowedIPs = 0.0.0.0/0, ::/0
