Skip to content

Latest commit

 

History

History
157 lines (128 loc) · 5.71 KB

wireguard.md

File metadata and controls

157 lines (128 loc) · 5.71 KB
Raw

Resources

Steps

Steps on the server

  • Generate privatekey: wg genkey | sudo tee /etc/wireguard/private.key.
  • Change the ownership of the file so that the root will be the only one who can access it: sudo chmod go= /etc/wireguard/private.key.
  • Generate a publickey sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
  • choose IP from reserved ranage
    • by the RFC 1918 specification:
      • 10.0.0.0 to 10.255.255.255 (10/8 prefix)
      • 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
      • 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
  • We will choose the 10.6.0.0/24 range
  • Write a config in /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <privkey>
Address = 10.6.0.1/24
ListenPort = 51820
SaveConfig = true
  • If we wanted to expose servers local network and not only the point to point connection:
    • sudo sh -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
  • Find your public interface:
    • ip route list default:
      • default via 192.168.121.1 dev eth0 proto dhcp src 192.168.121.115 metric 100
      • We pick eth0.
  • Now lets add the iptables rules to our wg0.conf.
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

  • Explanation:

    • ufw route allow in on wg0 out on eth0 - This rule will allow forwarding IPv4 and IPv6 traffic that comes in on the wg0 VPN interface to the eth0 network interface on the server. It works in conjunction with the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl values that you configured in the previous section.
    • iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE - This rule configures masquerading, and rewrites IPv4 traffic that comes in on the wg0 VPN interface to make it appear like it originates directly from the WireGuard Server’s public IPv4 address.
    • ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE - (OPTIONAL) This rule configures masquerading, and rewrites IPv6 traffic that comes in on the wg0 VPN interface to make it appear like it originates directly from the WireGuard Server’s public IPv6 address.

  • Lets also setup the ufw:

    • sudo ufw allow 51820/udp
    • sudo ufw allow OpenSSH
    • sudo ufw reload
    • sudo ufw status

  • Now start the service:

    • sudo systemctl enable --now wg-quick@wg0.service

Steps on client

  • What you need:

    • Basically you must generate the priv and pub key same as on the server
    • public IP of a server
    • server pubkey

  • Now generate a file /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <Generted privkey on client>
Address = 10.6.0.X/24

[Peer]
PublicKey = <server pubkey>
AllowedIPs = 10.6.0.0/24
Endpoint = <server public ip>:51820
  • Now login to a server and register a client:
    • sudo wg set wg0 peer <client-pubkey> allowed-ips <client-wg-ip>
    • And check if the peer is listed with sudo wg

DNS

If you are using the WireGuard Server as a VPN gateway for all your peer’s traffic, you will need to add a line to the [Interface] section that specifies DNS resolvers. If you do not add this setting, then your DNS requests may not be secured by the VPN, or they might be revealed to your Internet Service Provider or other third parties.

  • To get a list which DNS reslovers the wireguard server uses (issue this command on a connected peer):
    • resolvectl dns eth0
    • then select one and add the ip to tthe bottom of the [Interface] section /etc/wireguard/wg0.conf
[Interface]
...
DNS = <ip from command>

Setup wireguard ui;

version: "3"

services:
  boringtun:
    image: ghcr.io/ntkme/boringtun:edge
    command:
      - wg0
    container_name: boringtun
    # use the network of the 'wireguard-ui' service. this enables to show active clients in the status page
    network_mode: service:wireguard-ui
    cap_add:
      - NET_ADMIN
    volumes:
      - /dev/net/tun:/dev/net/tun
      - ./config:/etc/wireguard
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1 # Enable kernel packet forwarding

  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:0.5.2
    container_name: wireguard-ui
    cap_add:
      - NET_ADMIN
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=no_password_for_u
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
    ports:
      # port for wireguard-ui
      - "5000:5000"
      # port of the wireguard server. this must be set here as the `boringtun` container joins the network of this container and hasn't its own network over which it could publish the ports
      - "51820:51820/udp"

And then add these iptables rules to the server:

PreUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;