Tuesday, July 6, 2021

Wireguard on Linux : A basic approach using Ubuntu 20.04 LTS server and client

 We begin with a fresh installation of Ubuntu server 20.04 LTS

Server

  1. Install wireguard
    • sudo apt install wireguard
  2. Generate server and client keys
    • umask 077
    • wg genkey | tee server_private_key | wg pubkey > server_public_key
    • wg genkey | tee client_private_key | wg pubkey > client_public_key
  3. Create server config
    • Create a file wg0.conf in /etc/wireguard/
    • [Interface]
      Address = 10.199.0.1/24
      SaveConfig = true
      PrivateKey = <insert server_private_key>
      ListenPort = 51820

      [Peer]
      PublicKey = <insert client_public_key>
      AllowedIPs = 10.199.0.2/24 <-- it means 254 IPs allowed to connect
    • Note: If you only want 1 IP to connect, change /24 to /32. You can change the filename from wg0.conf to vpn.conf or whatever name you want; the service name in the next step follows the filename (wg-quick@vpn).
  4. Running the wireguard's service
    • sudo systemctl enable wg-quick@wg0 <-- need to run for the first time only
    • sudo systemctl start wg-quick@wg0
  5. Enable IP forwarding (Applicable for an internet-enabled vpn connection. See the client's note below)
    • sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' <-- takes effect immediately, but does not survive a reboot
    • sudo sysctl -p <-- reloads /etc/sysctl.conf; put net.ipv4.ip_forward=1 in that file so the setting persists across reboots
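As an added check that is not part of the original post: a small Python script that parses a wg-quick config in the format above and flags every [Peer] whose AllowedIPs admits more than one source address, which is exactly what the /24 in the note does. Run it against the server's config only; on the client, a broad AllowedIPs (such as 0.0.0.0/0) is a deliberate routing choice. The sample config is constructed from the post with placeholder keys.

```python
import ipaddress

# Constructed sample: the server config from the post (placeholders for keys),
# with the /24 AllowedIPs that the note above says admits 254 addresses.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.199.0.1/24
SaveConfig = true
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.199.0.2/24
"""


def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into a list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg(8) allows '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def broad_peer_allowed_ips(text):
    """Return (PublicKey, network, usable_hosts) for each [Peer] whose AllowedIPs
    covers more than one address. On the server, AllowedIPs is the set of source
    addresses accepted from that peer's key, so one client should get a /32."""
    findings = []
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        for cidr in kv.get("AllowedIPs", "").split(","):
            if not cidr.strip():
                continue
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.num_addresses > 1:
                # usable hosts: 254 for a /24, matching the note in the post
                hosts = net.num_addresses - (2 if net.version == 4 and net.prefixlen <= 30 else 0)
                findings.append((kv.get("PublicKey", "?"), str(net), hosts))
    return findings
```

On a real server, call broad_peer_allowed_ips(open("/etc/wireguard/wg0.conf").read()) as root; an empty list means every peer is pinned to a single source address.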
Client
  1. Install wireguard package
    • sudo apt install wireguard
  2. Create a file in /etc/wireguard called wg0.conf
    • [Interface]
      Address = 10.199.0.2/24
      PrivateKey = <insert client_private_key>
      DNS = 1.1.1.1

      [Peer]
      PublicKey = <insert server_public_key>
      Endpoint = <insert vpn_server_address>:51820
      AllowedIPs = 10.199.0.0/24
      PersistentKeepalive = 60
    • Note: The Address parameter is the IP address for the client
      • you can also change the name of the file wg0.conf to something else
      • Endpoint is the wireguard server's address above. You can use an IP or a domain name
      • DNS is the IP of the DNS server for the client.
      • *IF* the AllowedIPs is 0.0.0.0/0, it means all the traffic from the client will go through the vpn server, and if you want the client to be able to go to the internet, you must add this rule on the server (eth0 being the server's internet-facing interface):
        • iptables -t nat -A POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE
      • or you can put the iptables command above in the server's wireguard config under [Interface]:
        • PostUp = iptables -t nat -A POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE
  3. Connect the client
    • sudo systemctl enable wg-quick@wg0 <-- need to run for the first time only
    • sudo systemctl start wg-quick@wg0
    • Test the connection: ping 10.199.0.1
That's all there is to it. Hope it is working for you.

Cheers!

PS: Check this out! Easy setup for wireguard : https://github.com/burghardt/easy-wg-quick