Tuesday, July 6, 2021

Wireguard on Linux : A basic approach using Ubuntu 20.04 LTS server and client

We begin with a fresh installation of Ubuntu Server 20.04 LTS.

Server

  1. Install WireGuard
    • sudo apt install wireguard
  2. Generate server and client keys
    • umask 077
    • wg genkey | tee server_private_key | wg pubkey > server_public_key
    • wg genkey | tee client_private_key | wg pubkey > client_public_key
  3. Create the server config
    • Create a file wg0.conf in /etc/wireguard/ with this content:
        [Interface]
        Address = 10.199.0.1/24
        SaveConfig = true
        PrivateKey = <insert server_private_key>
        ListenPort = 51820

        [Peer]
        PublicKey = <insert client_public_key>
        AllowedIPs = 10.199.0.2/24   <-- it means 254 IPs allowed to connect
    • Note: If you only want 1 IP to connect, change /24 to /32.
    • You can change the filename from wg0.conf to vpn.conf or whatever name you want.
  4. Run the WireGuard service
    • sudo systemctl enable wg-quick@wg0 <-- needed only the first time
    • sudo systemctl start wg-quick@wg0
  5. Enable IP forwarding (applicable for an internet-enabled VPN connection; see the client's note below)
    • echo 1 > /proc/sys/net/ipv4/ip_forward
    • sudo sysctl -p <-- makes the above change effective without a reboot

Client
  1. Install the WireGuard package
    • sudo apt install wireguard
  2. Create a file in /etc/wireguard called wg0.conf with this content:
        [Interface]
        Address = 10.199.0.2/24
        PrivateKey = <insert client_private_key>
        DNS = 1.1.1.1

        [Peer]
        PublicKey = <insert server_public_key>
        Endpoint = <insert vpn_server_address>:51820
        AllowedIPs = 10.199.0.0/24
        PersistentKeepalive = 60
    • Notes:
      • Address is the IP address of the client inside the tunnel.
      • You can also change the name of the file wg0.conf to something else.
      • Endpoint is the WireGuard server's address from above; you can use an IP or a domain name.
      • DNS is the IP of the DNS server for the client.
      • *IF* AllowedIPs is 0.0.0.0/0, all the traffic from the client will go through the VPN server, and if you want the client to be able to reach the internet, you must add this rule on the server:
          iptables -t nat -A POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE
        or put the iptables command above in the server's WireGuard config under [Interface]:
          PostUp = iptables -t nat -A POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE
  3. Connect the client
    • sudo systemctl enable wg-quick@wg0 <-- needed only the first time
    • sudo systemctl start wg-quick@wg0
    • Test the connection: ping 10.199.0.1
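As an added example (not part of the original post), a small POSIX shell script that renders both wg0.conf files from the keys generated in step 2, narrows the server-side AllowedIPs to /32 as the note above suggests, writes the files root-readable only, and checks an existing config for peers whose AllowedIPs is wider than one host. It assumes eth0 as the server's outbound interface, adds a PostDown rule the post does not show, and takes the endpoint hostname as an argument.

```shell
# Added example, not from the original post: render the server and client
# wg0.conf from keys made in step 2 (wg genkey / wg pubkey). Assumes tunnel
# subnet 10.199.0.0/24, eth0 as the server's outbound interface, endpoint given.
set -eu
# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY. AllowedIPs is /32 so
# only source 10.199.0.2 is accepted from this peer; PostDown (not in the post)
# removes the NAT rule when wg0 goes down.
render_server_conf() {
  printf '%s\n' \
    '[Interface]' \
    'Address = 10.199.0.1/24' \
    'ListenPort = 51820' \
    "PrivateKey = $1" \
    'PostUp = iptables -t nat -A POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE' \
    'PostDown = iptables -t nat -D POSTROUTING -s 10.199.0.0/24 -o eth0 -j MASQUERADE' \
    '' \
    '[Peer]' \
    "PublicKey = $2" \
    'AllowedIPs = 10.199.0.2/32'
}
# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY ENDPOINT_HOST
render_client_conf() {
  printf '%s\n' \
    '[Interface]' \
    'Address = 10.199.0.2/24' \
    "PrivateKey = $1" \
    'DNS = 1.1.1.1' \
    '' \
    '[Peer]' \
    "PublicKey = $2" \
    "Endpoint = $3:51820" \
    'AllowedIPs = 10.199.0.0/24' \
    'PersistentKeepalive = 60'
}

# write_conf PATH CONTENT: file readable by its owner only (mode 0600), the
# same effect the post's umask 077 has on the key files.
write_conf() {
  (umask 077; printf '%s\n' "$2" > "$1")
  chmod 600 "$1"
}

# check_peer_allowed_ips CONF: succeed only if every [Peer] AllowedIPs is /32;
# a wider prefix lets that peer send with any address in the range.
check_peer_allowed_ips() {
  awk '/^\[Peer\]/ {p=1} /^\[Interface\]/ {p=0}
       p && /^AllowedIPs/ && !/\/32[[:space:]]*$/ {bad=1}
       END {exit bad+0}' "$1"
}
```

Run it as root on the server as `write_conf /etc/wireguard/wg0.conf "$(render_server_conf "$(cat server_private_key)" "$(cat client_public_key)")"`, and similarly on the client with the client key, the server public key and the endpoint.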
That's all there is to it. Hope it is working for you.

Cheers!

PS: Check this out! Easy setup for WireGuard: https://github.com/burghardt/easy-wg-quick