ThinkServer

WireGuard: Difference between revisions

Saved progress so far
 
Added attribution
 
(6 intermediate revisions by the same user not shown)
Line 37: Line 37:
We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.
We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.


=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.


* Become a superuser - <code>su</code>
* Become a superuser - <code>su</code>
=== Move to WireGuard directory ===
* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>
Line 45: Line 49:
You will find this directory is empty - we will work in this directory which is secure.
You will find this directory is empty - we will work in this directory which is secure.


* Create a private and public key for the server. You can use the following command:
=== Generate a public/private key pair ===
 
* Generate a private and public key for the server. You can use the following command:
  wg genkey | tee server-privatekey | wg pubkey > server-publickey
  wg genkey | tee server-privatekey | wg pubkey > server-publickey
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.


Line 64: Line 71:
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.
=== Create configuration file ===
* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
* Insert the following into the file:
Line 85: Line 95:
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>


== Start WireGuard ==
== Start WireGuard ==
Line 97: Line 108:
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>
== Setting up a client ==
Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.
The client configuration file is similar to the server configuration file and remains very simple.
=== Generate a public/private key pair ===
* We will generated a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.
=== Creating a configuration file ===
* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.
=== Adding peers to the server configuration ===
* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section, marked in italics, as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
''[Peer]''
''# one client which will be setup to use 10.20.10.2 IP''
''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''
''AllowedIPs = 10.20.10.2/32''
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
== Reloading the server ==
For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0
At this point, the WireGuard VPN is ready to go!
== Adding further clients ==
* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.
== See also ==
Thank you to "Mark Liversedge" at [https://markliversedge.blogspot.com/2023/09/wireguard-setup-for-dummies.html Wireguard setup for dummeies] with his comprehensive guide that made this possible for me
Retrieved from "https://thinkserver.freddythechick.net/wiki/WireGuard"