WireGuard: Difference between revisions
→Configure the server: Split the section up and added permissions bullet point |
Added attribution |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 49: | Line 49: | ||
You will find this directory is empty - we will work in this directory which is secure. | You will find this directory is empty - we will work in this directory which is secure. | ||
=== Generate public/private key pair === | === Generate a public/private key pair === | ||
* | * Generate a private and public key for the server. You can use the following command: | ||
wg genkey | tee server-privatekey | wg pubkey > server-publickey | wg genkey | tee server-privatekey | wg pubkey > server-publickey | ||
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard. | **<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard. | ||
| Line 107: | Line 108: | ||
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code> | * The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code> | ||
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code> | * If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code> | ||
== Setting up a client == | |||
Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system. | |||
The client configuration file is similar to the server configuration file and remains very simple. | |||
=== Generate a public/private key pair === | |||
* We will generated a public/private key pair much the same way as we did for the server: | |||
wg genkey | tee client-privatekey | wg pubkey > client-publickey | |||
** The name <code>client</code> for the file name can be changed to anything you like for convenience. | |||
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code> | |||
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied. | |||
=== Creating a configuration file === | |||
* Open a new configuration file: <code>sudo nano client.conf</code> | |||
** Once again, the name <code>client</code> can be anything you like for convenience. | |||
* Insert the following into the file: | |||
[Interface] | |||
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI= | |||
ListenPort = 33333 | |||
Address = 10.20.10.2/24 | |||
DNS = 1.1.1.1, 1.0.0.1<br> | |||
[Peer] | |||
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To= | |||
AllowedIPs = 0.0.0.0/0 | |||
Endpoint = example.com:33333 | |||
* Tweak the file to match your client configuration: | |||
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key). | |||
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server. | |||
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration. | |||
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4). | |||
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key. | |||
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything. | |||
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution. | |||
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}. | |||
* The file can then be transferred to the client and imported into the WireGuard client ready for use. | |||
=== Adding peers to the server configuration === | |||
* Open the server configuration file - <code>nano wg0.conf</code> | |||
* Add the <code>[Peer]</code> section, marked in italics, as follows: | |||
[Interface] | |||
## Local Address : A private IP address for wg0 interface. | |||
Address = 10.20.10.1/24 | |||
ListenPort = 33333<br> | |||
## local server privatekey | |||
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br> | |||
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel. | |||
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel. | |||
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet. | |||
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT | |||
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE | |||
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT | |||
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br> | |||
''[Peer]'' | |||
''# one client which will be setup to use 10.20.10.2 IP'' | |||
''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM='' | |||
''AllowedIPs = 10.20.10.2/32'' | |||
* Tweak the file to match your client configuration: | |||
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client. | |||
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file. | |||
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}. | |||
== Reloading the server == | |||
For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using: | |||
systemctl reload wg-quick@wg0 | |||
or | |||
systemctl restart wg-quick@wg0 | |||
At this point, the WireGuard VPN is ready to go! | |||
== Adding further clients == | |||
* Generate a public/private key pair as explained under the client section. | |||
* Create a configuration with the new public/private key pair generated. | |||
* Copy the configuration to the respective client. | |||
* Add another <code>[Peer]</code> section to the server configuration. | |||
* Reload the WireGuard server. | |||
== See also == | |||
Thank you to "Mark Liversedge" at [https://markliversedge.blogspot.com/2023/09/wireguard-setup-for-dummies.html Wireguard setup for dummeies] with his comprehensive guide that made this possible for me | |||