
WireGuard

From ThinkServer
Revision as of 22:51, 16 October 2025 by Sam (edit summary: Generate a public/private key pair: Changed created to generated)

WireGuard is a lightweight VPN server, built into the Linux kernel since kernel 5.6, which makes it very easy to set up on a Linux server. This guide details how to install and configure it on this server.

Before you start

You will need to install the following packages:

  • openresolv (for DNS resolution)
  • wireguard-tools

Install the required packages

  • Type sudo zypper in openresolv wireguard-tools
  • Press Y to accept

Allow IP forwarding

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

  • Open a terminal window
  • Move to /etc - cd /etc
  • Open sysctl.conf for editing - sudo nano sysctl.conf
  • Type your root password and press ↵ Enter
  • At the end of the file, type the following:
net.ipv4.ip_forward=1
  • Press Ctrl+X then Y to save then ↵ Enter to confirm saving the file
  • Load the changes (this writes to /proc/sys, so it needs root) - sudo sysctl -p

Restart the computer

  • After completing the previous steps, restart the computer. This will activate openresolv (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

Allow port forwarding on the router

  • Port 33333 (or whichever port you choose later) must be forwarded through your router to this server. Ensure the forwarding rule is for UDP, NOT TCP.

Configure the server

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the private/public keys needed to function and is configured with a simple configuration file.

Become a superuser

For the following steps, you may need to become a superuser (su) to access the WireGuard folder.

  • Become a superuser - su

Move to WireGuard directory

  • Type your root password and press ↵ Enter. The terminal text should change to red to indicate you are now a superuser.
  • Move to the WireGuard directory - cd /etc/wireguard

You will find this directory is empty. We will work in this directory, which has restricted permissions.

Generate a public/private key pair

  • Generate a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
    • server-privatekey and server-publickey are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.


Warning

The private key generated should NEVER leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is not secret and does not need to be stored with the same level of care.

All private/public keys in this guide were generated as an example and are not in use on this server.


  • Change the permissions of the private key so that only superusers can access the key: chmod 600 server-privatekey
  • We need the private key to put in the configuration file: cat server-privatekey. This will display the key on the screen which can then be copied.

Create configuration file

  • We will create a configuration file with the same name as the interface WireGuard will create: nano wg0.conf
  • Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=
## The PostUp rules run when the WireGuard server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard server stops the virtual VPN tunnel.
## Specify the commands that allow traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
  • Tweak the file to match your server configuration:
    • Address = 10.20.10.1/24 - this is the address used by the WireGuard interface and should be different from your local network subnet.
    • ListenPort = 33333 - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
    • PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA= - paste the key you generated and copied earlier.
    • PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE and PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE - the interface needs changing to the name of the Ethernet card on your computer (em1 in this example). The name can be found by typing ip a; common names include eth0, eno1 and em1.
  • Once done, save the file: Ctrl+X, Y then ↵ Enter.
  • Change the permissions so that the configuration file can only be accessed by superusers: chmod 600 wg0.conf
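As an added example (not a script from the ThinkServer wiki), the following POSIX shell functions render a wg0.conf equivalent to the one above from values you supply, write it so that it is never world-readable even for a moment, and check the resulting file mode, which is the state the chmod 600 steps in this guide are meant to reach. It assumes the keys are generated with the wg genkey command shown earlier and passed in as strings, that the LAN interface name (em1 above) is passed in, and that GNU stat is available. The key used when exercising it is the guide's own example key, which the page states is not in use anywhere.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Renders the server-side wg0.conf
# from values collected while following the guide, and enforces the
# "only root can read it" rule for secrets. Assumes GNU coreutils (stat -c).

# render_server_conf PRIVATE_KEY ADDRESS LISTEN_PORT LAN_IFACE
# Prints a wg0.conf matching the guide's example to stdout.
render_server_conf() {
    priv=$1; addr=$2; port=$3; lan=$4
    printf '%s\n' \
        "[Interface]" \
        "## Local Address : A private IP address for wg0 interface." \
        "Address = $addr" \
        "ListenPort = $port" \
        "## local server privatekey" \
        "PrivateKey = $priv" \
        "## PostUp runs when the tunnel comes up, PostDown when it goes down." \
        "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT" \
        "PostUp = iptables -t nat -A POSTROUTING -o $lan -j MASQUERADE" \
        "PostDown = iptables -D FORWARD -i wg0 -j ACCEPT" \
        "PostDown = iptables -t nat -D POSTROUTING -o $lan -j MASQUERADE"
}

# write_secret FILE: write stdin to FILE, created under umask 077 so the
# file is 600 from the start (tee/redirection alone would honour the
# default umask and briefly leave a world-readable key on disk).
write_secret() {
    ( umask 077; cat > "$1" )
}

# check_secret_mode FILE: return 0 only if FILE is mode 600 or stricter,
# which is what the guide's chmod 600 steps require for keys and wg0.conf.
check_secret_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Typical use on the server (as root, in /etc/wireguard):
#   render_server_conf "$(cat server-privatekey)" 10.20.10.1/24 33333 em1 \
#       | write_secret wg0.conf && check_secret_mode wg0.conf
```

write_secret is the piece worth keeping even if you hand-edit the rest: the guide's `wg genkey | tee server-privatekey` creates the key file under your default umask and only fixes it with chmod afterwards, whereas running the whole pipeline after `umask 077` avoids the window entirely.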

Start WireGuard

  • Type systemctl start wg-quick@wg0 to start WireGuard.
    • wg0 is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
  • Check that WireGuard is running: wg show. You should see something similar to the following if all is well:
interface: wg0
  public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
  private key: (hidden)
  listening port: 33333
  • The public key should match the one generated earlier and can be viewed by typing cat server-publickey
  • If you would like WireGuard to start on startup, type the following: systemctl enable wg-quick@wg0

Setting up a client

Client software is available for many operating systems, including Windows, macOS, Linux (native support since kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but given the number of different operating systems supported, we will not cover how to import the configuration into your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

Generate a public/private key pair

  • We will generate a public/private key pair in much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
    • The name client for the file name can be changed to anything you like for convenience.
  • Change the permissions of the private key so that only superusers can access the key: chmod 600 client-privatekey
  • We need the private key to put in the configuration file: cat client-privatekey. This will display the key on the screen which can then be copied.

Creating a configuration file

  • Open a new configuration file: sudo nano client.conf
    • Once again, the name client can be anything you like for convenience.
  • Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
  • Tweak the file to match your client configuration:
    • PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI= - the private key generated for the client (NOT the server private key).
    • ListenPort = 33333 - needs to match the ListenPort for the server.
    • Address = 10.20.10.2/24 - the address to use, within the subnet defined in the server configuration.
    • DNS = 1.1.1.1, 1.0.0.1 - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
    • PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To= - the public key of the server, NOT the client public key.
    • AllowedIPs = 0.0.0.0/0 - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
    • Endpoint = example.com:33333 - the hostname or IP address (and port) used to reach the server. An IP address is only useful if you have a static address; otherwise a hostname with DynDNS is a better solution.
  • Save the file - Ctrl+X, Y then ↵ Enter.
  • The file can then be transferred to the client and imported into the WireGuard client ready for use.

Adding peers to the server configuration

  • Open the server configuration file - nano wg0.conf
  • Add the [Peer] section (the last block in the listing below) as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=
## The PostUp rules run when the WireGuard server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard server stops the virtual VPN tunnel.
## Specify the commands that allow traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
[Peer]
# one client which will be set up to use the 10.20.10.2 IP
PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=
AllowedIPs = 10.20.10.2/32
  • Tweak the file to match your client configuration:
    • PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM= - the public key generated for the client.
    • AllowedIPs = 10.20.10.2/32 - the IP address used for the tunnel, should match the client configuration file.
  • Save the file - Ctrl+X, Y then ↵ Enter.

Reloading the server

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:

systemctl reload wg-quick@wg0

or

systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

Adding further clients

  • Generate a public/private key pair as explained under the client section.
  • Create a configuration with the new public/private key pair generated.
  • Copy the configuration to the respective client.
  • Add another [Peer] section to the server configuration.
  • Reload the WireGuard server.
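As an added example (not part of the wiki page), here is a shell helper that appends a [Peer] block to wg0.conf the way the "Adding peers to the server configuration" section and the list above describe, with the checks a practitioner wants before touching a live config: that the client public key is well-formed (32 bytes base64-encoded, which is always 44 characters ending in "="), that the key is not already a peer, and that the tunnel address is not already allocated to another peer. next_free_ip picks the next unused address in the server subnet so that further clients do not collide. The function names, the config path argument and the use of the page's own example keys as sample input are assumptions for illustration; the helper does not reload the service, so run systemctl reload wg-quick@wg0 afterwards as described above.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Appends a validated [Peer] block
# to a WireGuard server config. Assumes CONF is the wg0.conf path and that
# every peer uses a /32 AllowedIPs entry, as in the guide.

# looks_like_wg_key KEY: a WireGuard key is 32 bytes, base64-encoded, so it
# is exactly 43 base64 characters followed by one '=' pad character.
looks_like_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# peer_exists CONF PUBKEY: 0 if PUBKEY already appears as a PublicKey line.
peer_exists() {
    grep -Fqx "PublicKey = $2" "$1"
}

# ip_allocated CONF IP: 0 if IP/32 is already some peer's AllowedIPs.
ip_allocated() {
    grep -Fqx "AllowedIPs = $2/32" "$1"
}

# next_free_ip CONF PREFIX: print the first host PREFIX.2 .. PREFIX.254
# (PREFIX like 10.20.10; .1 is the server) not yet used by any peer.
next_free_ip() {
    n=2
    while [ "$n" -le 254 ]; do
        if ! ip_allocated "$1" "$2.$n"; then
            echo "$2.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# add_peer CONF PUBKEY IP [COMMENT]: refuse on a malformed key, a duplicate
# key or an address already in use; otherwise append the [Peer] block.
add_peer() {
    conf=$1; key=$2; ip=$3; comment=${4:-client}
    looks_like_wg_key "$key" || { echo "refusing: malformed public key" >&2; return 1; }
    peer_exists "$conf" "$key" && { echo "refusing: key is already a peer" >&2; return 1; }
    ip_allocated "$conf" "$ip" && { echo "refusing: $ip already allocated" >&2; return 1; }
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' \
        "$comment" "$key" "$ip" >> "$conf"
}

# Typical use on the server (as root):
#   ip=$(next_free_ip /etc/wireguard/wg0.conf 10.20.10)
#   add_peer /etc/wireguard/wg0.conf "$(cat client-publickey)" "$ip" "laptop"
#   systemctl reload wg-quick@wg0
```

The duplicate-address check matters because wg-quick will happily load two peers that both claim 10.20.10.2/32; the address is then bound to whichever peer is listed later, and the first client silently loses connectivity.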