
WireGuard

From ThinkServer
Revision as of 00:10, 16 October 2025 by Sam (Configure the server: split the section up and added permissions bullet point)

WireGuard is a lightweight VPN server that has been built into the Linux kernel since version 5.6, which makes it very easy to set up on a Linux server. This guide details how to install and configure it on this server.

Before you start

You will need to install the following packages:

  • openresolv (for DNS resolution)
  • wireguard-tools

Install the required packages

  • Type sudo zypper in openresolv wireguard-tools
  • Press Y to accept

Allow IP forwarding

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

  • Open a terminal window
  • Move to /etc - cd /etc
  • Open sysctl.conf for editing - sudo nano sysctl.conf
  • Type your root password and press ↵ Enter
  • At the end of the file, type the following:
net.ipv4.ip_forward=1
  • Press Ctrl+X then Y to save then ↵ Enter to confirm saving the file
  • Load the changes - sysctl -p

Restart the computer

  • After completing the previous steps, restart the computer. This activates openresolv (no further configuration is needed) and ensures IP forwarding is enabled. You are now ready to configure WireGuard.

Allow port forwarding on the router

  • Port 33333 (or whichever port you choose later) must be forwarded through your router to this server. Ensure the forwarding rule is for UDP, NOT TCP.

Configure the server

We will now configure the server settings for WireGuard. WireGuard ships with the tools needed to create the private/public key pair it relies on, and it is configured with a single, simple configuration file.

Become a superuser

For the following steps, you may need to become a superuser (su) to access the WireGuard folder.

  • Become a superuser - su

Move to WireGuard directory

  • Type your root password and press ↵ Enter. The terminal text should change to red to indicate you are now a superuser.
  • Move to the WireGuard directory - cd /etc/wireguard

You will find this directory is empty. We will work in this directory because it is only accessible to the superuser, so the keys and configuration we create here stay protected.

Generate public/private key pair

  • Create a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
    • server-privatekey and server-publickey are just filenames; you can name them anything you want, as long as you use the same names in the later steps. These files are not read by WireGuard itself; the private key is copied into the configuration file.


Warning

The private key generated should NEVER leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key cannot be used to compromise the server, so it does not need to be stored with the same level of protection.

All private/public keys in this guide were generated as an example and are not in use on this server.


  • Change the permissions of the private key so that only superusers can access the key: chmod 600 server-privatekey
  • The private key must be copied into the configuration file, so display it on screen: cat server-privatekey. Copy the key that is printed.

Create configuration file

  • We will create a configuration file with the same name as the interface WireGuard will create: nano wg0.conf
  • Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=
## The PostUp rules run when the WireGuard server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard server stops the virtual VPN tunnel.
## These commands allow traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
  • Tweak the file to match your server configuration:
    • Address = 10.20.10.1/24 - this is the address used by the WireGuard interface and should be different from your local network subnet.
    • ListenPort = 33333 - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
    • PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA= - paste the key you generated and copied earlier.
    • PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE and PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE - the interface name (em1 in this example) must be changed to the name of the Ethernet card in your computer. You can find it by typing ip a. Common names include eth0, eno1 and em1.
  • Once done, save the file: Ctrl+X, Y then ↵ Enter.
  • Change the permissions so that the configuration file can only be accessed by superusers: chmod 600 wg0.conf
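As an added example (not part of the original page), the following script checks a finished wg0.conf for the points this section cares about: 600 permissions, a well-formed PrivateKey, a valid ListenPort, and PostUp/PostDown iptables rules that mirror each other so nothing is left behind when the tunnel stops. The sample config it writes is constructed from the values above using the page's example key; it assumes POSIX sh with find, sed, grep and sort and needs no WireGuard tools.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a read-only sanity check for a
# wg-quick file such as the wg0.conf above. Needs no WireGuard tools (POSIX sh plus
# find, sed, grep, sort), so it can run before the tunnel is first started.
# Read one "Key = value" setting from the config file; the first match wins.
wg_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_wg_conf() {
    f=$1
    # 1. Only the owner (root) may read a file that holds the private key.
    [ -n "$(find "$f" -perm 600 -print 2>/dev/null)" ] \
        || { echo "$f: mode is not 600"; return 1; }
    # 2. A WireGuard key is 32 bytes: 43 base64 characters plus one '=' of padding.
    wg_setting "$f" PrivateKey | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || { echo "$f: PrivateKey missing or malformed"; return 1; }
    # 3. ListenPort is the UDP port the router must forward; it must be 1..65535.
    port=$(wg_setting "$f" ListenPort)
    echo "$port" | grep -Eq '^[0-9]+$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "$f: ListenPort missing or out of range"; return 1; }
    # 4. Rewrite each PostDown "-D" as "-A" and compare the sorted rule sets: they
    #    must be identical, or teardown leaves a FORWARD/MASQUERADE rule behind.
    up=$(sed -n 's/^[[:space:]]*PostUp[[:space:]]*=[[:space:]]*//p' "$f" | sort)
    down=$(sed -n 's/^[[:space:]]*PostDown[[:space:]]*=[[:space:]]*//p' "$f" \
        | sed 's/ -D / -A /' | sort)
    [ -n "$up" ] && [ "$up" = "$down" ] \
        || { echo "$f: PostUp and PostDown iptables rules do not match"; return 1; }
    echo "$f: OK"
}

# Constructed sample config; the key is the example key from this page, not a live one.
# The umask makes the file 600 from the moment it is created, which is also the right
# way to run 'wg genkey' so the private key is never world-readable, even briefly.
write_sample() {
    ( umask 077; cat > "$1" <<'EOF'
[Interface]
Address = 10.20.10.1/24
ListenPort = 33333
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
EOF
    )
}
```

Run check_wg_conf /etc/wireguard/wg0.conf as root after editing the file; a non-zero exit and the printed reason tell you what to fix before systemctl start.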

Start WireGuard

  • Type systemctl start wg-quick@wg0 to start WireGuard.
    • wg0 is the name of the WireGuard interface and of the configuration file we created. If you used a different name, change it here to match the configuration file.
  • Check that WireGuard is running: wg show. You should see something similar to the following if all is well:
interface: wg0
  public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
  private key: (hidden)
  listening port: 33333
  • The public key should match the one generated earlier and can be viewed by typing cat server-publickey
  • If you would like WireGuard to start on startup, type the following: systemctl enable wg-quick@wg0