Configuration of Wireguard

From packets2photons
Jump to navigation Jump to search

In this lab we will investigate Wireguard VPN, which aims to be faster, simpler, leaner, and more useful than IPsec. This guide is is based on Ubuntu 18.04 LTS.

Start with updating the repositories.

sudo apt update

If you can install wireguard with apt, using the command below, then do so on both client and server machines.

sudo apt install wireguard

If this does not work, then you might need to build from source, so see Installation of Wireguard on Raspberry Pi.

Now that you have installed wireguard, you can generate the public and private keys below. You should follow these steps for both machines.

sudo wg genkey > private.key
sudo wg pubkey > public.key < private.key

Create a configuration file on the server:

sudo vim /etc/wireguard/wg0.conf 

Adapt the following for your circumstances. The address is going to be private address space. You can modify the port, the number to whatever you like, just be aware that Wireguard will use UDP so ensure the appropriate firewall hole is open.

 [Interface]
 Address = 192.168.99.1/24
 ListenPort = 3500
 PrivateKey = sJgz1S8eJS1[never_reveal_private_keys]8oAR/lDYz+LfWg=
 PreUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o [interface_facing_internet] -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o [interface_facing_internet] -j MASQUERADE

 [Peer]
 PublicKey = ZgfBeiyyTxR1LSaMA0OE8rfd8ReS3nA2wmE7g9Wc6wU=
 AllowedIPs = 192.168.99.2/32

You can work out the private key with, the command below. Note that you cannot and should not try to mimic the keys in a how to:

less private.key

Also make sure you enable packet forwarding. This is a sysctl setting which tells the server's kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

We need to make this permanent so the server still forwards traffic after rebooting. Packet Forwarding

vim /etc/sysctl.conf

Create the same configuration file on the client:

sudo vim /etc/wireguard/wg0.conf 
 [Interface]
 PrivateKey = YHJ+pkvzSN[never_reaveal_private_keys]gwhQsfQEM=
 Address = 192.168.99.2/24
 DNS = 8.8.8.8

 [Peer]
 Endpoint = 10.64.0.1:3500
 PublicKey = S25QuCVpLgIVzMXxMTHIVHjmLTaCRgfzyHGsnn7vZQM=
 AllowedIPs = 0.0.0.0/0

You can now start and stop the Wireguard VPN with the following commands:

sudo wg-quick up wg0
sudo wg-quick down wg0

Make sure you test. Monitor using wireshark on your physical network adapter. You can also test your connection here to check for common DNS leaks https://www.dnsleaktest.com/