WireGuard VPN Walkthrough

updated 7JUN19@1023

Installing WireGuard VPN on Debian Based Linux Servers with Ubuntu Based Linux Clients

WireGuard is a VPN that runs as a Linux kernel module and uses a small, fixed set of modern primitives (a Noise-based handshake, Curve25519, ChaCha20-Poly1305). In its published benchmarks it outperforms IPsec and OpenVPN on throughput and latency, and a working configuration is only a few lines per peer.

This Guide is Subject To Change at Any Point given improvements in the usability and configuration of WireGuard.

Steps to Install & Configure WireGuard

  • Install WireGuard on Server
  • Install WireGuard on Client
  • Generate Private/Public Key Sets
  • Write Server Conf
  • Write Client Conf
  • Set iptables and ipv4 forward
  • Install iptables-persistent
  • Open necessary firewalls ports
  • Stand up WireGuard on server
  • Stand up WireGuard on client

Install WireGuard on Server

Given a Debian install, run the following commands. At the time of writing WireGuard is packaged in unstable only, so the pin below lets apt pull wireguard from there without upgrading anything else.

# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard

The package pulls in wireguard-dkms, which compiles the kernel module against the running kernel, so the matching headers (apt install linux-headers-$(uname -r)) must be present or the build step fails. Verify the install with wg --version and sudo modprobe wireguard; a wireguard/ directory should also now exist under /etc/.

Install WireGuard on Client

Given an Ubuntu-based distro, run the following commands.

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

As on the server, this pulls in wireguard-dkms and needs the running kernel's headers. Verify the install with wg --version and sudo modprobe wireguard; a wireguard/ directory should also exist under /etc/. If the client config will use a DNS = line, also install resolvconf, which wg-quick calls to apply it.

Generate Private/Public Keys

Run the following on the server and on each client separately. Set a restrictive umask first so the private key file is not world-readable.

$ umask 077
$ wg genkey > PrivateKey
# This generates a private key and writes it to a file called PrivateKey
$ wg pubkey < PrivateKey > PublicKey
# This derives the public key from PrivateKey and writes it to a file called PublicKey

Keep PrivateKey on the machine that generated it; only the PublicKey files are exchanged between server and client.

Create wg0.conf in /etc/wireguard/ on each machine (owned by root, mode 0600, since it contains the private key). Paste the key contents, not the file paths, into the PrivateKey and PublicKey lines.

Server
[Interface]
# Chosen tunnel IP/CIDR for the server; a /24 lets it address every client in the range
Address = 192.168.16.1/24
# Server's PrivateKey
PrivateKey =
# UDP port the server listens on
ListenPort = 51820

[Peer]
# Client's PublicKey
PublicKey =
# Tunnel IP of this client; packets from this peer with any other source address are dropped
AllowedIPs = 192.168.16.2/32

Client
[Interface]
# Client's tunnel IP; must match the AllowedIPs entry for this client on the server
Address = 192.168.16.2/32
# Client's PrivateKey
PrivateKey =
# Optional on a client: if omitted a random port is used, and it need not match the server's
# ListenPort = 51820
# DNS server to use while the tunnel is up (LAN or WAN); wg-quick applies it via resolvconf
DNS = 8.8.8.8

[Peer]
# Server's PublicKey
PublicKey =
# Route all IPv4 traffic through the tunnel; also the only source range accepted from the server
AllowedIPs = 0.0.0.0/0
# Server's FQDN or IP address and UDP port
Endpoint = vpn.mcafeemediasolutions.com:51820
# Send a packet every 25 s so a NAT or stateful firewall in front of the client keeps the mapping open
PersistentKeepalive = 25
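The key and config steps above, as an added example that is not part of the original walkthrough: a POSIX shell script that checks key strings have the exact shape `wg` accepts (32 bytes of base64, so 44 characters with the padding bits of the 43rd character clear), renders the server and client wg0.conf without inline comments, and writes them with owner-only permissions. The tunnel range 192.168.16.0/24, the port 51820 and the endpoint name vpn.example.invalid are assumptions for the example; `wg genkey` is only called when the binary is present.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes tunnel range
# 192.168.16.0/24, UDP port 51820; the endpoint is passed in by the caller
# (vpn.example.invalid below is a placeholder, not the page's host).
set -eu

# A WireGuard key is 32 bytes of base64: 44 characters. 256 bits is not a
# multiple of 6, so the 43rd character may carry only 4 payload bits; `wg`
# rejects keys whose padding bits are set, and this check does the same.
valid_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Render the server [Interface] plus one [Peer] block.
# Arguments: server_private_key client_public_key client_tunnel_ip
render_server_conf() {
    valid_wg_key "$1" && valid_wg_key "$2" || return 1
    printf '[Interface]\n'
    printf 'Address = 192.168.16.1/24\n'
    printf 'ListenPort = 51820\n'
    printf 'PrivateKey = %s\n\n' "$1"
    printf '[Peer]\n'
    printf 'PublicKey = %s\n' "$2"
    printf 'AllowedIPs = %s/32\n' "$3"
}

# Arguments: client_private_key server_public_key client_tunnel_ip endpoint
render_client_conf() {
    valid_wg_key "$1" && valid_wg_key "$2" || return 1
    printf '[Interface]\n'
    printf 'Address = %s/32\n' "$3"
    printf 'PrivateKey = %s\n' "$1"
    printf 'DNS = 8.8.8.8\n\n'
    printf '[Peer]\n'
    printf 'PublicKey = %s\n' "$2"
    printf 'AllowedIPs = 0.0.0.0/0\n'
    printf 'Endpoint = %s\n' "$4"
    printf 'PersistentKeepalive = 25\n'
}

# Write a rendered config (on stdin) with mode 0600: it holds a private key.
write_conf() {
    umask 077
    cat > "$1"
}

# Full run with freshly generated keys; skipped when `wg` is not installed.
main() {
    command -v wg >/dev/null 2>&1 || { echo "wg not installed; nothing generated" >&2; return 0; }
    srv_priv=$(wg genkey); srv_pub=$(printf '%s' "$srv_priv" | wg pubkey)
    cli_priv=$(wg genkey); cli_pub=$(printf '%s' "$cli_priv" | wg pubkey)
    render_server_conf "$srv_priv" "$cli_pub" 192.168.16.2 | write_conf ./server-wg0.conf
    render_client_conf "$cli_priv" "$srv_pub" 192.168.16.2 vpn.example.invalid:51820 | write_conf ./client-wg0.conf
    ls -l ./server-wg0.conf ./client-wg0.conf
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh gen-wg-conf.sh run` on a box with wireguard-tools installed, then copy server-wg0.conf and client-wg0.conf to /etc/wireguard/wg0.conf on the respective machines. The format check matters because a key with a stray character or a wrong last character is accepted by a text editor but refused by `wg setconf`, and the error only surfaces when `wg-quick up` fails.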

Set IP Tables and Port Forward on Server

Run sudo cat /proc/sys/net/ipv4/ip_forward. If a 0 is returned, enable forwarding immediately with sudo sysctl -w net.ipv4.ip_forward=1 and make it permanent by running sudo nano /etc/sysctl.conf and uncommenting the line as in the example below.

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save using CTRL+O, ENTER, CTRL+X.

Run sudo iptables -t nat -A POSTROUTING -o $DEVICENAME -j MASQUERADE where $DEVICENAME is the name of the interface that faces the Internet and through which client traffic should leave. On older systems this is eth0; newer Debian and Ubuntu releases use predictable names such as ens3 or enp0s3. Run ip a s to list the installed interfaces and their addresses. If the server's FORWARD chain policy is DROP, also allow traffic between wg0 and that interface, or the tunnel will reach nothing beyond the server itself.

Install iptables-persistent using apt and, after adding the rules, run sudo netfilter-persistent save so they are restored at boot. An alternative that keeps everything in one place is to put the iptables commands in PostUp = and PostDown = lines of the server's wg0.conf so that wg-quick adds and removes them with the interface.

Forward Ports on WAN Routers/Firewall

This is setup specific. Use your router's or firewall's standard procedure to forward UDP port 51820 (the ListenPort above) to the server's LAN address. ONLY UDP needs to be forwarded: WireGuard does not use TCP at all.
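The server-side forwarding and NAT steps above, as an added example that is not part of the original walkthrough: a script that enables forwarding, adds the MASQUERADE rule plus the INPUT and FORWARD rules the page leaves implicit, and uses `iptables -C` so re-running it never stacks duplicate rules. The WAN interface name (default eth0), the tunnel range 192.168.16.0/24 and the sysctl drop-in path are assumptions; with DRY_RUN=1 it only prints what it would execute.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes: WAN interface in
# $1 (default eth0), tunnel interface wg0, UDP port 51820, tunnel range
# 192.168.16.0/24. Set DRY_RUN=1 to print the commands instead of running them.
set -eu

WAN="${1:-eth0}"
WG_IF=wg0
WG_PORT=51820
WG_NET=192.168.16.0/24
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when previewing.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append a rule only if an identical one is not already present (-C checks),
# so the script is safe to run repeatedly, e.g. from PostUp.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

firewall_rules() {
    # Accept the WireGuard UDP port from the WAN side.
    ensure_rule filter INPUT -i "$WAN" -p udp --dport "$WG_PORT" -j ACCEPT
    # Forward tunnel traffic out, and replies back in. Required when the
    # FORWARD policy is DROP; the MASQUERADE rule alone does not cover it.
    ensure_rule filter FORWARD -i "$WG_IF" -o "$WAN" -j ACCEPT
    ensure_rule filter FORWARD -i "$WAN" -o "$WG_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Source-NAT only the tunnel range, not everything leaving the WAN interface.
    ensure_rule nat POSTROUTING -s "$WG_NET" -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    # Runtime toggle plus a drop-in file so the setting survives a reboot.
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'printf "net.ipv4.ip_forward=1\n" > /etc/sysctl.d/99-wireguard.conf'
}

main() {
    enable_forwarding
    firewall_rules
    # Persist the ruleset via the iptables-persistent package.
    run netfilter-persistent save
}

# Apply only when an interface name is given: `sudo sh wg-fw.sh ens3`.
if [ "$#" -gt 0 ]; then main; fi
```

Preview first with `DRY_RUN=1 sh wg-fw.sh ens3`, then run it with sudo. Scoping the MASQUERADE rule to the tunnel range (-s) avoids NATing unrelated traffic the server might also route.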

Stand Up WireGuard on Server

Run sudo wg-quick up wg0. To bring the tunnel up at boot as well, run sudo systemctl enable wg-quick@wg0.
Run ip a s or sudo wg show. Output should resemble the below; a peer's endpoint, latest handshake and transfer lines only appear once that peer has connected.

user@Server $ sudo wg show
interface: wg0
public key: #Your PublicKey should appear here.
private key: (hidden)
listening port: 51820

peer: #Each configured peer's public key
endpoint: #Peer's WAN address and source port, once it has connected
allowed ips: 192.168.16.2/32
latest handshake: 1 minute, 7 seconds ago
transfer: 15.33 GiB received, 574.08 MiB sent

Stand Up WireGuard on Client

Run sudo wg-quick up wg0, then sudo wg show. Because AllowedIPs is 0.0.0.0/0, wg-quick installs policy-routing rules and marks the tunnel's own encrypted packets so they bypass the tunnel route; that mark is the fwmark line below.

user@client $ sudo wg show
interface: wg0
public key: #Your PublicKey should appear here.
private key: (hidden)
listening port: 51820
fwmark: 0xca6c

peer: #Server's public key
endpoint: #Server's WAN IP address and port
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 7 seconds ago
transfer: 15.33 GiB received, 574.08 MiB sent
persistent keepalive: every 25 seconds
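The latest handshake line is the one to watch: a peer that never handshakes, or whose last handshake keeps ageing, is not reachable. As an added example that is not part of the original walkthrough, the script below reads the machine-readable form of that output, `wg show wg0 dump`, and flags such peers so the check can run from cron instead of by eye. The 180-second threshold is an assumption (WireGuard rekeys about every two minutes and the keepalive above is 25 s, so anything older means traffic has stopped flowing).

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes interface wg0 and
# a 180 s staleness threshold (override with STALE_AFTER).
set -eu

STALE_AFTER="${STALE_AFTER:-180}"

# `wg show <iface> dump` prints the interface line first, then one
# tab-separated line per peer:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# where latest-handshake is epoch seconds and 0 means never.
# Argument: current epoch time; the dump text is read on stdin.
# Prints "NEVER <pubkey>" or "STALE <pubkey> <age-seconds>" per unhealthy peer.
stale_peers() {
    awk -F '\t' -v now="$1" -v limit="$STALE_AFTER" '
        NR == 1 { next }                      # interface line, not a peer
        $5 == 0 { print "NEVER", $1; next }   # never completed a handshake
        now - $5 > limit { print "STALE", $1, now - $5 }
    '
}

# Number of peers whose last handshake is within the threshold; same input.
healthy_count() {
    awk -F '\t' -v now="$1" -v limit="$STALE_AFTER" '
        NR > 1 && $5 != 0 && now - $5 <= limit { n++ }
        END { print n + 0 }
    '
}

# Live use (needs root to read the private state):
#   sudo wg show wg0 dump | stale_peers "$(date +%s)"
```

Pipe the live dump in as shown in the last comment; an empty result means every configured peer has handshaken recently.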

Verify connection from client

Using ssh, ping and/or netcat, attempt to contact the server over its tunnel address. In every example below, IP.Address.of.Server is the Address from the server's wg0.conf (192.168.16.1 above), NOT its public WAN IP.

SSH Example:
ssh user@IP.Address.of.Server

PING Example:
ping IP.Address.of.Server

netcat Example:
On Server:
nc -l -p 5001
On Client:
echo "TEST" | nc IP.Address.of.Server 5001
TEST should appear on the server's terminal.

Verify Traffic Routes Through the Tunnel

From the client, Google what is my ip? (or run curl -4 https://ifconfig.me). The address shown should be the server's WAN address. If the client's own WAN address appears, traffic is not leaving through the tunnel: check that AllowedIPs on the client is 0.0.0.0/0, that ip_forward is 1 on the server, and that the MASQUERADE rule names the server's Internet-facing interface.

Additional verification steps

Install nload and launch it in the terminal. Use the arrow keys to switch to the wg0 panel, then load a YouTube video and watch for traffic on it.
Install nethogs and launch it with sudo nethogs wg0. Load a YouTube video and confirm the browser's traffic is attributed to interface wg0.