updated 7JUN19@1023
Installing WireGuard VPN on Debian Based Linux Servers with Ubuntu Based Linux Clients
WireGuard is a kernel-based VPN solution that features speeds several times faster than normal IPSEC based VPN solutions.
This Guide is Subject To Change at Any Point given improvements in the usability and configuration of WireGuard.
Steps to Install & Configure WireGuard
- Install WireGuard on Server
- Install WireGuard on Client
- Generate Private/Public Key Sets
- Write Server Conf
- Write Client Conf
- Set
iptablesandipv4 forward - Install
iptables-persistent - Open necessary firewalls ports
- Stand up WireGuard on server
- Stand up WireGuard on client
Install WireGuard on Server
Given a Debian install, run the following commands.
# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard
Verify install by running sudo ls /etc/. Your etc directory should include a wireguard/ directory.
Install WireGuard on Client
Given a Ubuntu-based *nix distro, run the following commands.
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
Verify install by running sudo ls /etc/. Your etc directory should include a wireguard/ directory.
Generate Private/Public Keys
Run the following on the server/clients separately:
$ wg genkey > PrivateKey
# This generates a public key and send the output to a file called PrivateKey
$ wg pubkey < PrivateKey > PublicKey
# This reads PrivateKey to generate a public key, which is then written to a file called PublicKey
Create a wg0.conf in /etc/wireguard/
Server
[Interface]
Address = 192.168.16.1/32 #Chosen IP/CIDR for Tunnel
PrivateKey = #PrivateKey for Server
ListenPort = 51820 #ListeningPort
[Peer]
PublicKey = #PublicKey of Client
AllowedIPs = 192.168.16.2/32 #Chosen IP/CIDR of Client
Client
[Interface]
Address = 192.168.16.2 #Clients Chosen IP, Must match Server side
PrivateKey = #Clients PrivateKey
ListenPort = 51820 #Matching Ports, Possibly can be asynchronous
DNS = 8.8.8.8 #LAN or WAN DNS Server
[Peer]
PublicKey = #Server Public Key
AllowedIPs = 0.0.0.0/0 #Allowed IP of Endpoints
EndPoint = vpn.mcafeemediasolutions.com:51820 #Peer or Servers FQDN or IP Address
PersistentKeepAlive = 25 #Keeps Firewall open when one client is behind a NAT
Set IP Tables and Port Forward on Server
Run sudo cat /proc/sys/net/ipv4/ip_forward. If a 0 is returned, run sudo nano /etc/sysctl.conf and uncomment as in the below example.
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Save using CTRL+O, ENTER, CTRL+X.
Run sudo iptables -t nat -A POSTROUTING -o $DEVICENAME -j MASQUERADE where $DEVICENAME is the name of the interfaces you’d like packets to be forwarded through. Note: this is likely eth0. This interfaces can be located using the command ip a s to see a list of active and installed interfaces.
Install iptables-persistent using apt.
Forward Ports on WAN Routers/Firewall
This is setup specific. Utilize standard procedures to forward your routers traffic on the above ports to your server. ONLY UDP traffic is necessary as WireGuard does not utilized TCP.
Stand Up WireGuard on Server
Run sudo wg-quick up wg0.
Run ip a s or sudo wg show. Output should match the below.
user@Server $ sudo wg show
interface: wg0
public key: #Your PublicKey should appear hear.
private key: (hidden)
listening port: 51820
peer: #Any Identified Peer's Public Keys
endpoint: #Peers WAN address
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 7 seconds ago
transfer: 15.33 GiB received, 574.08 MiB sent
Stand Up WireGuard on Client
user@client $ sudo wg show
interface: wg0
public key: #Your PublicKey should appear hear.
private key: (hidden)
listening port: 51820
fwmark: 0xca6c
peer: #Servers Public Key
endpoint: #Servers IP Address
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 7 seconds ago
transfer: 15.33 GiB received, 574.08 MiB sent
persistent keepalive: every 25 seconds
Verify connection from client
Using ssh ping and/or netcat attempt to contact the server.
SSH Example:
ssh user@IP.Address.of.Server Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.
PING Example:
ping IP.Address.of.Server Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.
netcat Example:
On Server:
nc -l -p 5001
On Client:
echo "TEST" | nc IP.Address.of.Server 5001
Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.
TEST should appear on Server cli.
Verify Port Forwarding
Google what is my ip?. If the WAN address of the Client appears, port forwarding is NOT setup correctly. Revisit the IPTables.
Additional verification steps
Install nload and launch it in the terminal. Navigate to the wg0 panel. Load a YouTube video and look for traffic.
Install nethogs and launch using sudo nethogs. Load a Youtube video and look for traffic coming from interface wg0.