WireGuard Quickly - Ivan Kovmir

WireGuard Quickly

Last edit: 2024-10-08

WireGuard quick setup guide.

Introduction

WireGuard is a simple and secure VPN. In essence, a VPN lets multiple hosts communicate with one another across the internet as if they were plugged into the same switch. It has nothing to do with hiding your public IP address as such, but it can be used for that as well. For instance, you will be able to reach your home desktop computer from your laptop or phone wherever you go, provided both are connected to the internet.

Key Pairs

WireGuard uses a key pair per device to secure the traffic, just like SSH. Invoke wg genkey | tee privatekey | wg pubkey > publickey on each device to create them. The private key never leaves the device; the public key is what you share with the other peers.

Server

The server has to have a public IP address. Save under /etc/wireguard/srv.conf:

[Interface]
Address = 10.9.0.1/24
PrivateKey = SERVER_PRIVATE_KEY_HERE
ListenPort = 51820

[Peer]
PublicKey = HOST_PUBLIC_KEY_HERE
AllowedIPs = 10.9.0.2/32

[Peer]
PublicKey = ANOTHER_HOST_PUBLIC_KEY_HERE
AllowedIPs = 10.9.0.3/32

To let VPN hosts reach one another, not just the server, invoke sysctl net.ipv4.ip_forward=1 on the server. The firewall must accept UDP on ListenPort and allow forwarding on the WireGuard interface (wg-quick names it after the config file, so srv here rather than wg0). AllowedIPs under each [Peer] restricts which addresses that peer may use: the server accepts packets from, and routes packets to, only the listed /32 for that peer. Run wg-quick up srv to start.

Hosts

Save under /etc/wireguard/cli.conf:

[Interface]
Address = 10.9.0.2/24
PrivateKey = HOST_PRIVATE_KEY_HERE

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = SERVER.PUBLIC.IP.HERE:51820
AllowedIPs = 10.9.0.0/24

AllowedIPs here routes the whole VPN subnet through the server, so this host can reach every other VPN host. A host without a public IP address (behind NAT) is only reachable while its NAT mapping is alive; to keep it reachable all the time, add PersistentKeepalive = 25 to the [Peer] section of the host config. Run wg-quick up cli to connect.

Hiding IPs

It is possible to use the WireGuard server as an internet gateway to hide your IP address, so that the websites you visit see the server's public IP address rather than yours.

AllowedIPs in the host's [Peer] section must be set to 0.0.0.0/0 (all traffic goes through the tunnel), IP forwarding must be enabled on the server as above, and the server's firewall must be configured to do IP masquerading, for example with this nftables chain:

chain postrouting {
    type nat hook postrouting priority 100; policy accept;

    # Masquerade WireGuard traffic leaving via the public interface
    # (eth0 here; adjust to the server's actual uplink interface).
    oifname eth0 ip saddr 10.9.0.0/24 masquerade
}
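The server, host and gateway configs from the Server, Hosts and Hiding IPs sections, generated by a small POSIX sh script. This is an added example, not part of the original guide: it assumes the key material already exists (from wg genkey above), that the VPN subnet is 10.9.0.0/24 with the server at .1 and hosts numbered .2, .3, ... in the order their public keys are given, and it writes the files with mode 600 so the private key is not world-readable.

```shell
#!/bin/sh
# Render WireGuard configs matching the layout described in this guide.
# Assumed (not from the page): hosts get 10.9.0.2, 10.9.0.3, ... in order.
set -eu

# render_server SERVER_PRIVKEY HOST_PUBKEY... -> srv.conf text on stdout,
# one [Peer] per host, each pinned to a single /32 via AllowedIPs.
render_server() {
    srv_key=$1; shift
    printf '[Interface]\nAddress = 10.9.0.1/24\nPrivateKey = %s\nListenPort = 51820\n' "$srv_key"
    n=2
    for pub in "$@"; do
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.9.0.%d/32\n' "$pub" "$n"
        n=$((n + 1))
    done
}

# render_host HOST_PRIVKEY HOST_INDEX SERVER_PUBKEY SERVER_PUBLIC_IP [gateway]
# -> cli.conf text on stdout. In "gateway" mode AllowedIPs becomes
# 0.0.0.0/0 (all traffic via the server); otherwise only the VPN subnet.
# PersistentKeepalive is always set so a host behind NAT stays reachable.
render_host() {
    host_key=$1; n=$2; srv_pub=$3; endpoint=$4; mode=${5:-lan}
    if [ "$mode" = gateway ]; then allowed=0.0.0.0/0; else allowed=10.9.0.0/24; fi
    printf '[Interface]\nAddress = 10.9.0.%d/24\nPrivateKey = %s\n' "$n" "$host_key"
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$srv_pub" "$endpoint"
    printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$allowed"
}

# write_conf PATH < config: the file holds a private key, so create it
# with a restrictive umask and force mode 600 (wg-quick also warns otherwise).
write_conf() {
    umask 077
    cat > "$1"
    chmod 600 "$1"
}

# Usage with placeholder keys (constructed, not real key material):
#   render_server SRV_PRIV HOST_A_PUB HOST_B_PUB | write_conf /etc/wireguard/srv.conf
#   render_host HOST_A_PRIV 2 SRV_PUB 203.0.113.10 | write_conf /etc/wireguard/cli.conf
```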

Further Steps

As soon as you have everything up and running, benchmark your VPN download and upload speeds with iperf. Here is a great performance tuning article.

© 2024 Ivan Kovmir — CC-BY-NC-SA 4.0 License