Want to set up a simple security VPN, that routes all your internet traffic out of a potentially hostile network through a trusted VM somewhere? Here you go. Note that while all this is tested and working, this is still literal day zero of my personal experience with Wireguard; in particular while Wireguard claims to use only the most secure crypto (the best, everybody says that!) I not only have not really investigated that, I don’t know how to configure that part of it, so this is just using whatever the WG defaults are. Caveat imperator.
Installing Wireguard, generating keys:
This first set of steps is the same for all machines. Substitute the actual machine name as appropriate; you want to make sure you know which of these keys is which later on down the line, so actually name them and don’t be sloppy about it.
root@machine:~# apt-add-repository ppa:wireguard/wireguard ; apt update ; apt install wireguard-dkms wireguard-tools root@machinename:~# mkdir /etc/wireguard/keys root@machinename:~# chmod 700 /etc/wireguard/keys root@machinename:~# touch /etc/wireguard/keys/machinename.wg0.key root@machinename:~# chmod 600 /etc/wireguard/keys/machinename.wg0.key root@machinename:~# wg genkey > /etc/wireguard/keys/machinename.wg0.key root@machinename:~# wg pubkey < /etc/wireguard/keys/machinename.wg0.key > /etc/wireguard/keys/machinename.wg0.pub
OK, you’ve installed wireguard on your server VM and one or two clients, and you’ve generated some keys.
Setting up your server VM:
Create your config file on the server, at /etc/wireguard/wg0.conf:
[Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = YOUR_SERVER_PRIVATE_KEY SaveConfig = false # Internet Gateway config: nat wg1 out to the internet on eth0 PostUp = iptables -A FORWARD -i wg1 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg1 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] # Client1 PublicKey = PUBLIC_KEY_FROM_CLIENT1 AllowedIPs = 10.0.0.2/32 [Peer] # Client2 PublicKey = PUBLIC_KEY_FROM_CLIENT2 AllowedIPs = 10.0.0.3/32
Now you’ll need to enable ipv4 forwarding in /etc/sysctl.conf.
root@server:~# sed -i 's/^#net\.ipv4\.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf root@server:~# sysctl -p
Enable your wg0 interface to start automatically at boot, and bring it up:
root@server:~# sysctl enable wg-quick@wg0 root@server:~# sysctl start wg-quick@wg0
Server should be good to go now.
Setting up your clients:
Client setup is a bit simpler; all you really need is the /etc/wireguard/wg0.conf file itself.
[Interface] # CLIENT1 Address = 10.0.0.2/24 PrivateKey = CLIENT1_PRIVATE_KEY SaveConfig = false # the DNS line is broken on 18.04 due to lack of resolvconf # DNS = 188.8.131.52 [Peer] # SERVER PublicKey = PUBLIC_KEY_FROM_SERVER Endpoint = wireguard.yourdomain.fqdn:51820 # gateway rule - send all traffic out over the VPN AllowedIPs = 0.0.0.0/0
Note that I have the
DNS = 184.108.40.206 line commented out above – its syntax is correct, and it works fine on Ubuntu 16.04, but on 18.04 it will cause the entire interface not to come up due to a lack of installed resolvconf.
You can use
sysctl enable wg-quick@wg0 to have the wg0 interface automatically start at boot the way we did on the server, but you likely won’t want to. Without enabling it to start automatically at boot, you can use
sysctl start wg-quick@wg0 by itself to manually start it, and
sysctl stop wg-quick@wg0 to manually disconnect it. Or if you’re not in love with systemd, you can accomplish the same thing with the raw wg-quick commands:
wg-quick up wg0 to start it, and
wg-quick down wg0 to bring it down again. Your choice.
What about Windows? Android? Etc?
You can use TunSafe as a Windows client, and the WireGuard app on Android. Setup steps will basically be the same as shown above. On a Mac, you can reportedly
brew install wireguard-tools and have everything work as above (though you’ll need to invoke wg-quick directly; systemd isn’t a thing there).
If you’ve rooted your Android phone, you can build a kernel that includes the Wireguard kernel module; if you haven’t, stock kernels work fine – the Android app just runs in userspace mode, which is somewhat less efficient. (You’re currently stuck in userspace mode on a Mac no matter what, AFAIK; not sure what the story is with TunSafe on Windows.)
If you’re using iOS, there’s a Git repository that purports to be a Wireguard client for iPhone/iPad; but good f’n luck actually doing anything with it unless you’re pretty deep into the iOS development world already.