Setting up Wireguard

Steps

Step 1: Install the dependencies

Here you will need to install the packages that WireGuard needs to work.

```bash
## Debian or Ubuntu
sudo apt install wireguard

## RHEL-based
sudo dnf install wireguard-tools
```

Step 2: Setup wireguard interface configs

This step requires you to do multiple things:

a) Generate a private and public key for both the server and the client.
b) Create a WireGuard interface config for both the server and the client. In this step you will need to choose an IP for both server and client (the usual choice is a subnet inside 10.0.0.0/8, e.g. 10.200.1.x/24).

A: Create Pub & Priv keys (server & client)

Here we will generate a private and public key for both the server & client.

```bash
## Much of this will be inline commands with pipes, but feel free to separate them if you feel you need to.
## Private keys should only be readable by you; umask makes the files below mode 600 when created.
umask 077
### Generate pub and priv key for server
wg genkey | tee wg0-server-privkey | wg pubkey > wg0-server-pubkey

### Generate pub and priv key for first client
wg genkey | tee wg0-client-privkey | wg pubkey > wg0-client-pubkey

## These are the networks you want your client to have access to (configured in the client's wg0.conf)
networks=10.200.1.0/24,192.168.1.0/24

## These are just my example IPs for a basic setup, you can use your own (it won't matter as long as they are valid addresses)
### The server IP needs to be one that will be on the network 10.200.1.0/24 (with the /24 at the end signifying the subnet mask)
server_ip=10.200.1.1/24

### While you can just use 10.200.1.0/24 in AllowedIPs, it will cause issues when you want to set up more peers/clients on that interface.
### To be able to provide VPN connections for multiple clients you will need to scope it down to a specific IP using the /32 netmask,
### otherwise all connections will have issues when you try to reload the wg interface config (as it will try to forward all traffic across all peers)
client_ip=10.200.1.2

masquerade_interface=eno1 # You will need to find out what interface you want/need to use (just look it up with "ip address" or "ifconfig" (whatever your util is))
```

```bash
### This will actually generate the config using bash, but feel free to do it manually (for your choice of IPs you will need to make sure you 
cat > wg0-server.conf <<EOF
[Interface]
Address = $server_ip
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $masquerade_interface -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $masquerade_interface -j MASQUERADE
## This can be any port, this is just the standard port that most choose when using WireGuard
ListenPort = 51820
PrivateKey = $(<wg0-server-privkey)

[Peer]
# This needs to be the pubkey/public key of the peer (the client)
PublicKey = $(<wg0-client-pubkey)
AllowedIPs = $client_ip/32
# This has the server send a keepalive packet to the client every x seconds to make sure the connection stays alive (WireGuard runs over UDP, a stateless protocol)
PersistentKeepalive = 24
EOF
```

Note: You can configure MULTIPLE peers when creating the server config (to allow it to provide VPN services to multiple clients off the same port).

But when doing so you will need to set the AllowedIPs of each peer to a single IP (EX: 10.200.1.x/32), or else it will confuse wg. To do this you just need to add an additional peer section with the new peer's pubkey and IP.

```bash
## The client needs to know where to reach the server: the public IP or hostname of your router/gateway plus the port you forward to the server's ListenPort (placeholder, fill in your own)
server_endpoint=your.public.hostname.or.ip:51820

cat > wg0-client.conf <<EOF
[Interface]
Address = $client_ip/24
PrivateKey = $(<wg0-client-privkey)

[Peer]
# This needs to be the pubkey/public key of the server
PublicKey = $(<wg0-server-pubkey)
Endpoint = $server_endpoint
### This is where you configure what networks you want your WireGuard interface to reach on the other end (if the masquerading interface has access to them)
AllowedIPs = $networks
# This has the client send a keepalive packet to the server every x seconds to make sure the connection stays alive (WireGuard runs over UDP, a stateless protocol)
PersistentKeepalive = 24
EOF
```
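As an added example (not part of the original notes): a small bash generator that builds a multi-peer wg0-server.conf and a check that every peer's AllowedIPs is a unique /32 host route, which is the rule the note above describes. It assumes constructed placeholder keys instead of the output of wg genkey / wg pubkey, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes. Keys are constructed placeholders;
# in real use they come from `wg genkey` / `wg pubkey` as in Step 2.

# gen_server_conf SERVER_IP LISTEN_PORT MASQ_IF SERVER_PRIVKEY name=pubkey=ip ...
# Prints a server config with one [Peer] section per client. Every client gets
# a /32 AllowedIPs so peer routes never overlap (the multi-peer rule above).
gen_server_conf() {
  local server_ip=$1 port=$2 masq_if=$3 privkey=$4
  shift 4
  printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' \
    "$server_ip" "$port" "$privkey"
  printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$masq_if"
  printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$masq_if"
  local spec name rest pub ip
  for spec in "$@"; do
    name=${spec%%=*}; rest=${spec#*=}; pub=${rest%%=*}; ip=${rest#*=}
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\nPersistentKeepalive = 24\n' \
      "$name" "$pub" "$ip"
  done
}

# check_peer_allowed_ips FILE
# Returns 0 only if every AllowedIPs line under a [Peer] section is a single
# /32 host route and no address is used by two peers; run it before `wg-quick up`.
check_peer_allowed_ips() {
  awk '
    BEGIN { bad = 0 }
    /^\[Peer\]/ { in_peer = 1; next }
    /^\[/       { in_peer = 0; next }
    in_peer && /^AllowedIPs/ {
      sub(/^AllowedIPs *= */, "")
      if ($0 !~ /^[0-9.]+\/32$/) { print "not a /32 host route: " $0; bad = 1 }
      else if (seen[$0]++)       { print "duplicate peer address: " $0; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Usage: generate a config for two clients and validate it (placeholder keys).
gen_server_conf 10.200.1.1/24 51820 eno1 SERVER_PRIVKEY_PLACEHOLDER \
  laptop=LAPTOP_PUBKEY_PLACEHOLDER=10.200.1.2 \
  phone=PHONE_PUBKEY_PLACEHOLDER=10.200.1.3 > wg0-server.conf.example
check_peer_allowed_ips wg0-server.conf.example && echo "peer AllowedIPs look sane"
```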

Step 3: Configure System to allow masquerading

By default most Linux systems don't forward packets between interfaces, so programs can't set up masquerading on their own. You need to change a setting in /etc/sysctl.conf to enable forwarding (which masquerading relies on).

In the config file you will either need to add or uncomment the following line so the kernel forwards traffic from the WireGuard interface out through the masquerading interface (giving you access to the network it is connected to).

```
net.ipv4.ip_forward=1
```

Afterwards you will likely need to load the change into your system.

```bash
## Can also use "sudo sysctl --system" to just have it reload all configs
sudo sysctl --load=/etc/sysctl.conf

# or just set it manually (this only changes the running kernel; the line in /etc/sysctl.conf is what survives a reboot)
sudo sysctl net.ipv4.ip_forward=1
```

Step 4: Setup persistent service on server (or client)

Here is where you will set up a service to make sure your wg interface is started after a boot or reboot.

```bash
# Systemd as init system
## Replace wg# with the wg interface you named/created in step 2
sudo systemctl enable wg-quick@wg#
```

Step 5: Deploy on client and server

This is simple. You just have to put the configs we generated in step 2 in the /etc/wireguard directory as wg#.conf (with # being the WireGuard interface number, which can be anything) on both the server and client.

Afterwards you can

Step 6: Setup port forwarding on router/gateway

For this step you just need to get on your router and forward a UDP port on the router to the port configured on your server (the ListenPort, 51820 in the example above). I cannot provide the specific how-to for that since I cannot account for all the different devices that you may be using.

Step 7: Test work

Now all you have to do is test that your config works.

Just go ahead and issue this command on your server and client (with the client off your home network):

```bash
sudo wg-quick up wg#
```

After this you should see packets/traffic (transfer counters) when running "wg" to see how much data has been transferred to and from the interface.
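An added example, not from the original notes, for checking the result of this step: a bash function that reads the tab-separated output of `wg show wg0 dump` and flags peers that have never completed a handshake or whose last handshake is older than a threshold. The sample dump below is constructed with placeholder keys and a documentation IP, and the function name is my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes.
# `wg show <iface> dump` prints one tab-separated line for the interface
# (private-key, public-key, listen-port, fwmark) and then one line per peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch
# seconds, 0 = never), transfer-rx, transfer-tx, persistent-keepalive.

# wg_peer_health DUMP_TEXT NOW_EPOCH MAX_AGE_SECONDS
# Prints one line per peer starting with OK, STALE or NEVER, so you can see at
# a glance which clients really connected instead of only eyeballing `wg`.
wg_peer_health() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1 { next }                          # skip the interface line
    NF < 8  { next }                          # ignore anything malformed
    {
      if ($5 == 0)             status = "NEVER"
      else if (now - $5 > max) status = "STALE"
      else                     status = "OK"
      printf "%s %s endpoint=%s allowed=%s rx=%d tx=%d\n",
             status, substr($1, 1, 8) "...", $3, $4, $6, $7
    }'
}

# Constructed sample of `wg show wg0 dump` (placeholder keys, documentation IP).
SAMPLE_DUMP=$(
  printf 'SERVER_PRIV_PLACEHOLDER\tSERVER_PUB_PLACEHOLDER\t51820\toff\n'
  printf 'LAPTOP_PUB_PLACEHOLDER\t(none)\t203.0.113.5:41234\t10.200.1.2/32\t1700000000\t1024\t2048\t24\n'
  printf 'PHONE_PUB_PLACEHOLDER\t(none)\t(none)\t10.200.1.3/32\t0\t0\t0\t24\n'
)

# Usage on a real box: wg_peer_health "$(sudo wg show wg0 dump)" "$(date +%s)" 180
wg_peer_health "$SAMPLE_DUMP" 1700000100 180
```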