Wireguard VPN
Published on
Updated on
Having some sort of VPN solution has always been a necessity for me. Whether it’s back in the day where LAN games where the rage and I wanted to play it with my distant friends, or nowadays when I need to be able to access my Desktop running simulations behind my home LAN.
This blog post is going to describe how I settled on Wireguard VPN as my preferred solution and how I use it to create a small secured network.
Keep note that I am not talking about a VPN that masks your internet traffic. For that, look up a VPN provider such as Private Internet Access or ProtonVPN.
About Wireguard
Wireguard is a point-to-point protocol. This means that you will be exchanging public and private keys between two clients and only those two clients will communicate with one another.
In a way this makes it a lot simpler than other VPN solutions like OpenVPN where you have to set up a key server. That doesn’t mean, however, that we cannot build upon this concept to create a secure network.
Now in order to create this network, we’ll need at least one publicly accessible through the Internet computer. I use a VPS instance on DigitalOcean to act as my server.
Key Generation
First you’ll want to get Wireguard installed, and then create public-private keys for both the server and the client computers.
On each machine:
cd /etc/wireguard
sudo umask 077
sudo wg genkey | tee privatekey | wg pubkey > publickey
On the server:
Edit /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.100.1/24
SaveConfig = false
ListenPort = 51826
PrivateKey = <server_private_key>
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.10.100.2/32
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 10.10.100.3/32
You might be wondering why we have /24
in the Address field but /32
in the AllowedIPs field.
This is because we want our address to be in the /24
subnet, but we only want that specific IP to be able to connect via that specific public key.
Firewall Rules First you want to make sure that the port you specified is open on your firewall
sudo ufw allow 51826
Next you’ll want to allow routing and any traffic to happen within that VPN interface.
sudo ufw route allow in on wg0 out on wg0
Now to have your server route traffic between the different clients connected to it, you need to enable IPv4 forwarding.
For current session:
sysctl -w net.ipv4.ip_forward=1
For persistence across reboots:
Edit /etc/sysctl.d/99-sysctl.conf
to make sure net.ipv4.ip_forward=1
On the client machines:
Edit /etc/wireguard/wg0.conf
[Interface]
Address = 10.10.100.x/32
PrivateKey = <client_private_key>
PostUp = ping -c1 10.10.100.1
DNS = 10.10.100.y # Include only if relevant
[Peer]
PublicKey = <server_public_key>
Endpoint = public_ip_or_domain:51826
AllowedIPs = 10.10.100.0/24
PersistentKeepalive = 21
Replace x
with a unique value per client. This configuration file has the client establish a connection to the server, send a packet via ping to initiate the connection and then try to persistently keep it alive.
The DNS server is helpful if you have a DNS server running in that private network to access local resources. If you don’t have an existing DNS server in the network, do not include that line. Also if you receive any errors in the future, you might need to make sure resolvconf
is a command on your system.
If you want you can also allow traffic within your trusted VPN network.
sudo ufw allow in on wg0 out on wg0
On all machines:
Have the Wireguard service start at boot
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Alternatively you can add the profile to NetworkManager for it to manage.
sudo nmcli connection import type wireguard file /etc/wireguard/wg0.conf
And enjoy a fully secure routable network!
Potential Errors
Wireguard depends on resolvconf
. I noticed that on Kubuntu 19.10, that is not installed by default. If you see a error message involving resolvconf
chances are you need to install that package.
sudo apt install resolvconf