selfhosted-apps-docker/wireguard/readme.md
2022-04-03 18:13:26 +02:00

8.3 KiB

WireGuard

guide-by-example

logo

Purpose & Overview

VPN.
When you need to connect to a machine/network over the internet, securely.

WireGuard is an opensource simple, fast and modern VPN.
Written in C, with userspace implementation written in Go.
WireGuard is included in linux kernel version 5.6 and newer.

WireGuard works at layer 3 and uses UDP protocol.
While with WireGuard there is no server-clients model, there are just peers connecting to each other, this gudie will setup peer_A as a server listening at a port, and clients will be connecting to it.

This setup runs directly on the host machine, not in a container.
Most of the stuff here is based on Arch wiki and this tutorial.

Files and directory structure

/etc/
└── wireguard/
    └── wg0.conf

Installation

on linux

Install wireguard-tools package, or whatever is the equivalent in your distro.
The package should provide two command line utilities

  • wg - utility for configuration and management of WireGuard tunnel interfaces
  • wg-quick - script for bringing up or down a WireGuard interface and provide some extra configuration functions

on Windows or macOS clients

Install the official application.

extra info:
Might be of interest server setup on Windows

on Android or iOS devices

Install the official app from the stores.

Configuration on linux server

  • switch to root and go in to in /etc/wireguard
    su
    cd /etc/wireguard
  • generate a private key
    wg genkey > peer_A.key
  • create a public key from the private key
    wg pubkey < peer_A.key > peer_A.pub

Use the generated keys in the wg0.conf, in the [Interface] section.

wg0.conf

[Interface]
PrivateKey = AA9q7CkUG3MuKP1eyyJFGgKzACIJ1rRIkkWYAi3p3WM=
# PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
Address = 10.200.200.1/24
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE

[Peer]
# TESTER-1
# PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
AllowedIPs = 10.200.200.2/32

[Peer]
# TESTER-2
# PrivateKey = QNc0dunuRQAjuKpFmRPqvPAysqpklctcdblqrazUT0o=
PublicKey = CAt7g42pPxgU5Lcc3uyNh5BmkITJS1K6XAoFbkhN6Qk=
AllowedIPs = 10.200.200.3/32

This configuration when run creates a new wg0 network interface on the machine.

[Interface] - section defining wg0 wireguard interface

  • PrivateKey - the key that was generated, identifies the server, will be used to encrypt packets
  • # PublicKey - just a note, what is the public key of the private key
  • Address - IP address on the created wg0 network interface, can be whatever you want as long as it does not clash with other networks. /24 defines the mask as 255.255.255.0
  • ListenPort - port on which wireguard connects to the internet, using UDP protocol
  • PostUp/PostDown - section where one can define what should be done after the interface is turned on or off.
    In this case forwarding traffic across the tunnel and enabling NAT for interface enp0s25 which you want to replace with your own
    This setup ipv4 only

[Peer] - section defining a peers that will be able to connect

  • PublicKey - public key of the peer
  • AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
    When wg-quick is run with these defined, a route is added in to the machines network stack that makes sure that if something wants IP address defined here, it is send through the wireguard tunnel and not the default gateway.
    Two peers can not have the same IP.
    In this case we want to define only single IP of the client as being accessible, allowed through.

ipv4 packet forwarding

Without this you will be be able to connect, but your access will be only to the wireguard host. To have access to the entire network you need to enable packet forwarding.

You can check current value cat /proc/sys/net/ipv4/ip_forward

To permanently enable it create a file

/etc/sysctl.d/99-sysctl.conf

net.ipv4.ip_forward=1

NAT forwarding on the router

Forward port 51820 to the machine running the wireguard server.

Start and enable the service

sudo systemctl enable --now wg-quick@wg0

Configuration on clients

TESTER-1.conf

[Interface]
PrivateKey = kGqwq/+xy8CISBLfOZVOa8Za02MRzg5bN3Ddcf5KV2M=
# PublicKey = eVolUbiYj1kY8neKiDnA+NPB2hhCcsGs7LNIhMvUYj0=
Address = 10.200.200.2/32

[Peer]
PublicKey = fuCKVQU+x/jukZq3WH5yorJ4mE665dkv2HKN/0mH5hQ=
AllowedIPs = 192.168.5.0/24
Endpoint = 63.123.113.495:51820

[Interface] - section defining wireguard interface

  • PrivateKey - private key of the peer
  • # PublicKey - just a note, what is the public key of the private key
  • Address - IP address on the created wireguard network interface, /32 defines its mask as 255.255.255.255 - a single host

[Peer] - section defining a peer, in this case server peer_A

  • PublicKey - public key of the server
  • AllowedIPs - IP addresses that you want to reach at the other end of the tunnel.
    When wg-quick is run with these defined, a route is added in to the network stack that makes sure that if something wants IP address defined here, it is send through the wireguard tunnel and not the default gateway.
    Two peers can not have same IP set in there.
    In this client case, we want to be able to communicate with the entire local network at the end of the tunnel, so the entire range is added.
  • Endpoint - public IP at which to find the WireGuard server across the internet

windows-client

Troubleshooting

  • can connect to the server, but not the LAN machines
    make sure you set your network interface in PostUp/PostDown section on the server

Extra info

  • sudo wg show
    shows current wireguard interface status, latest handshake, and parts of the configuration.
  • PersistentKeepalive
    Set in clients [Peer] section to the number of seconds, PersistentKeepalive = 25
    Used for specific case where clients need to communicate with other clients which are behind NAT. This setting, present in a client config which is behind NAT, sends periodic traffic to the server, ensuring that NAT table on the router/firewall wont expire for this connection.

Vanity address generation.

The generated crypto keys are used all over in configuration. Would it not be nice if at a simple glance you would immediatly know which peer they represent?

Well, what if you generate few millions of keys and pick the ones that fit some rule of having a desired string somewhere in the first letters?

https://github.com/warner/wireguard-vanity-address

  • install rust programming language, that comes with cargo package manager

  • install wireguard-vanity-address as a non root user
    cargo install wireguard-vanity-address
    it will be installed in to ~/.cargo/bin

  • run it with the desired string
    ~/.cargo/bin/wireguard-vanity-address fuck

      private OLyU1XhtCXTGzO+8ifCKR8skRL5md4n25/kiERHb3Gk=
      public fuCK9s9wyjQ8u6eUGzthFUUP6oV9FdnNnIzDvlJboD8=
    

Update

During host linux packages update.

Backup and restore

Backup

Using borg that makes daily snapshot of the /etc directory which contains the config file.

restore

Replace the content of the config file with the one from the backup.