Setting up Wireguard on a home linux server

Wireguard is a peer-to-peer VPN solution with manual IP assignment and pre created keys, so it works well if you want to dial home to your home network, but is not really suited for something large scale that requires dynamic allocation and user management.

Step 1 - set up the server on Ubuntu


Enable IP forwarding

To have access the outside network through your server once you dial home.

Run first

sysctl -w net.ipv4.ip_forward=1

Then edit

/etc/sysctl.conf

and uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

Install Wireguard for Ubuntu

sudo add-apt-repository ppa:wireguard/wireguard
apt install wireguard

Generate private and public keys

# generate private key
wg genkey > example.key

# generate public key
wg pubkey < example.key > example.key.pub

Take note of the content of example.key.pub, you will need it for the client.

Enable the Wireguard network interface

sudo systemctl enable wg-quick@wg0


Start the Wireguard interface

wg-quick down wg0; wg-quick up wg0

Edit /etc/wireguard/wg0.conf to complete the missing sections

[Interface]
Address = 10.10.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTF0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTF0 -j MASQUERADE
ListenPort = 51820
PrivateKey = SHOULDBEHEREALREADY=

Replace INTF0 with your actual network card that faces the internet (e.g., enp3s0).

The address will be your server's address for wg0. PostUp and PostDown commands enable IP forwarding for the clients.

Step 2 - set up the client


Download an official Wireguard app from https://www.wireguard.com/install/

In the client app, modify the config to complete it to something like this

[Interface]
PrivateKey = SHOULDBEHEREALREADY=
Address = 10.10.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVERSPUBLICKEYFROM_EXAMPLE_PUB_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myregistered.noip.com:51820

It's a good idea to register a dynamic DNS address for your endpoint and auto-update it with a script.

The address will be the client's address on the Wireguard's network, and the DNS will be used for that network for name resolution.

The peer is the server, so we need to add the server's public key to the client. AllowedIPs is telling the client what traffic to route through to the server (in this case, all traffic will be routed to the server).
The Endpoint is the server's public IP address or domain name.

Last important step - add the client's config to the server

On the server, run 

sudo wg set wg0 peer CLIENTSPUBLICKEY= allowed-ips 10.10.0.2/32

This will allow the server to accept the client and route the traffic back to it that belongs to it, once connected.


Step 3 - on client, route only local / LAN traffic to Wireguard

Calculate the correct network mask instead of using the 0/0 mask ,and put that into the AllowedIPs.
Remove the DNS entry, otherwise name resolution won't work.

Something like this:

[Interface]
PrivateKey = efghi12234=
Address = 10.10.0.10/32

[Peer]
PublicKey = abcd1234=
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.your.domain.com:51820

Comments

Popular posts from this blog

MurMurHash3, an ultra fast hash algorithm for C# / .NET

ESP32 - send a push notification from the Arduino ESP32 device to your phone

Octoprint as a systemd service - running it with high priority