Setting up Wireguard on a home linux server

Wireguard is a peer-to-peer VPN solution with manual IP assignment and pre created keys, so it works well if you want to dial home to your home network, but is not really suited for something large scale that requires dynamic allocation and user management.

Step 1 - set up the server on Ubuntu


Enable IP forwarding

To have access the outside network through your server once you dial home.

Run first

sysctl -w net.ipv4.ip_forward=1

Then edit

/etc/sysctl.conf

and uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

Install Wireguard for Ubuntu

sudo add-apt-repository ppa:wireguard/wireguard
apt install wireguard

Generate private and public keys

# generate private key
wg genkey > example.key

# generate public key
wg pubkey < example.key > example.key.pub

Take note of the content of example.key.pub, you will need it for the client.

Enable the Wireguard network interface

sudo systemctl enable wg-quick@wg0


Start the Wireguard interface

wg-quick down wg0; wg-quick up wg0

Edit /etc/wireguard/wg0.conf to complete the missing sections

[Interface]
Address = 10.10.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o INTF0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o INTF0 -j MASQUERADE
ListenPort = 51820
PrivateKey = SHOULDBEHEREALREADY=

Replace INTF0 with your actual network card that faces the internet (e.g., enp3s0).

The address will be your server's address for wg0. PostUp and PostDown commands enable IP forwarding for the clients.

Step 2 - set up the client


Download an official Wireguard app from https://www.wireguard.com/install/

In the client app, modify the config to complete it to something like this

[Interface]
PrivateKey = SHOULDBEHEREALREADY=
Address = 10.10.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVERSPUBLICKEYFROM_EXAMPLE_PUB_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myregistered.noip.com:51820

It's a good idea to register a dynamic DNS address for your endpoint and auto-update it with a script.

The address will be the client's address on the Wireguard's network, and the DNS will be used for that network for name resolution.

The peer is the server, so we need to add the server's public key to the client. AllowedIPs is telling the client what traffic to route through to the server (in this case, all traffic will be routed to the server).
The Endpoint is the server's public IP address or domain name.

Last important step - add the client's config to the server

On the server, run 

sudo wg set wg0 peer CLIENTSPUBLICKEY= allowed-ips 10.10.0.2/32

This will allow the server to accept the client and route the traffic back to it that belongs to it, once connected.

Step 3 - on client, route only local / LAN traffic to Wireguard

Calculate the correct network mask instead of using the 0/0 mask ,and put that into the AllowedIPs.
Remove the DNS entry, otherwise name resolution won't work.

Something like this:

[Interface]
PrivateKey = efghi12234=
Address = 10.10.0.10/32

[Peer]
PublicKey = abcd1234=
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.your.domain.com:51820

Comments

Post a Comment

Popular posts from this blog

MurMurHash3, an ultra fast hash algorithm for C# / .NET

Image
Finding good hash functions for larger data sets is always challenging. The well know hashes, such as MD5, SHA1, SHA256 are fairly slow with large data processing and their added extra functions (such as being cryptographic hashes) isn’t always required either. Performance and low collision rate on the other hand is very important, so many new hash functions were inverted in the past few years. One of the most notable ones is MurMurHash3, which is an improved version of its predecessor (v2). The new version can create both 32 bit and 128 bit hash values, making it suitable for a wide range of applications. 64 bit architecture The 32 bit hash isn’t too important for large amount of data matching, so I only worked with and tested the 128 bit version. The latter one is optimized for x86-64 architecture, giving amazing speeds for data processing. As a 128 bit value consists of two 64 integers, the processor is fairly good with working with such large hash values – they are not byte
. . .

Read more »

Quick select algorithm - find the Kth element in a list in linear time

Image
Quick select algorithm (Hoare's selection algorithm) – select the Kth element or  the first K element  from a list in linear time Working with large datasets is always painful, especially when it needs to be displayed in a ‘human readable’ format. It is a very frequent task to display only the largest, newest, most expensive etc. items. While sorting the whole dataset definitely gives a correct result, it is much slower than it needs to be – it needs at least O(n*log(n)) time and an it often uses recursion for the sorting, so in practice it can be quite slow. The quick select algorithm can get the top K element from a list of N items in linear time, O(n), with a very reasonable multiplication factor. The quick select does not use recursion so the performance is great for even large datasets. Algorithm The idea of the quick select is quite simple: just like with quicksort, select a random element from the list, and place every item that is smaller to the first half of the
. . .

Read more »

Octoprint as a systemd service - running it with high priority

Image
Octoprint provides remote access to your 3D printer, and as it's written in Python, you can run it on practically any operating system. If you are using a standard Raspberry PI image (for instance, because you run it on an Orange PI ), rather than the customised Octoprint image, you can manually install it and create a systemd service to run it: Add this to /etc/systemd/system/octoprint.service  [Unit] Description=Octoprint After=network.target [Service] ExecStart=/home/pi/octoprint/bin/octoprint serve WorkingDirectory=/home/pi/octoprint StandardOutput=inherit StandardError=inherit Restart=always User=pi CPUSchedulingPolicy=rr CPUSchedulingPriority=80 [Install] WantedBy=multi-user.target Then run sudo systemctl daemon-reload sudo systemctl enable octoprint This will start Octoprint on every reboot with a high priority (so unlikely to stutter during printing).
. . .

Read more »