
      Set Up WireGuard VPN on Debian


      Updated by Linode. Contributed by Linode.

      What is WireGuard?

      WireGuard is a simple, fast, and secure VPN that utilizes state-of-the-art cryptography. With a small source code footprint, it aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec. WireGuard is still under development, but even in its unoptimized state it is faster than the popular OpenVPN protocol.

      WireGuard sets up standard network interfaces (such as wg0 and wg1), which behave much like the commonly found eth0 interface. This makes it possible to configure and manage WireGuard interfaces using standard tools such as ifconfig and ip. Currently, WireGuard is only available on Linux.

      Configuring WireGuard is as simple as setting up SSH. A connection is established by an exchange of public keys between server and client. Only a client that has its public key in its corresponding server configuration file is allowed to connect. A WireGuard server’s configuration file resembles the following example:

      /etc/wireguard/wg0.conf

      [Interface]
      PrivateKey = <Private Key>
      Address = 192.168.2.1/24, fd86:ea04:1115::1/64
      ListenPort = 51820
      PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
      SaveConfig = true

      [Peer]
      PublicKey = <Client Public Key>
      AllowedIPs = 192.168.2.2/24, fd86:ea04:1115::0/64

      In this guide you will learn how to install WireGuard on Debian, configure a WireGuard server and client, set up firewall rules, start the WireGuard service, connect the client and server, and test the connection.

      Caution

      Do not use WireGuard for critical applications. The project is still undergoing security testing and is likely to receive frequent major updates in the future.

      Before You Begin

      Install WireGuard

      1. Add the WireGuard repository to your sources list and pin the unstable suite to a low priority so that only packages unavailable elsewhere are pulled from it. Run these commands as root, since the redirections write under /etc. Apt will automatically update the package cache.

        echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
        printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
        
      2. Update your packages and install WireGuard and WireGuard tools. DKMS (Dynamic Kernel Module Support) will build the WireGuard kernel module.

        apt update
        apt install wireguard-dkms wireguard-tools
        

        If successful, you’ll see the following output:

        wireguard:
        Running module version sanity check.
         - Original module
           - No original module exists within this kernel
         - Installation
           - Installing to /lib/modules/4.9.0-9-amd64/updates/dkms/

        depmod...

        DKMS: install completed.
        Processing triggers for libc-bin (2.24-11+deb9u4) ...

      Configure WireGuard Server

      1. Change to the /etc/wireguard directory and generate a private and public key pair for the WireGuard server. umask is a shell builtin, so it has to run in the same root shell that writes the key files; otherwise the private key would be created with the default, world-readable permissions:

        cd /etc/wireguard
        sudo sh -c 'umask 077; wg genkey | tee privatekey | wg pubkey > publickey'

        This saves both the private and public keys as root-only files; they can be viewed with sudo cat privatekey and sudo cat publickey respectively.

      2. Create the file /etc/wireguard/wg0.conf and add the contents indicated below. You’ll need to enter your server’s private key in the PrivateKey field, and its private IP addresses in the Address field. Refer to the list below the example for more details.

        /etc/wireguard/wg0.conf

        [Interface]
        PrivateKey = <Private Key>
        Address = 192.168.2.1/24, fd86:ea04:1115::1/64
        ListenPort = 51820
        PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        SaveConfig = true

        • PrivateKey is the server’s private key generated in the previous step.

        • Address defines the private IPv4 and IPv6 addresses for the WireGuard server. Each peer in the VPN network should have a unique value for this field. Typical values are 10.0.0.1/24, 192.168.1.1/24, or 192.168.2.1/24. This is not the same as a private IP address that Linode can assign to your Linode instance.

        • ListenPort specifies which port WireGuard will use for incoming connections. The default is 51820. You will need to reference the value you set here in your firewall settings later.

        • PostUp and PostDown define commands to run after the interface is brought up or down, respectively. In this case, iptables is used to set Linux IP masquerade rules so that all clients share the server’s IPv4 and IPv6 address; the rules are removed again once the tunnel is down. The rules assume eth0 is the server’s public interface, and they only forward traffic if IP forwarding is enabled in the kernel (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding in sysctl).

        • SaveConfig tells wg-quick to write the running configuration back to this file when the interface is brought down, so peers added at runtime (for example with wg set) are kept. This also overwrites any edits made to the file while the interface was up.
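As an added example (not part of the Linode guide), the following Python script parses a wg0.conf like the one above and flags the mistakes these settings invite: placeholder keys left in place, AllowedIPs entries with host bits set (192.168.2.2/24 is routed as 192.168.2.0/24, as the wg output later in this guide shows), and peers whose AllowedIPs overlap, since WireGuard routes each address to exactly one peer. The sample configuration and its second peer are constructed; the two public keys are the example keys printed in this guide's wg output.

```python
import base64
import ipaddress

# Constructed sample: the guide's server wg0.conf with its PrivateKey placeholder
# still in place, plus a second peer whose AllowedIPs collide with the first.
# (The two public keys are the example keys shown in the guide's wg output.)
SAMPLE_CONF = """\
[Interface]
PrivateKey = <Private Key>
Address = 192.168.2.1/24, fd86:ea04:1115::1/64
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = I8s7YGMuUbPvStb686JjxfUAa/tzqZhcLDgiqRKlbWs=
AllowedIPs = 192.168.2.2/24, fd86:ea04:1115::0/64

[Peer]
PublicKey = Nrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg=
AllowedIPs = 192.168.2.3/32
"""


def parse_wg_conf(text):
    """Return (interface_settings, [peer_settings, ...]) from INI-style wg text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys end in '='
            current[key] = value
    return interface, peers


def is_wg_key(value):
    """A WireGuard key is 32 raw bytes, so 44 base64 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    interface, peers = parse_wg_conf(text)
    findings = []
    if not is_wg_key(interface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is missing or still a placeholder")
    claimed = []  # (network, peer number) already routed to some peer
    for n, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"peer {n}: PublicKey is missing or still a placeholder")
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            entry = ipaddress.ip_interface(cidr)
            net = entry.network
            if entry.ip != net.network_address:  # e.g. 192.168.2.2/24 -> 192.168.2.0/24
                findings.append(f"peer {n}: {cidr} has host bits set; the kernel routes {net}")
            for other, m in claimed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {m}'s {other}; "
                                    "whichever peer is added last takes the route")
            claimed.append((net, n))
    return findings
```

Running check_conf on the real /etc/wireguard/wg0.conf (as root, since the file is mode 600) before wg-quick up catches these problems before the interface is brought up with a placeholder key or a peer that silently steals another peer's route.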

      Set Up Firewall Rules

      1. Install UFW:

        sudo apt-get install ufw
        
      2. Allow SSH connections and WireGuard’s VPN port:

        sudo ufw allow 22/tcp
        sudo ufw allow 51820/udp
        sudo ufw enable
        
      3. Verify the settings:

        sudo ufw status verbose
        

      Start the WireGuard Service

      1. Start WireGuard:

        sudo wg-quick up wg0
        

        Note

        wg-quick is a convenient wrapper for many of the common functions in wg. You can turn off the wg0 interface with wg-quick down wg0.

      2. Enable the WireGuard service to automatically restart on boot:

        sudo systemctl enable wg-quick@wg0
        
      3. Check if the VPN tunnel is running with the following two commands:

        sudo wg show
        

        You should see similar output:

        user@debian:/# wg show
        interface: wg0
          public key: Nrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg=
          private key: (hidden)
          listening port: 51820

        You may need to install net-tools to run ifconfig. Use sudo apt-get install net-tools if needed.

        sudo ifconfig wg0
        

        Your output should resemble the following:

        user@debian:/# ifconfig wg0
        wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
                inet 192.168.2.1  netmask 255.255.255.0  destination 192.168.2.1
                inet6 fd86:ea04:1115::1  prefixlen 64  scopeid 0x0<global>
                unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1  (UNSPEC)
                RX packets 0  bytes 0 (0.0 B)
                RX errors 0  dropped 0  overruns 0  frame 0
                TX packets 0  bytes 0 (0.0 B)
                TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

      Configure WireGuard Client

      The process for setting up a client is similar to setting up the WireGuard server. When using Debian as your client’s operating system, the only difference between the client and the server is the configuration file. In this section, you will configure a WireGuard client on Debian 9.

      Note

      For installation instructions on other operating systems, see the WireGuard docs.

      1. Follow the steps in the Install WireGuard section of the guide.

      2. Once you have installed WireGuard, follow the steps in the Configure WireGuard Server section. Replace the example configuration file with the example file below.

        /etc/wireguard/wg0.conf

        [Interface]
        PrivateKey = <Client Private Key>
        Address = 192.168.2.2/24, fd86:ea04:1115::5/64

        The client’s wg0.conf differs from the server’s in that it contains the client’s own IP addresses and omits the ListenPort, PostUp, PostDown, and SaveConfig values.

      3. Set up Firewall rules on your WireGuard client.

      4. Start the WireGuard Service.

      Connect the Client and Server

      1. Stop the interface with sudo wg-quick down wg0 on both the client and the server.

      2. Edit the wg0.conf file on the client to add the server’s public key, public IP address, port, and allowed IPs.

        /etc/wireguard/wg0.conf

        [Peer]
        PublicKey = <Server Public key>
        Endpoint = <Server Public IP>:51820
        AllowedIPs = 192.168.2.2/24, fd86:ea04:1115::0/64

      3. Edit the wg0.conf file on the server to add the client’s public key and allowed IPs.

        /etc/wireguard/wg0.conf

        [Peer]
        PublicKey = <Client Public Key>
        AllowedIPs = 192.168.2.2/24, fd86:ea04:1115::0/64

      4. Restart the wg service on both the server and the client:

        sudo wg-quick up wg0
        
      5. You can also add peers to the server from the command line. This information will be added to the config file automatically because of the SaveConfig option specified in the wg0.conf file.

        Run the following command from the server. Replace the example IP addresses with those of the client:

        sudo wg set wg0 peer <Client Public Key> allowed-ips 203.0.123.12/24,fd86:ea04:1115::5/64
        
      6. Verify the connection. The following command can be run from both the client or the server:

        sudo wg
        

        Regardless of which method you choose to add peer information to WireGuard, the Peer section appears in the output of the sudo wg command if the setup was successful.

        user@debian:/# sudo wg
        interface: wg0
          public key: Nrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg=
          private key: (hidden)
          listening port: 51820

        peer: I8s7YGMuUbPvStb686JjxfUAa/tzqZhcLDgiqRKlbWs=
          endpoint: 173.255.226.233:59850
          allowed ips: 192.168.2.0/24, fd86:ea04:1115::/64

        This Peer section will be automatically added to wg0.conf when the service is restarted. If you would like to add this information immediately to the config file, you can run:

        sudo wg-quick save wg0
        

        Additional clients can be added using the same procedure.

      Test the Connection

      1. Return to the client and ping the server:

        ping 192.168.2.1
        

        Once you’ve successfully established the ability to ping the server from the client, run the following command:

        sudo wg
        

        The last two lines of the output from running the wg command should be similar to:

        latest handshake: 1 minute, 17 seconds ago
        transfer: 98.86 KiB received, 43.08 KiB sent

        This indicates that you now have a private connection between the server and client. If you did not successfully ping the server from the client you will not see these lines. You can also ping the client from the server to verify that the connection works both ways.

      Next steps

      The process used in this guide can be extended to configure network topologies. As mentioned previously, WireGuard is an evolving technology. If you use WireGuard, you should monitor the official documentation and todo list for critical updates and new/upcoming features.


      This guide is published under a CC BY-ND 4.0 license.




      Deploy WireGuard with One-Click Apps


      Updated by Linode. Contributed by Linode.

      WireGuard One-Click App

      WireGuard is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, and it has a much smaller source code footprint.

      Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server’s configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like eth0. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip.

      The WireGuard One-Click App will create a Linode instance and set up a WireGuard network device named wg0 on it. This device will have a simple configuration which can send and receive traffic to/from a single WireGuard peer (which will also be referred to as your WireGuard client).

      Note

      The peer configurations provided by the One-Click App and this guide will allow you to directly connect your WireGuard server and client. This configuration will not enable forwarding of all of your client’s traffic through the WireGuard server to the public Internet (though that arrangement is possible with WireGuard).

      Your WireGuard configuration can be adjusted after you first set up your One-Click App; review the WireGuard man page for more information about the options that are available.

      Deploy WireGuard with One-Click Apps

      One-Click Apps allow you to easily deploy software on a Linode using the Linode Cloud Manager. To access Linode’s One-Click Apps:

      1. Log in to your Linode Cloud Manager account.

      2. From the Linode dashboard, click on the Create button in the top left-hand side of the screen and select Linode from the dropdown menu.

      3. The Linode creation page will appear. Select the One-Click tab.

      4. Under the Select App section, select the app you would like to deploy:

        Select a One-Click App to deploy

      5. Once you have selected the app, proceed to the app’s Options section and provide values for the required fields.

      WireGuard Options

      The WireGuard One-Click form includes fields for your WireGuard client’s public key, and for your client’s endpoint IP (which is your client’s public IP address). If you have already set up your client and installed the WireGuard software on it prior to setting up your WireGuard One-Click App, then you may already have this information. If you do have the key and the endpoint IP for the client, you can enter them into the app’s creation form, and your server’s configuration will be pre-populated with those values.

      Note

      If you do not have the values for these fields, you can leave them empty. After the app is deployed, visit the Configure and Connect your WireGuard Client and Server section to set up your client and generate a key. The instructions in that section will also show you how to insert the key and the endpoint IP for your client into your server’s configuration.

      Field (form section): Description

      SSH Key (Advanced Configuration): Your SSH public key. The public key will be stored in the /root/.ssh/authorized_keys file on your Linode, and you will be able to use it to log in as root over SSH.

      Port (Advanced Configuration): Set your WireGuard server’s listening port number. The default is: 51820.

      Tunnel IP (Advanced Configuration): Your WireGuard server’s tunnel IP address and subnet in CIDR notation. The default is: 10.0.1.1/24. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.

      WireGuard Public Key (Client) (Advanced Configuration): Your WireGuard client’s public key.

      Tunnel IP (Client) (Advanced Configuration): Your WireGuard client’s tunnel IP address and subnet in CIDR notation. The default is: 10.0.1.2/24. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates.

      Endpoint IP (Client) (Advanced Configuration): The Internet address of your WireGuard client. If your WireGuard client is another Linode, then the Endpoint IP is the public IP of that Linode, which is visible in the Linode’s dashboard in the Linode Cloud Manager.

      Linode Options

      After providing the app-specific options, provide configurations for your Linode server:

      Configuration: Description

      Select an Image (Required): Debian 9 is currently the only image supported by the WireGuard One-Click App, and it is pre-selected on the Linode creation page.

      Region (Required): The region where you would like your Linode to reside. In general, it’s best to choose a location that’s closest to you. For more information on choosing a data center, review the How to Choose a Data Center guide. You can also generate MTR reports for a deeper look at the network routes between you and each of our data centers.

      Linode Plan (Required): Your Linode’s hardware resources. You can use any size Linode for your WireGuard App. The Linode plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN. You can create your VPN on a Nanode 1GB or a Linode 2GB with low risk for performance hits, unless you expect intensive data transfer to happen on your VPN.

      Linode Label (Required): The name for your Linode, which must be unique between all of the Linodes on your account. This name will be how you identify your server in the Cloud Manager’s Dashboard.

      Root Password (Required): The primary administrative password for your Linode instance. This password must be provided when you log in to your Linode via SSH. It must be at least 6 characters long and contain characters from two of the following categories: lowercase and uppercase letters, numbers, and punctuation characters. Your root password can be used to perform any action on your server, so make it long, complex, and unique.

      When you’ve provided all required Linode Options, click on the Create button. Your WireGuard app will complete installation between 2 and 5 minutes after your Linode has finished provisioning.

      Getting Started after Deployment

      Configure and Connect your WireGuard Client and Server

      After your One-Click App has provisioned your WireGuard server, you can proceed with setting up your WireGuard client and establishing a connection to the server.

      If you did not provide a public key for WireGuard when you first set up your One-Click App, you will need to follow the next set of steps. These instructions will set up your client and inform your server of your client’s public key. If you did provide a public key when deploying the One-Click App and have set up your client, skip to the second collection of steps in this section.

      1. Follow the WireGuard Client section of our WireGuard guide to generate a public/private keypair for your client, and to set up the WireGuard network interface configuration on your client.

      2. Connect to your One-Click App’s Linode via SSH.

      3. Bring down the wg0 interface on the server:

        wg-quick down wg0
        
      4. Open the /etc/wireguard/wg0.conf file in a text editor (nano, for example).

      5. You will see a line that reads PublicKey = under the [Peer] section. Append your client’s public key to this line.

      6. You will also see a line that reads Endpoint =. Append your client’s Internet address to this line and then save the file. If your WireGuard client is also a Linode, use that Linode’s public IP. If your client is on your home computer, visit a site like whatismyip.com to get your address.

      7. Bring the wg0 interface back up on the server:

        wg-quick up wg0
        

        Note

        wg-quick is a convenient wrapper for many of the common functions in wg. To learn more about all the available commands for each utility, issue the wg --help and wg-quick --help commands from your Linode’s command line.

      You should now have your server configuration completed. At this point, you still need to complete your client’s configuration; specifically, you need to add your server as a peer to the client:

      1. Connect to your One-Click App’s Linode via SSH.

      2. Just like your client, your server also has a public/private keypair of its own. The One-Click App script leaves a copy of these keys in the root user’s home folder:

        ls /root

        wg-private.key	wg-public.key
      3. Use the cat command to get the value of the server’s WireGuard public key:

        cat /root/wg-public.key
        
      4. You should see a random string similar to:

        FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=
      5. Copy the output of your server’s public key, then use it to complete steps 1 and 2 of the Connect the Client and Server section of our WireGuard guide. These steps will tell you to append a [Peer] section to your client’s existing WireGuard configuration and then how to enable the service on your client.

        Enter your server’s WireGuard tunnel IP (using the /24 CIDR notation) as the value for the AllowedIPs setting, and set the server’s public IP address and WireGuard port to be the Endpoint. Here’s an example template for a completed client configuration:

        [Interface]
        PrivateKey = <Your client WireGuard private key>
        Address = 10.0.1.2

        [Peer]
        PublicKey = <Your server WireGuard public key>
        AllowedIPs = 10.0.1.1
        Endpoint = <Your WireGuard server public IP>:51820

        After you complete steps 1 and 2 from that section, you will have established the server as the client’s peer.

      Test your WireGuard Client’s Connection

      This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client’s peer information:

      1. Access your WireGuard client and ping the WireGuard server. Replace 10.0.1.1 with the tunnel IP address you assigned to the WireGuard server in the One-Click App creation form:

        ping 10.0.1.1
        
      2. Use the WireGuard utility to verify your client’s latest handshake:

        wg show
        

        The last two lines of the output from running the wg command should be similar to:

        latest handshake: 1 minute, 17 seconds ago
        transfer: 98.86 KiB received, 43.08 KiB sent
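To turn that handshake check into something a monitor can run unattended, here is an added Python example (not part of either Linode guide) that parses the machine-readable output of wg show wg0 dump and classifies every peer by the age of its latest handshake; it serves both this section and the Test the Connection section of the Debian guide above. The sample dump, the fixed NOW timestamp and the 180-second staleness threshold are constructed for the example; the keys and endpoint are the example values printed in the two guides.

```python
import subprocess
import sys
import time

# Constructed sample in the tab-separated format of `wg show wg0 dump`: first line is
# the interface, then one line per peer. Peer 1 mirrors the guides' example output
# (handshake 1 minute, 17 seconds ago); peer 2 has never completed a handshake.
NOW = 1_700_000_000  # fixed "current time" so the sample is reproducible
SAMPLE_DUMP = (
    "<private-key>\tNrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg=\t51820\toff\n"
    "I8s7YGMuUbPvStb686JjxfUAa/tzqZhcLDgiqRKlbWs=\t(none)\t173.255.226.233:59850\t"
    f"192.168.2.0/24,fd86:ea04:1115::/64\t{NOW - 77}\t101233\t44114\toff\n"
    "FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=\t(none)\t(none)\t192.168.2.3/32\t0\t0\t0\toff\n"
)
PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "persistent_keepalive")


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` output into (interface_dict, [peer_dict, ...])."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = []
    for cols in rows[1:]:
        peer = dict(zip(PEER_FIELDS, cols))
        for key in ("latest_handshake", "rx_bytes", "tx_bytes"):
            peer[key] = int(peer[key])  # epoch seconds (0 = never) and byte counters
        peers.append(peer)
    return iface, peers


def format_age(seconds):
    """Render an age the way `wg show` does, e.g. 77 -> '1 minute, 17 seconds'."""
    parts = []
    for unit, size in (("hour", 3600), ("minute", 60), ("second", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count} {unit}{'s' if count != 1 else ''}")
    return ", ".join(parts) or "0 seconds"


def peer_health(peers, now, stale_after=180):
    """Map each peer's public key to 'up', 'stale' or 'never'.

    A live tunnel re-handshakes about every two minutes while traffic flows, so a
    handshake older than stale_after means nothing has crossed it recently. An idle
    peer also goes stale unless it sets PersistentKeepalive; for such peers treat
    'stale' as 'check', not 'down'.
    """
    status = {}
    for peer in peers:
        handshake = peer["latest_handshake"]
        state = "never" if handshake == 0 else "stale" if now - handshake > stale_after else "up"
        status[peer["public_key"]] = state
    return status


def main(iface_name):
    """Run the check against the live interface (needs root, like `wg show` itself)."""
    out = subprocess.run(["wg", "show", iface_name, "dump"],
                         capture_output=True, text=True, check=True).stdout
    _, peers = parse_wg_dump(out)
    now = int(time.time())
    status = peer_health(peers, now)
    for peer in peers:
        age = format_age(now - peer["latest_handshake"]) + " ago" if peer["latest_handshake"] else "never"
        print(f"{status[peer['public_key']]:5} {peer['public_key']} handshake {age}, rx {peer['rx_bytes']} B")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "wg0")
```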



      This guide is published under a CC BY-ND 4.0 license.


