Setting up WireGuard

install

ubuntu

apt install wireguard wireguard-tools nftables

slackware

only wireguard-tools is required, since Slackware -current already ships the wireguard kernel module (the wireguard-linux-compat SlackBuild is only needed on older kernels)

#sbopkg -i wireguard-linux-compat
sbopkg -i wireguard-tools

key generation

required on every peer (server and clients alike)

mkdir ~/wg/
chmod 700 ~/wg/
cd ~/wg/

echo $HOSTNAME
wg genkey > $HOSTNAME.key
wg pubkey < $HOSTNAME.key > $HOSTNAME.pub

chmod 400 *

server setup

cd /etc/wireguard

cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = false

[Peer]
PublicKey = CLIENT-PUBKEY
AllowedIPs = 10.8.0.2/32
EOF

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p

chmod -x /etc/nftables.conf
vi /etc/nftables.conf

table ip nat
flush table ip nat
table ip nat {
        # SNAT: tunnel clients leave the server with its internal address
        chain postrouting {
                type nat hook postrouting priority srcnat;
                # INTERNAL-NIC is the LAN-facing interface, INTERNAL-IP its address
                ip saddr 10.8.0.0/24 oif INTERNAL-NIC snat to INTERNAL-IP;
        }
}

client setup

cd /etc/wireguard

cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.0.2/24

[Peer]
PublicKey = SERVER-PUB-KEY-HERE
AllowedIPs = 10.8.0.0/24, ROUTED-INTERNAL-CIDR
Endpoint = SERVER-ADDRESS-HERE:51820

PersistentKeepalive = 15
EOF

ready to go

on any node

lsmod | grep wireguard

systemctl restart wg-quick@wg0.service
systemctl status wg-quick@wg0.service
systemctl enable wg-quick@wg0.service

systemctl restart wg-quick.target

wg show
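As an added example that is not part of these notes, a POSIX sh helper that turns `wg show wg0 dump` into a list of peers whose latest handshake is missing or older than a threshold, which is what you actually want to know from `wg show` once a few clients are enrolled. The dump lines, the placeholder keys and the 180-second threshold are constructed for the example (a peer that is really exchanging traffic re-handshakes every couple of minutes, and PersistentKeepalive = 15 keeps the client side active).

```shell
#!/bin/sh
# Added example: flag WireGuard peers with a missing or stale handshake.
# Input is the tab-separated output of `wg show <iface> dump`:
#   line 1 : private-key  public-key  listen-port  fwmark        (the interface)
#   others : public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a unix timestamp, 0 when no handshake ever completed.

# stale_peers MAX_AGE [NOW]  - reads a dump on stdin, prints "<pubkey>\t<age|never>"
stale_peers() {
    max_age=$1
    now=${2:-$(date +%s)}          # NOW is overridable so the check is reproducible
    awk -F'\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                              # skip the interface line
        NF < 8  { next }                              # not a peer row
        $5 == 0 { print $1 "\tnever"; next }          # never completed a handshake
        now - $5 > max { print $1 "\t" (now - $5) }  # handshake older than MAX_AGE
    '
}

# Constructed sample dump with placeholder keys (not real WireGuard output):
# peer A handshook 100 s before the check, peer B never did, peer C 600 s before.
wg_dump_sample() {
    printf 'SERVER_PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n'
    printf 'CLIENT_A_PUBKEY\t(none)\t203.0.113.10:41641\t10.8.0.2/32\t1700000500\t123456\t654321\t15\n'
    printf 'CLIENT_B_PUBKEY\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
    printf 'CLIENT_C_PUBKEY\t(none)\t198.51.100.7:51820\t10.8.0.4/32\t1700000000\t99\t99\t15\n'
}

# On a live node you would run:  wg show wg0 dump | stale_peers 180
# Here the sample is checked at the fixed instant 1700000600:
wg_dump_sample | stale_peers 180 1700000600
```

Run it from cron on the server and alert on any output; a "never" entry usually means the client's public key or endpoint in the config is wrong, a large age means the link dropped (NAT mapping expired, client offline).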

on server node only

systemctl restart nftables
systemctl status nftables
systemctl enable nftables

acceptance

from some client

ping the server's tunnel address first (this proves the handshake and the routes)

ping 10.8.0.1

then reach a host on the internal network behind the server, which exercises the SNAT rule

ping INTERNAL-IP

troubleshooting

on some client

nmap -sU -p 51820 SERVER-ADDRESS
netstat -rn --inet
tcpdump -ttttni eth0 udp port 51820

note that nmap reports the port as open|filtered either way: wireguard never answers packets it cannot authenticate, so a silent port is not proof that nothing listens there; tcpdump on both ends is the reliable way to see whether handshake packets arrive

resources

https://www.wireguard.com/install/

https://www.wireguard.com/quickstart/

https://www.wireguard.com/quickstart/#key-generation

https://slackbuilds.org/repository/14.2/network/wireguard-linux-compat/

https://slackbuilds.org/repository/14.2/network/wireguard-tools/

https://wiki.archlinux.org/title/WireGuard -> file-based configs

tutorials

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

ops

https://vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

troubles

https://www.reddit.com/r/WireGuard/comments/a0s6p2/troubleshooting_wireguard_any_logs_available/

https://www.procustodibus.com/blog/2021/03/wireguard-logs/

https://serverfault.com/questions/1020279/how-to-see-debug-logs-for-wireguard-e-g-to-see-authentication-attempts

https://stackoverflow.com/questions/61109400/wireguard-how-to-log-network-activity

https://lists.zx2c4.com/pipermail/wireguard/2019-March/004027.html

moar / dns

https://serverfault.com/questions/1058255/configure-dns-routing-in-wireguard

moar status

https://www.vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

https://www.procustodibus.com/blog/2021/01/how-to-monitor-wireguard-activity/

moar nftables (server side)

https://procustodibus.com/blog/2021/11/wireguard-nftables/

moar allowed ips

https://try.popho.be/wg.html

NAT and firewall traversal / persistence

https://www.stavros.io/posts/how-to-configure-wireguard/
Copyright © 2024 Pierre-Philipp Braun