Setting up WireGuard

install

ubuntu

apt install wireguard wireguard-tools nftables

slackware

only wireguard-tools is required, since the -current kernel already ships the wireguard module (wireguard-linux-compat is only for older kernels)

#sbopkg -i wireguard-linux-compat
sbopkg -i wireguard-tools

key generation

required on every peer (each peer gets its own key pair; the private key never leaves the host)

mkdir ~/wg/
chmod 700 ~/wg/
cd ~/wg/
wg genkey > $HOSTNAME.key
wg pubkey < $HOSTNAME.key > $HOSTNAME.pub
chmod 400 *

server setup

echo $HOSTNAME

cd /etc/wireguard
cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = false

[Peer]
PublicKey = CLIENT-PUBKEY
AllowedIPs = 10.8.0.2/32
EOF

cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p

chmod -x /etc/nftables.conf
vi /etc/nftables.conf

table ip nat
flush table ip nat
table ip nat {
        # SNAT
        chain postrouting {
                type nat hook postrouting priority srcnat;
                ip saddr 10.8.0.0/24 oif INTERNAL-NIC snat to INTERNAL-IP;
        }
}
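added example, not the guide's own ruleset: the same SNAT table rendered from the three placeholders (INTERNAL-NIC, INTERNAL-IP and the client's ROUTED-INTERNAL-CIDR) as shell variables, plus a forward chain that confines tunnel clients to the routed internal range. the table above only rewrites source addresses; with ip_forward on, nothing stops a client from reaching any network the server can route to. the added chain keeps policy accept and only matches traffic arriving on wg0, so other forwarded traffic on the host is untouched. nft -c dry-runs the result when nftables is installed (it may need root); the interface and address values in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: render an nftables ruleset
# that does the guide's SNAT and additionally restricts what wg0 clients may
# reach. INTERNAL_NIC / INTERNAL_IP / ROUTED_CIDR stand for the guide's
# placeholders. POSIX sh.

# render_ruleset INTERNAL_NIC INTERNAL_IP ROUTED_CIDR -> ruleset on stdout
render_ruleset() {
    nic=$1 ip=$2 cidr=$3
    cat <<EOF
#!/usr/sbin/nft -f

# SNAT, as in the guide: tunnel clients appear as the server's internal address.
table ip nat
flush table ip nat
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.8.0.0/24 oifname "$nic" snat to $ip
        }
}

# Added: tunnel clients may only open connections into the routed range via
# the internal NIC; anything else arriving from wg0 is counted, logged, dropped.
# policy accept keeps traffic that does not come from wg0 unaffected.
table ip wg_filter
flush table ip wg_filter
table ip wg_filter {
        chain forward {
                type filter hook forward priority filter; policy accept;
                iifname "wg0" ct state established,related accept
                iifname "wg0" ip saddr 10.8.0.0/24 ip daddr $cidr oifname "$nic" ct state new accept
                iifname "wg0" counter log prefix "wg0-fwd-drop " drop
        }
}
EOF
}

# check_ruleset INTERNAL_NIC INTERNAL_IP ROUTED_CIDR: syntax-check with nft -c
# (no changes applied) when nft is available, otherwise just render it.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_ruleset "$@" | nft -c -f -
    else
        echo "nft not installed here, ruleset rendered but not checked" >&2
        render_ruleset "$@" >/dev/null
    fi
}

# Usage (constructed values): render_ruleset eth1 192.0.2.10 192.0.2.0/24 > /etc/nftables.conf
if [ "${1:-}" = "--demo" ]; then
    check_ruleset eth1 192.0.2.10 192.0.2.0/24 && render_ruleset eth1 192.0.2.10 192.0.2.0/24
fi
```

the forward chain is the part to adapt: clients that must also reach the server itself, or each other over 10.8.0.0/24, need no forward rule (that is input/output traffic on wg0), but a second internal range needs its own accept line before the drop.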

client setup

echo $HOSTNAME

cd /etc/wireguard
cat > wg0.conf <<EOF
[Interface]
PrivateKey = `cat $HOME/wg/$HOSTNAME.key`
Address = 10.8.0.2/24

[Peer]
PublicKey = SERVER-PUB-KEY-HERE
AllowedIPs = 10.8.0.0/24, ROUTED-INTERNAL-CIDR
Endpoint = SERVER-ADDRESS-HERE:51820
EOF
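added example, not from this guide: a small linter for the wg0.conf files written above (server and client alike), to run before wg-quick brings the interface up. it flags placeholders left in place (this guide marks them as hyphenated upper-case words such as CLIENT-PUBKEY or SERVER-ADDRESS-HERE), keys that are not 32 base64-encoded bytes, a [Peer] lacking PublicKey or AllowedIPs, an AllowedIPs entry repeated on two peers (the kernel keeps only the last assignment, so the first peer silently loses the route), and a config file readable by other users. assumes GNU stat(1); the sample configs it writes are constructed, the keys in them are obviously fake.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint a wg0.conf before
# "systemctl restart wg-quick@wg0". POSIX sh + awk; GNU stat(1) for the mode.

# check_wg_conf FILE: print one finding per line, return 1 if any.
check_wg_conf() {
    conf=$1
    rc=0

    # The [Interface] PrivateKey lives in this file: nobody but root may read it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || echo unknown)
    case $mode in
        600|400) ;;
        *) echo "$conf: mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    findings=$(awk '
        # 32 random bytes base64-encode to 43 characters plus one "=".
        function is_key(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
        # This guide writes placeholders as two or more upper-case words joined by "-".
        function is_placeholder(v) { return v ~ /(^|[^A-Za-z0-9])[A-Z][A-Z0-9]*(-[A-Z][A-Z0-9]*)+([^A-Za-z0-9]|$)/ }
        function finish_peer() {
            if (!in_peer) return
            if (!has_pub)     print FILENAME ": [Peer] at line " peer_line " has no PublicKey"
            if (!has_allowed) print FILENAME ": [Peer] at line " peer_line " has no AllowedIPs"
        }
        /^[[:space:]]*\[Interface\]/ { finish_peer(); in_peer = 0; next }
        /^[[:space:]]*\[Peer\]/      { finish_peer(); in_peer = 1; has_pub = has_allowed = 0; peer_line = NR; next }
        /^[[:space:]]*(#|$)/         { next }
        index($0, "=") == 0          { print FILENAME ": line " NR ": not a key = value line"; next }
        {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1);   gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (is_placeholder(val))
                print FILENAME ": line " NR ": " key " still holds placeholder " val
            else if ((key == "PrivateKey" || key == "PublicKey" || key == "PresharedKey") && !is_key(val))
                print FILENAME ": line " NR ": " key " is not a base64 WireGuard key"
            if (in_peer && key == "PublicKey") has_pub = 1
            if (in_peer && key == "AllowedIPs") {
                has_allowed = 1
                n = split(val, ips, /[[:space:]]*,[[:space:]]*/)
                for (i = 1; i <= n; i++) {
                    if (ips[i] in seen)
                        print FILENAME ": line " NR ": " ips[i] " is already AllowedIPs of the peer at line " seen[ips[i]]
                    else
                        seen[ips[i]] = peer_line
                }
            }
        }
        END { finish_peer() }
    ' "$conf")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        rc=1
    fi
    return $rc
}

# fake_key LETTER: constructed 44-character key for the demo (43 letters + "="), not a real key.
fake_key() { printf '%043d=' 0 | tr 0 "$1"; }

# write_sample_confs DIR: constructed good and bad configs shaped like the server template above.
write_sample_confs() {
    dir=$1
    cat > "$dir/good.conf" <<EOF
[Interface]
PrivateKey = $(fake_key A)
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
PublicKey = $(fake_key B)
AllowedIPs = 10.8.0.2/32
EOF
    cat > "$dir/bad.conf" <<EOF
[Interface]
PrivateKey = $(fake_key A)
Address = 10.8.0.1/24

[Peer]
PublicKey = CLIENT-PUBKEY
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = $(fake_key C)
AllowedIPs = 10.8.0.2/32, 10.8.0.3/32
EOF
    chmod 600 "$dir/good.conf"
    chmod 644 "$dir/bad.conf"
}

# Usage: sh check-wg.sh /etc/wireguard/wg0.conf   (or --demo for the constructed samples)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_confs "$d"
    check_wg_conf "$d/good.conf" && echo "good.conf: ok"
    check_wg_conf "$d/bad.conf"  || echo "bad.conf: rejected"
    rm -r "$d"
elif [ $# -gt 0 ]; then
    for f in "$@"; do check_wg_conf "$f"; done
fi
```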

ready to go

on both peers

lsmod | grep wireguard

systemctl enable wg-quick@wg0.service
systemctl status wg-quick@wg0.service
systemctl restart wg-quick@wg0.service

systemctl enable nftables
systemctl status nftables
systemctl restart nftables

acceptance

on some peer

ping 10.8.0.1

troubleshooting

on some peer

nmap -sU -p 51820 SERVER-ADDRESS
netstat -rn --inet
tcpdump -ttttni xenbr0 udp port 51820    # xenbr0 being the NIC that faces the other peer
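added example, not from this guide: a link-status check for the ops side, built on wg show wg0 dump. per wg(8) the first dump line is the interface (private-key, public-key, listen-port, fwmark) and every following line is one peer, tab-separated: public-key, preshared-key, endpoint, allowed-ips, latest-handshake as epoch seconds (0 = never), transfer-rx, transfer-tx, persistent-keepalive. handshakes renew roughly every two minutes while traffic flows, so a peer with none in the last few minutes is either down or its packets are not arriving, which is when the nmap/tcpdump checks above come in. the sample dump is constructed (fake keys, documentation addresses). the first dump line carries the interface private key, so pipe the live output straight into these filters rather than into a log file.

```shell
#!/bin/sh
# Added example, not part of the original guide: handshake-age checks over
# "wg show wg0 dump" output. POSIX sh + awk; sample_dump below is constructed.

# stale_peers MAX_AGE NOW < dump
# Print "public-key age endpoint" for every peer whose latest handshake is
# older than MAX_AGE seconds, or that never completed one.
stale_peers() {
    awk -F '\t' -v max="$1" -v now="$2" '
        NR == 1 { next }                          # interface line, not a peer
        $5 == 0 { print $1, "never", $3; next }   # no handshake ever
        {
            age = now - $5
            if (age > max) print $1, age "s", $3
        }
    '
}

# peer_ages NOW < dump: one status line per peer, for a quick "watch" view.
peer_ages() {
    awk -F '\t' -v now="$1" '
        NR > 1 { print $1, ($5 == 0 ? "never" : (now - $5) "s"), $3, "rx=" $6, "tx=" $7 }
    '
}

# count_peers < dump: number of configured peers, handshaken or not.
count_peers() { awk 'END { print NR - 1 }'; }

# sample_dump: constructed "wg show wg0 dump" output; "now" for the demo is 1700000000.
# peer A handshook 50 s ago, peer B never, peer C an hour ago.
sample_dump() {
    printf 'PRIVATE-KEY-redacted\tSERVER-PUBKEY-fake\t51820\toff\n'
    printf 'PEER-A-PUBKEY-fake\t(none)\t198.51.100.7:41641\t10.8.0.2/32\t1699999950\t48210\t91733\toff\n'
    printf 'PEER-B-PUBKEY-fake\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
    printf 'PEER-C-PUBKEY-fake\t(none)\t203.0.113.9:51820\t10.8.0.4/32\t1699996400\t2048\t4096\t25\n'
}

# Usage on a live server (as root):
#   wg show wg0 dump | stale_peers 180 "$(date +%s)"
#   wg show wg0 dump | peer_ages "$(date +%s)"
if [ "${1:-}" = "--demo" ]; then
    echo "peers: $(sample_dump | count_peers)"
    echo "all peers at t=1700000000:";  sample_dump | peer_ages 1700000000
    echo "stale (>180s):";              sample_dump | stale_peers 180 1700000000
fi
```

a non-zero exit from a cron wrapper around stale_peers is the alert; the 180 s threshold leaves one missed rekey interval of slack before a peer is reported.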

resources

https://www.wireguard.com/install/

https://www.wireguard.com/quickstart/

https://www.wireguard.com/quickstart/#key-generation

https://slackbuilds.org/repository/14.2/network/wireguard-linux-compat/

https://slackbuilds.org/repository/14.2/network/wireguard-tools/

https://wiki.archlinux.org/title/WireGuard -> file-based configs

tutorials

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

ops

https://vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

troubles

https://www.reddit.com/r/WireGuard/comments/a0s6p2/troubleshooting_wireguard_any_logs_available/

https://www.procustodibus.com/blog/2021/03/wireguard-logs/

https://serverfault.com/questions/1020279/how-to-see-debug-logs-for-wireguard-e-g-to-see-authentication-attempts

https://stackoverflow.com/questions/61109400/wireguard-how-to-log-network-activity

https://lists.zx2c4.com/pipermail/wireguard/2019-March/004027.html

moar / dns

https://serverfault.com/questions/1058255/configure-dns-routing-in-wireguard

moar status

https://www.vmwaremine.com/2020/10/01/how-to-check-vpn-link-status-on-wireguard/

https://www.procustodibus.com/blog/2021/01/how-to-monitor-wireguard-activity/

moar nftables (server side)

https://procustodibus.com/blog/2021/11/wireguard-nftables/

moar allowed ips

https://try.popho.be/wg.html

NAT and firewall traversal persistence

https://www.stavros.io/posts/how-to-configure-wireguard/

https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
Copyright © 2024 Pierre-Philipp Braun