VPN with WireGuard



Introduction

Wireguard® was developed as an easier-to-understand alternative to complex solutions such as IPsec or OpenVPN. It is developed as an open-source project, with a code base that is far smaller and very efficient. For its key exchange it uses public-key cryptography based on the elliptic curve Curve25519. Like the SSH remote terminal solution, Wireguard works with public and private keys. Wireguard was officially integrated into the Linux kernel source code in January 2020 and is directly available in newer kernel versions. Wireguard clients are available for all common desktop and mobile operating systems.

On a Linux system, Wireguard is integrated as a kernel module and then provides a network interface. Wireguard generally works as a layer 3 tunnel. It can carry IPv4 and IPv6 packets. As a transport medium, UDP over IPv4 or IPv6 is used.

The network interface is then given a private key and a public key, as well as the public key of each peer. Each interface receives an IPv4 and/or IPv6 address. Wireguard uses what is called cryptokey routing: every peer's public key is associated with a list of allowed IP addresses (AllowedIPs). Outgoing packets are encrypted to the peer whose allowed IPs contain the destination address, and an incoming packet is only accepted if it was authenticated with a peer's key and its source IP lies within that peer's allowed IPs.

Server Configuration on a Linux System

Here’s how to configure a hosting.fr Cloud server as a Debian Linux-based VPN gateway for Wireguard. Configuration on other Linux systems may be similar.

We use the wg-quick tool for a simple and quick tunnel configuration. Its configuration file uses an extended syntax compared to the plain Wireguard configuration: for example, IP addresses can be specified directly in it, so they do not need to be configured elsewhere in the operating system.

Installing Wireguard on Debian

Please run the following commands to install Wireguard on Debian:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

apt update

apt install wireguard

Server Configuration

Next, you need to generate the private key and public key for the server. This can be easily done with the following commands:

cd /etc/wireguard
umask 077
wg genkey | tee server-private.key | wg pubkey > server-public.key

Now, create the configuration file /etc/wireguard/wg0.conf for the new Wireguard network interface wg0 with the following content:

[Interface]
Address = 10.42.0.1/24, fd8f:d4dc:9de9::1/64
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

To start the tunnel, you can use the command:

systemctl start wg-quick@wg0


Internet Access for Clients via VPN Tunnel and NAT with the Server as a Gateway

The VPN tunnel can of course be used solely for communication between the client and the server, and between clients. Often, however, you will also want to route all of the clients' Internet traffic through the VPN. This is particularly useful for professional mobile devices that are frequently connected to untrusted Wi-Fi networks, for example in hotels or at customer sites. To do this, you configure Network Address Translation (NAT) on the server so that devices in the VPN can use the server's public IP addresses.

Now modify the /etc/sysctl.conf file and add the following lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

or, if these lines are already present but commented out, remove the leading # to enable the option. To make the configuration take effect, run the command:

sudo sysctl -p /etc/sysctl.conf

To configure a Network Address Translation (NAT), please proceed as follows. Starting with Debian Buster, nftables is used by default instead of iptables to configure the firewall. If nftables is not installed, you must first install it with:

sudo -s
apt install nftables
systemctl enable nftables.service

Then, please create the appropriate NAT rules by adding the following lines to the /etc/nftables.conf file:

table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 10.42.0.0/24 oif "ens3" snat to IPV4_IP_DES_SERVERS
        }
}

table ip6 nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip6 saddr fd8f:d4dc:9de9::/64  oif "ens3" snat to IPV6_IP_DES_SERVERS
        }
}

Replace IPV4_IP_DES_SERVERS with your server’s public IPv4 address and IPV6_IP_DES_SERVERS with the server’s public IPv6 address. The interface name ens3 may need to be adjusted to match the name of the interface on which the public IPs are configured. You can find out by using ifconfig. To activate the new rules, run the following commands:

sudo -s
systemctl enable nftables
nft -f /etc/nftables.conf

If the AllowedIPs parameter on the client is set to 0.0.0.0/0 and ::/0, wg-quick automatically installs routes for these networks, so the server becomes the client's default gateway. If you do not want the server to be used as the client's default gateway, you can specify smaller subnets here instead, for example 10.42.0.0/24 and fd8f:d4dc:9de9::0/64; routes are then created automatically only for those subnets.
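The following is an added example, not code from the original article or from the Wireguard project: a small Python model of the cryptokey routing described in the introduction and of the AllowedIPs behaviour explained above. The peer names and the 198.51.100.7 destination are constructed placeholders; the VPN addresses are the ones used in this guide.

```python
import ipaddress

# Constructed model of WireGuard cryptokey routing: each peer is identified by its
# public key and owns a list of AllowedIPs (the key strings are placeholders).
class Peer:
    def __init__(self, pubkey, allowed_ips):
        self.pubkey = pubkey
        self.allowed = [ipaddress.ip_network(a) for a in allowed_ips]

    def covers(self, addr):
        """Return the most specific AllowedIPs prefix containing addr, or None."""
        best = None
        for net in self.allowed:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return best

def select_peer(peers, dst_ip):
    """Outbound: the packet is encrypted to the peer whose AllowedIPs contain the
    destination; the longest matching prefix wins, no match means not tunnelled."""
    addr = ipaddress.ip_address(dst_ip)
    best_peer, best_net = None, None
    for peer in peers:
        net = peer.covers(addr)
        if net is not None and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_peer, best_net = peer, net
    return best_peer.pubkey if best_peer else None

def accept_inbound(peer, inner_src_ip):
    """Inbound: a packet that authenticates under a peer's key is delivered only if
    its inner source address lies within that peer's AllowedIPs; otherwise dropped."""
    return peer.covers(ipaddress.ip_address(inner_src_ip)) is not None

# Server view: two clients, each restricted to its own /32 and /128.
SERVER_PEERS = [
    Peer("CLIENT2_PUBLIC_KEY", ["10.42.0.2/32", "fd8f:d4dc:9de9::2/128"]),
    Peer("CLIENT3_PUBLIC_KEY", ["10.42.0.3/32", "fd8f:d4dc:9de9::3/128"]),
]
# Client view: the server as the only peer, either as full tunnel (default gateway) ...
FULL_TUNNEL = [Peer("SERVER_PUBLIC_KEY", ["0.0.0.0/0", "::/0"])]
# ... or limited to the VPN subnets (split tunnel).
SPLIT_TUNNEL = [Peer("SERVER_PUBLIC_KEY", ["10.42.0.0/24", "fd8f:d4dc:9de9::/64"])]

if __name__ == "__main__":
    print(select_peer(SERVER_PEERS, "10.42.0.3"))       # CLIENT3_PUBLIC_KEY
    print(accept_inbound(SERVER_PEERS[0], "10.42.0.3"))  # False: client 2 cannot spoof client 3
    print(select_peer(FULL_TUNNEL, "198.51.100.7"))      # SERVER_PUBLIC_KEY
    print(select_peer(SPLIT_TUNNEL, "198.51.100.7"))     # None: not sent through the tunnel
```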

Adding a Client to the Server

Appropriate IP addresses are selected for each client, for example:

  • 10.42.0.2/24
  • fd8f:d4dc:9de9::2/64

(Each IP can of course only be used once per client.)

On the server, the following lines must be added to the /etc/wireguard/wg0.conf file to allow client access:

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.42.0.2/32, fd8f:d4dc:9de9::2/128

Replace CLIENT_PUBLIC_KEY with the client’s public key.

Now, the modified configuration must be loaded on the server. This can be done with the following command:

wg addconf wg0 <(wg-quick strip wg0)
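As an added helper for the procedure above (not part of the original article), the following Python script reads an existing wg0.conf, checks that no tunnel address is assigned to more than one peer, picks the next free IPv4/IPv6 pair from the guide's subnets and prints the [Peer] block to append. The sample configuration and the key names are constructed placeholders.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick config text into a list of (section, {key: value}); [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def assigned_ips(sections):
    """Every tunnel address already in use: the Interface Address plus all peers' AllowedIPs."""
    used = []
    for name, kv in sections:
        field = "Address" if name == "Interface" else "AllowedIPs"
        for item in kv.get(field, "").split(","):
            if item.strip():
                used.append(ipaddress.ip_interface(item.strip()).ip)
    return used

def find_duplicates(sections):
    """Addresses that appear more than once (each IP may be used by a single client only)."""
    ips = assigned_ips(sections)
    return sorted(str(ip) for ip in set(ips) if ips.count(ip) > 1)

def next_free(network, used):
    """First host address in the network that neither the server nor a peer holds."""
    for host in ipaddress.ip_network(network).hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free address left in {network}")

def new_peer_block(conf_text, client_pubkey, v4="10.42.0.0/24", v6="fd8f:d4dc:9de9::/64"):
    """Return the [Peer] block to append to wg0.conf and the addresses for the new client."""
    sections = parse_wg_conf(conf_text)
    dups = find_duplicates(sections)
    if dups:
        raise ValueError(f"addresses assigned more than once: {dups}")
    used = assigned_ips(sections)
    a4, a6 = next_free(v4, used), next_free(v6, used)
    return f"[Peer]\nPublicKey = {client_pubkey}\nAllowedIPs = {a4}/32, {a6}/128\n", str(a4), str(a6)

# Constructed server config: the guide's wg0.conf with the first client already added.
SERVER_CONF = """[Interface]
Address = 10.42.0.1/24, fd8f:d4dc:9de9::1/64
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.42.0.2/32, fd8f:d4dc:9de9::2/128
"""

if __name__ == "__main__":
    print(new_peer_block(SERVER_CONF, "NEW_CLIENT_PUBLIC_KEY")[0])  # AllowedIPs = 10.42.0.3/32, fd8f:d4dc:9de9::3/128
```

The new client's Address line then uses the returned pair with the subnet prefixes (here /24 and /64), while the server side keeps the /32 and /128 host routes.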

Client Configuration

Key Generation

Keys for the Wireguard client can be generated with the following commands:

umask 077
wg genkey | tee client-private.key | wg pubkey > client-public.key

This can be done either on the server or on the client. The client’s private key is only needed on the client. It is therefore generally safer to generate it directly on the client. Once the keys have been generated and entered into the Wireguard configuration file, the file containing the private key can be deleted.

Linux

Here is the configuration of a Linux client on Debian. Please install Wireguard as described in the server installation. Generate the keys on the client with the commands as described above. Become root by running sudo -s and entering your password.

Please create the configuration file /etc/wireguard/wg0.conf for the client:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.42.0.2/24, fd8f:d4dc:9de9::2/64
ListenPort = 51820
DNS = 208.67.222.222,208.67.220.220

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = demoserver.mustermann-domain.fr:51820
PersistentKeepalive = 25

Replace SERVER_PUBLIC_KEY with the server’s public key, which was generated, and CLIENT_PRIVATE_KEY with the private key, which was generated on the client. Replace demoserver.mustermann-domain.fr with the server’s hostname.

The tunnel on the client can now be started using systemd:

systemctl start wg-quick@wg0

To start the client at system startup, you can run the following command:

systemctl enable wg-quick@wg0 

Android and iOS

The configuration file for Android and iOS can look like this:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.42.0.3/24, fd8f:d4dc:9de9::3/64
ListenPort = 51820
DNS = 208.67.222.222,208.67.220.220

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = demoserver.mustermann-domain.fr:51820
PersistentKeepalive = 25

The configuration for the Android and iOS client is identical to that of the Linux desktop client. Please insert your generated keys and the appropriate IP addresses. Save the file for example under the name “wg0.conf”. If you want to import the file into the Android client, the configuration file name must comply with the Linux kernel network interface naming rules. This means the file name must end with “.conf” and can only contain up to 16 characters before the dot, without “/” and without spaces.

For easy transfer to a smartphone or tablet, you can create a QR code from the configuration file. On Linux, this can be done after installing the qrencode tool, for example on Debian with:

sudo apt install qrencode

by running the following command:

qrencode -t ansiutf8 < wg0.conf

Android

Please install the Wireguard app from the Play Store. Then scan the QR code with the app or import the configuration file by choosing one of the following options:

Wireguard Configuration on Android

After importing the configuration via the QR code or as a file, the new interface appears and can be activated via the slider:

Wireguard Configuration on Android

By clicking on the interface, you get detailed information about the connection:

Wireguard Configuration on Android

iOS

Please install the app from the App Store. Then scan the QR code with the app or import the configuration file. Click on “Add a tunnel” or on the “+” and select the “Create from QR code” option:

Wireguard Configuration on iOS

You can then assign a name to the tunnel. After import, you can activate the tunnel via a slider. If you then click on the tunnel, you can also get additional information about it:

Wireguard Configuration on iOS
