This post covers how to configure the WireGuard VPN server. All of your clients/devices will connect to this machine first, then route out to the Internet.

After some research I decided to use WireGuard, since it is free and open-source software. OK, to be honest, my main reason could be this: Linus Torvalds merged WireGuard into the Linux kernel.

0. Entrée

WireGuard is a modern VPN (Virtual Private Network) technology with state-of-the-art cryptography.

It is cross-platform and can run almost anywhere, including Linux, Windows, Android, macOS and iOS.

It is a peer-to-peer VPN; it does not use a client-server model. The "server" in this post is simply the peer with a fixed, publicly reachable endpoint that the other peers connect to.

It works by creating a network interface on each peer that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, much like the SSH model. Each public key is mapped to a list of IP addresses (AllowedIPs) that are allowed inside the tunnel for that peer: packets for those destinations are sent to that peer, and packets arriving from that peer with any other source address are dropped. The VPN traffic is encapsulated in UDP.

It is fast, easy to configure (especially compared to some of the alternatives), and lightweight.

For more detail, see the official website: WireGuard

1. Install

First update the package index, then install WireGuard:

$ sudo apt update
$ sudo apt install wireguard

Info

You may see advice around the web to install WireGuard from a PPA, like:

$ sudo add-apt-repository ppa:wireguard/wireguard

This is outdated; as stated at https://launchpad.net/%7Ewireguard:

This formerly was responsible for producing a PPA for WireGuard on Ubuntu. That functionality has now been folded into Ubuntu itself, so our old PPA has been removed. Simply run apt install wireguard on all Ubuntus ≥ 16.04

2. Configure

2.0. Keys

WireGuard ships with two command-line tools, wg and wg-quick, that let you configure and manage WireGuard interfaces.

Run the following to generate the server's private and public keys:

$ sudo mkdir -p /etc/wireguard/server
$ wg genkey | sudo tee /etc/wireguard/server/server.key | wg pubkey | sudo tee /etc/wireguard/server/server.key.pub

This places the keys in the /etc/wireguard/server directory we just created. As usual, DO NOT share your private key with anyone else: whoever holds it can impersonate your server to every client. One caveat: tee creates the file with the process's umask, which is normally 022, so server.key starts out readable by every local user; the chmod in section 2.2 fixes that, so do it before the key is used for anything.

You can view these files with cat:

$ cat /etc/wireguard/server/server.key
$ cat /etc/wireguard/server/server.key.pub

2.1. conf File

Create the configuration file,

$ sudoedit /etc/wireguard/wg0.conf

and add following settings:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true

  • Replace SERVER_PRIVATE_KEY with the private key from /etc/wireguard/server/server.key. This is why wg0.conf is exactly as sensitive as the key file itself.

  • Replace both occurrences of eth0 with the name of your public network interface. You can find it with:

    $ ip -o -4 route show to default | awk '{print $5}'

  • %i is expanded by wg-quick to the interface name (wg0). The FORWARD rule accepts packets arriving from the tunnel for forwarding; the MASQUERADE rule rewrites their source address to the server's public address on eth0, so replies come back to the server, which sends them back through the tunnel.

  • SaveConfig = true makes wg-quick write the running configuration back to wg0.conf when the interface goes down. Any edit you make to the file while wg0 is up is lost at that point, so take the interface down before editing, or remove this line if you prefer the file to be the single source of truth.
    

2.2. chmod

The wg0.conf file (it contains the private key) and server.key must not be readable by normal users. Use chmod to set their permissions to 600:

$ sudo chmod 600 /etc/wireguard/wg0.conf
$ sudo chmod 600 /etc/wireguard/server/server.key
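The following script is added here as an example and is not part of the original post. It does steps 2.0 to 2.2 in one go the way I would on a real server: the key pair is generated under umask 077 so server.key is never world-readable even briefly, wg0.conf is written with mode 600 from the first write, and a small audit reports anything left too open. It also appends [Peer] entries, which demonstrates the cryptokey-routing point from section 0: AllowedIPs is both the route to a peer and the access list for what that peer may send. The function names, the WG_PROVISION switch and any placeholder keys are my own, not WireGuard's; WG_DIR defaults to /etc/wireguard but can be pointed at a scratch directory for a dry run, and only gen_server_keys actually needs the wg tool.

```shell
#!/bin/sh
# Added example (not from the original post): provision the server side of the
# tutorial with restrictive permissions from the first write, then audit it.
# Assumptions: function names and the WG_PROVISION switch are illustrative;
# WG_DIR defaults to /etc/wireguard but can point at a scratch directory for a
# dry run. Only gen_server_keys needs the wg tool.
set -u

WG_DIR="${WG_DIR:-/etc/wireguard}"

# server.key and server.key.pub, created under umask 077. Piping `wg genkey`
# into tee with the usual umask of 022 leaves the key 0644 until a later chmod.
gen_server_keys() {
  local dir="$1/server"
  mkdir -p "$dir" && chmod 700 "$dir"
  ( umask 077
    wg genkey > "$dir/server.key" &&
    wg pubkey < "$dir/server.key" > "$dir/server.key.pub" )
}

# The [Interface] section. Args: output path, private key, public interface.
# SaveConfig is left out on purpose: with SaveConfig = true, wg-quick rewrites
# the file on `wg-quick down` and discards edits made while wg0 was up.
write_server_conf() {
  local out="$1" privkey="$2" wan="$3"
  ( umask 077
    cat > "$out" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $privkey
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE
EOF
  )
}

# Append a [Peer]. AllowedIPs is WireGuard's cryptokey routing table: packets
# for these destinations go to this peer, and packets that arrive from this
# peer with any other source address are dropped. A client therefore gets a
# single /32, never the whole 10.0.0.0/24, or it could spoof other clients.
add_peer() {
  local out="$1" pubkey="$2" ip="$3"
  case "$ip" in
    */32) ;;
    *) echo "add_peer: a client needs a /32, got $ip" >&2; return 1 ;;
  esac
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$ip" >> "$out"
}

# 0 if the file exists and group/other have no permission bits at all.
secret_perms_ok() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
  case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Report every secret-bearing file under a WireGuard directory that is too open.
audit_wg_dir() {
  local rc=0 f
  for f in "$1/wg0.conf" "$1/server/server.key"; do
    secret_perms_ok "$f" || { echo "INSECURE or missing: $f" >&2; rc=1; }
  done
  return $rc
}

# Real run (needs root and wg):  sudo WG_PROVISION=1 sh provision.sh
# Dry run (needs wg only):       WG_DIR=/tmp/wgtest WG_PROVISION=1 sh provision.sh
# Later, per client:             add_peer "$WG_DIR/wg0.conf" "<client public key>" 10.0.0.2/32
if [ "${WG_PROVISION:-0}" = "1" ]; then
  gen_server_keys "$WG_DIR"
  wan=$(ip -o -4 route show to default | awk '{print $5}')
  write_server_conf "$WG_DIR/wg0.conf" "$(cat "$WG_DIR/server/server.key")" "$wan"
  audit_wg_dir "$WG_DIR"
fi
```

Try it against a scratch directory first and inspect the files it writes; on the real server it needs root. The permission check looks only at the group and other bits, so it accepts 600, 400 or 700 and rejects anything like 640 or 644.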

3. Start WireGuard

3.0. wg up

Once everything above is done, bring the wg0 interface up using the settings in the configuration file:

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

3.1. Start at Boot

You probably want WireGuard to come up after every reboot. To achieve that, run:

$ sudo systemctl enable wg-quick@wg0

4. Firewall and Networking

4.0. IP Forwarding

Traffic forwarding must be enabled for the VPN to work: the server receives packets from the tunnel and has to route them out of its public interface. Once forwarding is on, the kernel will route between any of its interfaces, so the firewall's FORWARD chain (ufw sets its default policy to DROP) is what limits forwarding to what the PostUp rule allows.

Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1:

$ sudoedit /etc/sysctl.conf
##############################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1

Save the file and apply the change:

$ sudo sysctl -p

4.1. Open WireGuard Server Port

Open the ListenPort we defined in our /etc/wireguard/wg0.conf file:

$ sudo ufw allow 51820/udp

Now enable the firewall. ufw denies incoming connections by default, so if you administer this server over SSH, allow the SSH port first or you will lock yourself out of new SSH connections:

$ sudo ufw enable

You can verify everything by checking the status:

$ sudo ufw status verbose
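To confirm that the forwarding and firewall state from sections 3 and 4 is really in effect (rather than just configured), here is a check script added as an example; it is not from the original post. Each check_* function reads one command's output from standard input, so the same logic runs on live output (sudo sh wg-check.sh live) or on captured text. The SAMPLE_* strings are constructed to look like the output of a correctly set-up server and are not real captures; the function names and the WG_IF, WAN_IF and WG_PORT variables are my own, while the interface and port values are the tutorial's.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the forwarding and
# firewall state from sections 3 and 4 is really in effect. Each check_*
# function reads one command's output from stdin, so it works on live output
# (`live`) and on captured text. Function names and the WG_IF/WAN_IF/WG_PORT
# variables are illustrative; the SAMPLE_* strings are constructed, not real.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
WG_PORT="${WG_PORT:-51820}"

# stdin: sysctl net.ipv4.ip_forward
check_ip_forward()     { grep -qx 'net.ipv4.ip_forward = 1'; }
# stdin: iptables -S FORWARD. A DROP policy is what stops a forwarding host
# from routing anything beyond what the PostUp rule allows.
check_forward_policy() { grep -qx -- '-P FORWARD DROP'; }
# stdin: iptables -S FORWARD. The rule wg-quick adds from PostUp.
check_forward_rule()   { grep -qx -- "-A FORWARD -i $1 -j ACCEPT"; }
# stdin: iptables -t nat -S POSTROUTING. Source NAT towards the public side.
check_masquerade()     { grep -qx -- "-A POSTROUTING -o $1 -j MASQUERADE"; }
# stdin: ufw status verbose. The listen port must be allowed in (v4 or v6 line).
check_ufw_port()       { grep -Eq "^$1/udp +ALLOW"; }

# Feed captured text to a check and print one result line; returns its status.
verify() {
  local label="$1" text="$2"
  shift 2
  if printf '%s\n' "$text" | "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

# Args: output of sysctl, iptables -S FORWARD, iptables -t nat -S POSTROUTING,
# ufw status verbose. Returns 0 only when every check passes.
run_checks() {
  local rc=0
  verify "net.ipv4.ip_forward = 1"     "$1" check_ip_forward            || rc=1
  verify "FORWARD policy is DROP"      "$2" check_forward_policy        || rc=1
  verify "FORWARD accepts from $WG_IF" "$2" check_forward_rule "$WG_IF" || rc=1
  verify "MASQUERADE out of $WAN_IF"   "$3" check_masquerade "$WAN_IF"  || rc=1
  verify "ufw allows $WG_PORT/udp in"  "$4" check_ufw_port "$WG_PORT"   || rc=1
  return $rc
}

# Live mode: run the real commands (needs root for iptables and ufw).
live_checks() {
  run_checks "$(sysctl net.ipv4.ip_forward)" "$(iptables -S FORWARD)" \
             "$(iptables -t nat -S POSTROUTING)" "$(ufw status verbose)"
}

# Constructed sample output of a correctly configured server (not a capture).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-user-forward
-A FORWARD -i wg0 -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW IN    Anywhere
51820/udp (v6)             ALLOW IN    Anywhere (v6)'

# `sudo sh wg-check.sh live` on the server; anything else runs the dry run.
case "${1:-demo}" in
  live) live_checks ;;
  *)    run_checks "$SAMPLE_SYSCTL" "$SAMPLE_FORWARD" "$SAMPLE_NAT" "$SAMPLE_UFW" ;;
esac
```

The checks are deliberately exact-line matches on the `-S` (rule-spec) output of iptables rather than on the human-readable `-L` listing, so a rule that is present but on the wrong interface, or a FORWARD policy that was left at ACCEPT, shows up as a FAIL instead of being glossed over.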

That’s it. Your WireGuard server is ready! Clients still need to be added as [Peer] entries in wg0.conf, which the client posts listed below will cover.


TODO:

  • Add client posts:
    • Add Ubuntu Desktop Client
    • Add Android Client
  • Add IPv6 conf as well