@RickyCook
Last active November 2, 2023 20:28
Quick bastion Wireguard VPN

Quick and dirty Wireguard bastion VPN

Enable IPv4 forwarding

At runtime: sysctl -w net.ipv4.ip_forward=1 or echo 1 > /proc/sys/net/ipv4/ip_forward

To persist across reboots, in /etc/sysctl.conf: net.ipv4.ip_forward = 1

Check IPv4 forwarding

sysctl net.ipv4.ip_forward or cat /proc/sys/net/ipv4/ip_forward

Install/enable Wireguard (Ubuntu 20.04)

sudo -i
apt update
apt install wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
<...setup wg0.conf>
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Troubleshooting

Check UDP traffic

Needs socat: apt install socat

On the server: socat UDP-LISTEN:51820 STDOUT

On the client: socat STDIN UDP:<...server>:51820

... then type something and hit enter; it should show up in the server terminal.

Sometimes UDP is blocked by NACLs while TCP isn't. The same check works with TCP substituted for UDP in both socat commands, which tells you whether it is UDP specifically that is being dropped (but of course you'll still need UDP working for WireGuard).

Client config (the key is auto-generated by the client, e.g. the WireGuard app on a Mac):

[Interface]
PrivateKey = <...private key; auto-generated on mac>
Address = 172.16.0.2/32
[Peer]
PublicKey = <...generated key /etc/wireguard/publickey on server>
AllowedIPs = 172.16.0.0/12, <...internal networks, 10.0.0.0/8, 0.0.0.0/0, etc>
Endpoint = <...server IP/host>:51820

Server config (/etc/wireguard/wg0.conf). The peer's AllowedIPs is a /32 host route: a wider prefix such as /12 would hand the whole 172.16.0.0/12 range to this one peer and accept packets from it with any source address in that range.

[Interface]
Address = 172.16.0.1/32
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <...generated key /etc/wireguard/privatekey>
[Peer]
PublicKey = <...public key from the client>
AllowedIPs = 172.16.0.2/32
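Added example, not part of the gist: a small pre-flight script that checks the three things this setup most often gets wrong before wg-quick@wg0 is started, namely a server-side peer AllowedIPs that is not a /32 (or /128) host route, a private key file that is not owner-only despite the umask 077 step, and IPv4 forwarding left off. The function names and the sample config are constructed for this example; the permission check assumes GNU stat (Linux) with a BSD stat fallback.

```shell
#!/bin/sh
# Pre-flight checks for a bastion wg0.conf (example code, not from the gist).
# check_peer_allowed_ips: every [Peer] AllowedIPs on the server must be a host
# route (/32 or /128). A wider prefix such as 172.16.0.2/12 hands the whole
# 172.16.0.0/12 range to one peer and accepts packets with any source in it.
check_peer_allowed_ips() {
  conf="$1"; bad=0; section=""
  while IFS= read -r line; do
    line="${line%%#*}"                       # strip comments
    case "$line" in
      *"[Peer]"*) section=peer; continue ;;
      *"["*"]"*)  section=other; continue ;;
    esac
    [ "$section" = peer ] || continue
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    [ "$key" = AllowedIPs ] || continue
    for entry in $(printf '%s' "${line#*=}" | tr ',' ' '); do
      case "$entry" in
        */32|*/128) ;;
        *) printf 'peer AllowedIPs is not a host route: %s\n' "$entry"; bad=1 ;;
      esac
    done
  done <<EOF
$conf
EOF
  return "$bad"
}
# check_key_perms: the private key written under umask 077 must stay owner-only.
# GNU stat first (Ubuntu server), BSD stat as a fallback.
check_key_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}
# check_ip_forward: PostUp masquerades, but nothing is routed unless the
# sysctl step at the top of the gist has been done.
check_ip_forward() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}
# Constructed sample mirroring the gist's server config with a /12 typo.
SAMPLE_SERVER_CONF='[Interface]
Address = 172.16.0.1/32
ListenPort = 51820
PrivateKey = <placeholder>
[Peer]
PublicKey = <placeholder>
AllowedIPs = 172.16.0.2/12'
check_peer_allowed_ips "$SAMPLE_SERVER_CONF" || echo "fix AllowedIPs before starting wg-quick@wg0"
```

Run it on the real file with check_peer_allowed_ips "$(cat /etc/wireguard/wg0.conf)", check_key_perms /etc/wireguard/privatekey and check_ip_forward; each returns non-zero when the check fails.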