@atomlab
Last active March 12, 2022 22:03
Wireguard setup on Ubuntu 18.04

Wireguard setup on Ubuntu 16.04/18.04

Install

# sudo add-apt-repository ppa:wireguard/wireguard
# sudo apt-get update
# sudo apt-get install wireguard

Generate keys

# cd /etc/wireguard/
# umask 077
# wg genkey > privatekey
# wg pubkey < privatekey > publickey

Check created keys

# cat privatekey
2B5zWbvkWxovKZsbdyLPLdxQlwGDDsocdhaP2w0nwnE=
# cat publickey
J5s0i4x9XuuNylQlfEGrZoFgV1Id48qZoPvjVS+sBDU=
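Added check (not part of this gist): before pasting a key into a config, confirm it really is a 32-byte key (44 base64 characters ending in "=") and that the private key file is readable only by its owner. The functions below use only coreutils (base64, stat); the key in the demo is the server public key printed above, and /etc/wireguard/privatekey is only inspected if it exists.

```shell
# Added example, not from the gist: sanity checks for WireGuard key material.
# A WireGuard key is 32 random bytes; base64 turns that into 43 characters
# plus one "=" of padding, 44 characters in total.

# wg_key_valid KEY -> 0 if KEY decodes to exactly 32 bytes, 1 otherwise
wg_key_valid() {
    key=$1
    # reject anything outside the base64 alphabet before calling base64
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # a 32-byte key always encodes to exactly 44 characters
    [ "${#key}" -eq 44 ] || return 1
    # decode and count the bytes; a truncated or padded-wrong key is not 32
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# wg_keyfile_private FILE -> 0 if FILE exists and is mode 600 or 400
# (what "umask 077" before "wg genkey > privatekey" gives you)
wg_keyfile_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# demo: the server public key shown above passes, a truncated copy does not
SERVER_PUBKEY='J5s0i4x9XuuNylQlfEGrZoFgV1Id48qZoPvjVS+sBDU='
if wg_key_valid "$SERVER_PUBKEY"; then echo "server public key: well-formed"; fi
if ! wg_key_valid "${SERVER_PUBKEY%=}"; then echo "truncated key: rejected"; fi

# only meaningful on the server itself, so skipped when the file is absent
if [ -f /etc/wireguard/privatekey ]; then
    if wg_keyfile_private /etc/wireguard/privatekey; then
        echo "/etc/wireguard/privatekey: permissions ok"
    else
        echo "WARNING: /etc/wireguard/privatekey is readable by others"
    fi
fi
```

Run it with sh or bash; a key that fails wg_key_valid has usually been copied with a missing trailing "=" or a stray character, which wg setconf will also reject.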

Wireguard config

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = 2B5zWbvkWxovKZsbdyLPLdxQlwGDDsocdhaP2w0nwnE=
ListenPort = 51820

Interface setup

/etc/network/interfaces.d/wg0.cfg

auto wg0
iface wg0 inet static
        address 192.168.120.1
        netmask 255.255.255.0
        pre-up ip link add $IFACE type wireguard
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
        post-down ip link del $IFACE

Reboot the server after the network setup to make sure the wg0 interface is brought up successfully on boot.

Setup iptables and NAT on Wireguard server

To masquerade all client traffic to the internet we need iptables rules; here the iptables rules are managed with ferm.

  1. Enable IP forwarding
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1
  2. Install ferm
# apt install ferm

Create the file /etc/ferm/ferm.d/wg_nat.conf (for example with vim):

/etc/ferm/ferm.d/wg_nat.conf

table nat {
    chain POSTROUTING {
        # eth0 is the server's uplink interface; adjust it to match `ip route`
        outerface eth0 MASQUERADE;
    }
}

table filter {
    chain INPUT {
        # Allow the WireGuard listen port (WireGuard speaks UDP only)
        proto udp dport 51820 ACCEPT;
    }
    chain FORWARD {
        # Forward only traffic coming from the 192.168.120.0/24 client network
        saddr 192.168.120.0/24 daddr 0.0.0.0/0 ACCEPT;
    }
}

Apply ferm settings

# ferm /etc/ferm/ferm.conf
#

Android client setup

Install the WireGuard client for Android

  1. Press the (+) button
  2. Select "Create from scratch"
  3. Set up the interface:
     Name: wg_vpn
     Private key: (GENERATE)
     Address: 192.168.120.2/32
     DNS server: 1.1.1.1
  4. Press the ADD PEER button below and fill in:
     Public key: J5s0i4x9XuuNylQlfEGrZoFgV1Id48qZoPvjVS+sBDU=
     Allowed IPs: 0.0.0.0/0
     Endpoint: 163.172.161.5:51820
  5. Press the Save button at the bottom
  6. Enable the VPN connection

Add peer to wireguard config on server

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = 2B5zWbvkWxovKZsbdyLPLdxQlwGDDsocdhaP2w0nwnE=
ListenPort = 51820

[Peer]
PublicKey = cmfyWxlXbFKpdtnsI2a0WF2bu7/MZRcV+Kf6aF/osxY= # public key generated on client side
AllowedIPs = 192.168.120.2/32 # ip address allowed to connect with this public key

Apply configuration on server

# wg setconf wg0 /etc/wireguard/wg0.conf
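Added example (not part of this gist): a small helper that appends a [Peer] block to the wg setconf-style config above without duplicating a public key or handing the same AllowedIPs address to two peers (with duplicates, wg silently keeps only the last one, which is hard to debug). It assumes one address per AllowedIPs line, as in the config above; wg_reload is the only function that needs root and the wg tool, the demo works on a scratch copy.

```shell
# Added example, not from the gist: idempotent peer registration for a
# [Interface]/[Peer] config in the layout used above.

# wg_peer_exists CONF PUBKEY -> 0 if a "PublicKey = PUBKEY" line is present
wg_peer_exists() {
    awk -v k="$2" '$1 == "PublicKey" && $2 == "=" && $3 == k { found = 1 }
                   END { exit !found }' "$1"
}

# wg_allowed_exists CONF CIDR -> 0 if some peer already owns CIDR
# (assumes a single address per AllowedIPs line; trailing comments are fine)
wg_allowed_exists() {
    awk -v v="$2" '$1 == "AllowedIPs" && $2 == "=" && $3 == v { found = 1 }
                   END { exit !found }' "$1"
}

# wg_peer_count CONF -> number of [Peer] sections (prints 0 when none)
wg_peer_count() {
    grep -c '^\[Peer\]' "$1" || :
}

# wg_add_peer CONF PUBKEY CIDR -> appends a [Peer] block.
# Returns 1 and leaves CONF untouched if the key is malformed, CIDR is not a
# single /32 host, or the key or the address is already registered.
wg_add_peer() {
    conf=$1; pk=$2; cidr=$3
    [ -f "$conf" ] || { echo "config $conf not found" >&2; return 1; }
    printf '%s\n' "$pk" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || { echo "malformed public key" >&2; return 1; }
    printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$' \
        || { echo "AllowedIPs must be a single /32 host address" >&2; return 1; }
    if wg_peer_exists "$conf" "$pk"; then
        echo "peer with this public key already present" >&2; return 1
    fi
    if wg_allowed_exists "$conf" "$cidr"; then
        echo "$cidr is already assigned to another peer" >&2; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pk" "$cidr" >> "$conf"
}

# wg_reload IFACE CONF -> push the config to the running interface (needs root)
wg_reload() {
    wg setconf "$1" "$2"
}

# demo on a scratch copy of the server config shown above
demo_conf=$(mktemp)
printf '[Interface]\nPrivateKey = 2B5zWbvkWxovKZsbdyLPLdxQlwGDDsocdhaP2w0nwnE=\nListenPort = 51820\n' > "$demo_conf"
wg_add_peer "$demo_conf" 'cmfyWxlXbFKpdtnsI2a0WF2bu7/MZRcV+Kf6aF/osxY=' 192.168.120.2/32 && echo "peer added"
wg_add_peer "$demo_conf" 'cmfyWxlXbFKpdtnsI2a0WF2bu7/MZRcV+Kf6aF/osxY=' 192.168.120.3/32 || echo "second add refused"
echo "peers in $demo_conf: $(wg_peer_count "$demo_conf")"
rm -f "$demo_conf"
```

On the real server run `wg_add_peer /etc/wireguard/wg0.conf <client public key> 192.168.120.2/32 && wg_reload wg0 /etc/wireguard/wg0.conf` as root; the checks fail closed, so a bad paste never reaches wg setconf.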

Check connections

# wg
interface: wg0
  public key: J5s0i4x9XuuNylQlfEGrZoFgV1Id48qZoPvjVS+sBDU=
  private key: (hidden)
  listening port: 51820

peer: cmfyWxlXbFKpdtnsI2a0WF2bu7/MZRcV+Kf6aF/osxY=
  endpoint: 176.34.241.253:53745
  allowed ips: 192.168.120.2/32
  latest handshake: 26 seconds ago
  transfer: 2.20 MiB received, 47.72 MiB sent
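Added example (not part of this gist): the "latest handshake" line above is the quickest health signal WireGuard gives you, and `wg show wg0 dump` prints the same data in a machine-readable, tab-separated form (one peer per line: public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, rx bytes, tx bytes, persistent keepalive; a handshake of 0 means the peer never completed one). The helper below lists peers whose last handshake is older than a threshold. The sample dump is constructed from the `wg` output above plus a second made-up peer with a placeholder key; only wg_check_iface touches a real interface and needs root.

```shell
# Added example, not from the gist: stale-handshake report over `wg show IFACE dump`.

# wg_stale_peers NOW MAX_AGE  (reads dump output on stdin)
# prints "pubkey allowed-ips age-in-seconds" (or "never") per stale peer
wg_stale_peers() {
    awk -v now="$1" -v max="$2" 'NR > 1 {      # NR 1 is the interface line
        if ($5 == 0)             print $1, $4, "never"
        else if (now - $5 > max) print $1, $4, now - $5
    }'
}

# wg_check_iface IFACE MAX_AGE -> run the report against a live interface (needs root)
wg_check_iface() {
    wg show "$1" dump | wg_stale_peers "$(date +%s)" "$2"
}

# Constructed sample dump: peer 1 is the one from the `wg` output above, with
# its handshake 26 s before DEMO_NOW; peer 2 is made up (placeholder key) and
# never handshaked. Private key column is replaced by (none) on purpose.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '(none)' 'J5s0i4x9XuuNylQlfEGrZoFgV1Id48qZoPvjVS+sBDU=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'cmfyWxlXbFKpdtnsI2a0WF2bu7/MZRcV+Kf6aF/osxY=' '(none)' '176.34.241.253:53745' \
        '192.168.120.2/32' 1647122580 2306867 50040217 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER2_PUBKEY_PLACEHOLDER=' '(none)' '(none)' '192.168.120.3/32' 0 0 0 off
}

DEMO_NOW=1647122606   # constructed: 26 seconds after peer 1's handshake
echo "peers with no handshake in the last 180 s:"
sample_dump | wg_stale_peers "$DEMO_NOW" 180
```

A peer that keeps showing up as stale while its endpoint is reachable usually has a key mismatch between the two configs; one that flips to "never" after a config reload has been dropped from AllowedIPs. Running `wg_check_iface wg0 180` from cron and alerting on non-empty output is a cheap monitor.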

Troubleshooting

# ip link add dev wg0 type wireguard
RTNETLINK answers: Operation not supported

Install the kernel headers and rebuild the wireguard DKMS module

# apt -y install linux-headers-$(uname -r)
# dpkg-reconfigure wireguard-dkms

Reboot system

Links

https://tunfish.org/doc/sandbox/troubleshooting.html
