- The network 192.168.1.0/24 is your LAN
- Your Ubuntu server is on your LAN at 192.168.1.10, reachable through the network interface eth0
- The network 192.168.5.0/24 is not in use anywhere on your LAN; it becomes the VPN subnet
- Your LAN DNS is at 192.168.1.1
- Ensure IPv4 forwarding is enabled (this is what lets the server route packets between wg0 and the LAN):
  sudo sysctl -w net.ipv4.ip_forward=1
  This setting does not survive a reboot; to make it permanent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/).
- You might need to allow the VPN server port UDP 51820 through the firewall:
  sudo ufw allow 51820/udp
  sudo ufw enable
  If you administer the server over SSH, allow that port as well before running ufw enable, since ufw's default policy denies incoming traffic.
- Install the WireGuard kernel module and CLI tools:
  sudo add-apt-repository ppa:wireguard/wireguard
  sudo apt-get update
  sudo apt-get install -y wireguard
  On Ubuntu 20.04 and later the wireguard package is in the standard repositories and the kernel already ships the module, so the PPA step can be skipped.
- Create the VPN interface configuration file
  sudo nano /etc/wireguard/wg0.conf
  with the following content. The file will hold the server's private key, so keep it readable by root only (mode 600); wg-quick warns if it is world readable.

  [Interface]
  Address = 192.168.5.1
  ListenPort = 51820
  PrivateKey = <server private key>
  PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

  [Peer]
  # Your first client
  PublicKey = <client 1 public key>
  AllowedIPs = 192.168.5.2/32

  # [Peer]
  # Your second client
  # PublicKey = <client 2 public key>
  # AllowedIPs = 192.168.5.3/32

  wg-quick expands %i to the interface name (wg0). The FORWARD rules let traffic arriving on wg0 reach the LAN and the Internet, and the MASQUERADE rule rewrites the source address so replies come back through the server. AllowedIPs on a [Peer] is the set of source addresses that peer may use inside the tunnel, so each client gets its own /32; never give two peers the same address.
- Generate a keypair on the server:
  privateKey=`wg genkey`
  publicKey=`echo "$privateKey" | wg pubkey`
  echo "Private Key: $privateKey"
  echo "Public Key: $publicKey"
  unset -v privateKey
  Note that this prints the private key to the terminal, where it remains in the scrollback; clear the terminal afterwards and paste the key nowhere other than the server's wg0.conf.
- Copy the private key into /etc/wireguard/wg0.conf in the [Interface] section, replacing <server private key>
- On your client, generate a key pair the same way (wg genkey, then wg pubkey; see comment below for details), and copy the client public key to the server's /etc/wireguard/wg0.conf in the [Peer] section, replacing <client 1 public key>
- Finally, launch the interface on the server:
  sudo wg-quick up wg0
  If it complains that wireguard is not a known interface type, the kernel module is not loaded yet; try
  sudo modprobe wireguard
  or reboot the server to load the new kernel module. You can remove the VPN interface with
  sudo wg-quick down wg0
- On your client, use this configuration:

  [Interface]
  Address = 192.168.5.2
  PrivateKey = <client 1 auto generated private key>
  DNS = 192.168.1.1

  [Peer]
  PublicKey = <server public key>
  AllowedIPs = 0.0.0.0/0
  Endpoint = 192.168.1.10:51820
  PersistentKeepalive = 25

  and replace <server public key> with the public key you generated on the server. AllowedIPs = 0.0.0.0/0 sends all of the client's traffic through the tunnel, which is why the server needs forwarding and masquerading, and DNS = 192.168.1.1 makes name lookups go through the tunnel too instead of leaking to the client's local resolver.
- You can now try to connect; it should take 3 to 5 seconds to come up.
- To access the VPN from outside, forward a port on your router, for example UDP 443, to 192.168.1.10:51820, and change the client's Endpoint to <your public IP or hostname>:443
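The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that renders the server and client configs from the tutorial's addresses, keeps private keys off the terminal and in mode 600 files, and rejects a peer whose AllowedIPs is outside the VPN subnet or already taken by another peer. Key strings are passed in as arguments, so everything except gen_keypair runs without wg(8) installed. The function names, the constants block and the peer argument format (pubkey:ip/32) are this example's own choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders WireGuard configs for
# the tutorial's layout: VPN subnet 192.168.5.0/24 with the server at .1, LAN
# interface eth0, LAN DNS 192.168.1.1, UDP port 51820 (all assumed values).
set -eu

VPN_NET=192.168.5     # first three octets of the VPN subnet
LAN_IFACE=eth0        # interface the PostUp MASQUERADE rule refers to
LAN_DNS=192.168.1.1
LISTEN_PORT=51820

# gen_keypair <dir> <name>: writes <name>.key and <name>.pub. The private key
# goes straight into a file created with mode 0600 and is never printed, so it
# does not end up in shell history or terminal scrollback. Needs wg(8).
gen_keypair() {
    ( umask 077
      wg genkey > "$1/$2.key"
      wg pubkey < "$1/$2.key" > "$1/$2.pub" )
}

# check_allowed_ip <ip/32> "<ips already assigned>": on the server, a peer's
# AllowedIPs is the set of source addresses that peer may use, so each client
# needs exactly one host address in the VPN subnet (.2 to .254; .1 is the
# server) and no two peers may share one: adding an address to a second peer
# moves it away from the first. Returns non-zero if the address is rejected.
check_allowed_ip() {
    ip=$1; used=$2
    case "$ip" in "$VPN_NET".*/32) ;; *) return 1 ;; esac
    host=${ip%/32}; host=${host##*.}
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || return 1
    for u in $used; do [ "$u" != "$ip" ] || return 1; done
}

# render_server_conf <server_privkey> <client_pubkey:ip/32>...: prints wg0.conf
render_server_conf() {
    key=$1; shift
    printf '[Interface]\nAddress = %s.1/24\nListenPort = %s\nPrivateKey = %s\n' \
        "$VPN_NET" "$LISTEN_PORT" "$key"
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$LAN_IFACE"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$LAN_IFACE"
    used=""
    for peer in "$@"; do          # base64 keys never contain ':', so it is a safe separator
        pub=${peer%%:*}; ip=${peer#*:}
        check_allowed_ip "$ip" "$used" || { echo "rejected AllowedIPs $ip for peer $pub" >&2; return 1; }
        used="$used $ip"
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$ip"
    done
}

# render_client_conf <client_privkey> <client_ip> <server_pubkey> <endpoint host:port>
# AllowedIPs = 0.0.0.0/0 routes all client traffic through the tunnel, which is
# what makes the server's MASQUERADE rule and the LAN DNS setting matter.
render_client_conf() {
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\nDNS = %s\n\n' "$2" "$1" "$LAN_DNS"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\nPersistentKeepalive = 25\n' "$3" "$4"
}

# write_conf <path>: store a rendered config (read from stdin) readable by its
# owner only; wg-quick warns when a config holding a private key is world readable.
write_conf() {
    ( umask 077; cat > "$1" )
}

# Typical run as root on the server (not executed here):
#   gen_keypair /etc/wireguard server; gen_keypair /etc/wireguard client1
#   render_server_conf "$(cat /etc/wireguard/server.key)" \
#       "$(cat /etc/wireguard/client1.pub):192.168.5.2/32" | write_conf /etc/wireguard/wg0.conf
#   render_client_conf "$(cat /etc/wireguard/client1.key)" 192.168.5.2 \
#       "$(cat /etc/wireguard/server.pub)" 192.168.1.10:51820 | write_conf /etc/wireguard/client1.conf
```

The client config still has to be transported to the client over a channel you trust (a USB stick, scp over an existing SSH session); the client's .key file can be deleted from the server once the config has been handed over, since the server only needs the client's public key.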
A few days running Wireguard now and I must say I'm impressed! I run the server on a remote NanoPi NEO2 (H5) board, 1.2 GHz, 512 MB RAM, gigabit LAN, and this small device is running it like it would a simple SSH session. Looking at htop, it is so low on resources, even when I stream a high-bitrate (12 Mbit/s) 1080i DVB-C stream from the remote Tvheadend server over TCP, encapsulated in Wireguard's UDP. Perfecto!
An interesting way to use Wireguard and Docker together:
"Ready for Containers
WireGuard sends and receives encrypted packets using the network namespace in which the WireGuard interface was originally created. This means that you can create the WireGuard interface in your main network namespace, which has access to the Internet, and then move it into a network namespace belonging to a Docker container as that container's only interface. This ensures that the only possible way that container is able to access the network is through a secure encrypted WireGuard tunnel."
Based on this, the Wireguard interface is created on the system, but all the Docker containers can be routed over that connection. Actually no iptables needed, no routing, nothing (sure, iptables rules are there, but created by Docker automatically). This would be so easy. Docker containers can communicate (hopefully) with each other using their name and IP configured by Docker.
I hope PIA will add Wireguard support soon. This can be run on a medium category SoHo router. Sorry for being long, but I like this so much.
Btw, I had to use some other instructions to properly configure Wireguard, as IPv4 forwarding has to be enabled, and iptables forwarding and masquerading are needed too (so simple).
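The container setup the quoted passage describes, as an added example (not from the commenter or the WireGuard project): the interface is created and keyed in the host namespace, where its UDP socket stays, and then moved into a container that was started with --network none, so the tunnel is the container's only route out. The script assumes root, a client config in plain wg(8) syntax such as wg-quick strip produces (no Address, DNS or PostUp lines), the tutorial's addresses (server at 192.168.1.10, client address 192.168.5.2), and that the container's namespace is reached through the PID of its init process. The DRY_RUN switch, which prints the commands instead of running them, is this example's own addition.

```shell
#!/bin/sh
# Added example, not code from the comment or the WireGuard project. Moves a
# WireGuard interface into a Docker container's network namespace so that the
# tunnel is the only path out of the container. Run as root on the Docker host.
set -eu

# run: execute the command, or only print it when DRY_RUN=1 (for rehearsal).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# container_pid <name>: PID of the container's init process, which is how
# ip(8) and nsenter(8) address a network namespace Docker did not name.
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# move_wg_into_container <pid> <iface> <addr/prefix> <conf>
# <conf> is a plain wg(8) config (PrivateKey plus the [Peer] with the server's
# PublicKey, AllowedIPs = 0.0.0.0/0 and Endpoint = 192.168.1.10:51820).
move_wg_into_container() {
    pid=$1; ifc=$2; addr=$3; conf=$4
    run ip link add "$ifc" type wireguard     # created in the host namespace: the UDP socket lives here
    run wg setconf "$ifc" "$conf"             # keys, peer and endpoint, still in the host namespace
    run ip link set "$ifc" netns "$pid"       # the interface moves; its socket does not
    run nsenter -t "$pid" -n ip addr add "$addr" dev "$ifc"
    run nsenter -t "$pid" -n ip link set "$ifc" up
    run nsenter -t "$pid" -n ip route add default dev "$ifc"   # lo is the only other interface
}

# Typical use (not executed here):
#   docker run -d --name app --network none <image>
#   move_wg_into_container "$(container_pid app)" wg0 192.168.5.2/24 /etc/wireguard/wg0-client.conf
```

Because the container started with --network none, nothing inside it can reach the LAN or the Internet except through wg0, and the server's PostUp masquerade rule takes care of the rest; the container's /etc/resolv.conf must point at a resolver reachable through the tunnel, such as the LAN DNS at 192.168.1.1, or name lookups will fail rather than leak. Rehearse with DRY_RUN=1 first, since a mistake in the netns step leaves the interface stranded in one namespace or the other.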