@qdm12
Last active April 8, 2024 08:45
Wireguard setup for Ubuntu server with LAN access

Wireguard setup for LAN access

Assumptions

  • The network 192.168.1.0/24 is your LAN
  • Your Ubuntu server is on your LAN at 192.168.1.10, through the network interface eth0
  • The network 192.168.5.0/24 is not used anywhere on your LAN (it will be the VPN subnet)
  • Your LAN DNS is at 192.168.1.1

Server installation

  1. Ensure IPv4 forwarding is enabled

    sudo sysctl -w net.ipv4.ip_forward=1

    This setting does not survive a reboot; make it permanent in your sysctl configuration if needed.
  2. You might need to allow the VPN server port UDP 51820:

    sudo ufw allow 51820/udp
    sudo ufw enable
  3. Install Wireguard Kernel modules and CLI tools

    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt-get update
    sudo apt-get install -y wireguard
  4. Create the VPN interface configuration file

    sudo nano /etc/wireguard/wg0.conf

    with the following content

    [Interface]
    Address = 192.168.5.1
    ListenPort = 51820
    PrivateKey = <server private key>
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    [Peer]
    # Your first client
    PublicKey = <client 1 public key>
    AllowedIPs = 192.168.5.2/32
    
    # [Peer]
    # Your second client
    # PublicKey = <client 2 public key>
    # AllowedIPs = 192.168.5.3/32
  5. Generate a keypair on the server

    privateKey=$(wg genkey)
    publicKey=$(echo "$privateKey" | wg pubkey)
    echo "Private Key: $privateKey"
    echo "Public Key: $publicKey"
    unset -v privateKey
  6. Copy the private key into /etc/wireguard/wg0.conf in the [Interface] section, replacing <server private key>

  7. On your client, generate a key pair (see the comment below for how), then copy the client public key into the server's /etc/wireguard/wg0.conf in the [Peer] section, replacing <client 1 public key>.

  8. Finally, launch the interface on the server

    wg-quick up wg0

    If it complains that wireguard is not a valid interface type, try modprobe wireguard; otherwise reboot the server so the new kernel module is loaded.

    You can remove the VPN interface with wg-quick down wg0.

  9. On your client, use this configuration

    [Interface]
    Address = 192.168.5.2
    PrivateKey = <client 1 auto generated private key>
    DNS = 192.168.1.1
    
    [Peer]
    PublicKey = <server public key>
    AllowedIPs = 0.0.0.0/0
    Endpoint = 192.168.1.10:51820
    PersistentKeepalive = 25

    And replace <server public key> with the public key you generated.

  10. You can now try to connect; it should take 3-5 seconds.

  11. To connect from outside your LAN, forward a port on your router (for example UDP 443) to 192.168.1.10:51820 and change the client's Endpoint to your public address with that port (:443).
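A pre-flight check you can run on the server before step 8, added here as an example and not part of the original gist. It catches the three mistakes the steps above are prone to: a template placeholder such as <server private key> left unreplaced, a wg0.conf readable by other users (it contains the private key), and a PostUp iptables rule without its PostDown counterpart. It assumes GNU stat (with a BSD fallback) and standard grep/sed.

```shell
# Pre-flight check for a wg-quick config. Usage:
#   check_wg_conf /etc/wireguard/wg0.conf
# Returns 0 when every check passes, 1 otherwise, printing what is wrong.
check_wg_conf() {
  conf="$1"; ok=0

  # 1. Template placeholders such as <server private key> that were never
  #    replaced (commented-out lines, like the second [Peer], are ignored).
  if grep -v '^[[:space:]]*#' "$conf" | grep -q '<[^>]*>'; then
    echo "unfilled placeholder(s):"
    grep -v '^[[:space:]]*#' "$conf" | grep -o '<[^>]*>'
    ok=1
  fi

  # 2. The file holds a private key, so only its owner may read it.
  mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
  if [ "$mode" != "600" ]; then
    echo "file mode is $mode, expected 600"
    ok=1
  fi

  # 3. Every rule appended in PostUp (-A) needs the matching delete (-D) in
  #    PostDown, otherwise iptables rules pile up on each up/down cycle.
  up=$(grep '^PostUp' "$conf" | sed 's/^PostUp *= *//' | tr ';' '\n' \
       | sed 's/^ *//; s/ *$//; s/ -A / -D /')
  down=$(grep '^PostDown' "$conf" | sed 's/^PostDown *= *//' | tr ';' '\n' \
         | sed 's/^ *//; s/ *$//')
  missing=$(printf '%s\n' "$up" | while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    printf '%s\n' "$down" | grep -qxF -- "$rule" || printf '  %s\n' "$rule"
  done)
  if [ -n "$missing" ]; then
    echo "PostUp rules with no PostDown counterpart:"
    printf '%s\n' "$missing"
    ok=1
  fi

  return "$ok"
}
```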

Mladia commented Jan 11, 2023

That's right. UFW blocks network traffic from the docker container, since it comes from a different subnet.
