@zachlankton
Last active February 22, 2022 21:43
WireGuard Setup for Oracle Instance Ubuntu 20.04

Set up an Oracle Cloud VM as a VPN tunnel for connected clients on Ubuntu 20.04

Install dnsmasq

apt install dnsmasq -y

Find (uncomment) or add these lines in /etc/dnsmasq.conf:

server=1.1.1.1
server=1.0.0.1

bind-interfaces

Then disable the systemd resolver:

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Then you should be able to start and enable dnsmasq:

systemctl start dnsmasq
systemctl enable dnsmasq

If LXC or LXD is running, you may have to shut them down and/or kill their processes first, otherwise the commands above will output an error (LXD runs its own dnsmasq). To shut down lxc and lxd you may have to hack your way through roughly the following:

lxd shutdown
# find the lxc process that is running dnsmasq and kill it
ps aux | grep lxc
kill -9 [PID NUMBER FROM LAST COMMAND]

After hacking your way through the above, retry starting dnsmasq as in the previous step. If all else fails you may have to restart the container, and everything should work.

Check to make sure you are getting DNS resolution with ping or dig:

root@test:~# ping google.com
PING google.com (142.251.45.14) 56(84) bytes of data.
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=1 ttl=121 time=0.712 ms
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=2 ttl=121 time=0.669 ms
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=3 ttl=121 time=0.635 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.635/0.672/0.712/0.031 ms


root@test:~# dig google.com

; <<>> DiG 9.16.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             205     IN      A       142.251.45.14

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Feb 22 18:55:48 UTC 2022
;; MSG SIZE  rcvd: 55

root@test:~#

Set up dnsmasq to start after WireGuard so that it can bind the wg0 interface. Modify these lines in /lib/systemd/system/dnsmasq.service:

[Unit]
After=wg-quick@wg0.service
Wants=wg-quick@wg0.service
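Editing dnsmasq.conf by hand works, but when the VM gets rebuilt it helps to have a script that applies the lines above idempotently and checks what dnsmasq will end up listening on. The Python below is an added example, not part of the gist. It assumes the tunnel interface is wg0 and adds one line the gist does not have, interface=wg0: with bind-interfaces alone dnsmasq still binds every interface, the public address included, so the VM would answer DNS queries from the whole internet; restricting it to the tunnel is also the reason the unit ordering above matters, since wg0 has to exist before dnsmasq binds it.

```python
import re

# Lines the gist adds to /etc/dnsmasq.conf: upstream resolvers plus bind-interfaces.
UPSTREAMS = ["server=1.1.1.1", "server=1.0.0.1"]

# Added hardening beyond the gist (assumption: the tunnel interface is wg0).  Without an
# interface= line dnsmasq binds every interface, public address included.  interface=wg0
# limits it to the tunnel (dnsmasq adds loopback automatically), which is why dnsmasq
# must start only after wg-quick@wg0 has created wg0.
TUNNEL_IFACE = "wg0"

_COMMENTED_BIND = re.compile(r"^\s*#\s*bind-interfaces\s*$")


def _active_lines(conf_text: str) -> list:
    """Config lines dnsmasq actually reads: non-empty and not comments."""
    return [l.strip() for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def apply_dnsmasq_settings(conf_text: str, iface: str = TUNNEL_IFACE) -> str:
    """Return conf_text with the required lines present exactly once (idempotent).

    The shipped file carries '#bind-interfaces' as a commented example; the first such
    line is uncommented in place.  Everything else is appended only if no identical
    active line exists, so re-running on the function's own output changes nothing.
    """
    lines, fixed = [], False
    for l in conf_text.splitlines():
        if not fixed and _COMMENTED_BIND.match(l):
            l, fixed = "bind-interfaces", True
        lines.append(l)
    active = set(_active_lines("\n".join(lines)))
    for wanted in UPSTREAMS + ["bind-interfaces", f"interface={iface}"]:
        if wanted not in active:
            lines.append(wanted)
            active.add(wanted)
    return "\n".join(lines) + "\n"


def listens_only_on_tunnel(conf_text: str, iface: str = TUNNEL_IFACE) -> bool:
    """Check a finished config: bind-interfaces active and interface= names only the tunnel."""
    active = _active_lines(conf_text)
    ifaces = [l.split("=", 1)[1].strip() for l in active if l.startswith("interface=")]
    return "bind-interfaces" in active and ifaces == [iface]


# Constructed stand-in for the stock file (only the lines that matter here).
SAMPLE_CONF = "# Configuration file for dnsmasq.\n#server=/localnet/192.168.0.1\n#bind-interfaces\n"

if __name__ == "__main__":
    print(apply_dnsmasq_settings(SAMPLE_CONF))
```

To use it on a real system, read /etc/dnsmasq.conf, write back apply_dnsmasq_settings(text), and refuse to restart dnsmasq unless listens_only_on_tunnel() returns True.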

Add these lines to /etc/sysctl.conf so the VM forwards traffic for the clients:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Run sysctl -p to make the system re-read /etc/sysctl.conf.

WireGuard Setup

Config files on Linux live in /etc/wireguard; the server config below should be saved as /etc/wireguard/wg0.conf.

SERVER CONFIG FILE:

[Interface]
Address = 10.132.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = [SERVER_VPN_PORT]
PrivateKey = [PRIVATE KEY]

[Peer]
PublicKey = [PEER_1_PUBLIC_KEY]
AllowedIPs = 10.132.0.20/32

[Peer]
PublicKey = [PEER_2_PUBLIC_KEY]
AllowedIPs = 10.132.0.30/32

Config files for Windows can be imported and managed with the WireGuard app.

CLIENT CONFIG FILE:

[Interface]
PrivateKey = [CLIENT_PRIVATE_KEY]
ListenPort = 12345
Address = 10.132.0.20/24
DNS = 10.132.0.1

[Peer]
PublicKey = [SERVER_PUBLIC_KEY]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [SERVER_IP_ADDRESS]:[SERVER_VPN_PORT]
PersistentKeepalive = 25

Then run the following commands to set up the WireGuard systemd service:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
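Filling in the two config files by hand is where most mistakes happen: a placeholder left in a key field, a peer AllowedIPs outside the tunnel subnet or colliding with the server's own address, or a PostUp rule without its PostDown (which leaves firewall rules behind on shutdown and stacks duplicates on every restart). The Python below is an added example, not part of the gist. It renders the server and client configs in the gist's layout from parameters and checks a server config for those mistakes before the service is enabled. Keys are parameters: DEMO_KEY is a constructed, format-only sample, and real keys come from wg genkey / wg pubkey.

```python
import base64
import ipaddress

SERVER_SUBNET = "10.132.0.1/24"  # from the gist: server tunnel address and prefix
WAN_IFACE = "enp0s3"             # from the gist; confirm yours with: ip route get 1.1.1.1

# Constructed, format-only sample key (bytes 0..31 in base64).  Never use it; make real
# keys with:  wg genkey | tee privatekey | wg pubkey > publickey
DEMO_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="


def is_wg_key(value: str) -> bool:
    """WireGuard keys are 32 bytes in base64; this also catches a [PLACEHOLDER] left in."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def firewall_rules(wan: str = WAN_IFACE) -> list:
    """The gist's four PostUp rules, parameterised on the outbound interface."""
    return [
        "iptables -A FORWARD -i wg0 -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan} -j MASQUERADE",
        "ip6tables -A FORWARD -i wg0 -j ACCEPT",
        f"ip6tables -t nat -A POSTROUTING -o {wan} -j MASQUERADE",
    ]


def server_config(private_key: str, listen_port: int, peers: list,
                  wan: str = WAN_IFACE, subnet: str = SERVER_SUBNET) -> str:
    """Render wg0.conf in the gist's layout; peers = [(public_key, tunnel_ip), ...]."""
    rules = firewall_rules(wan)
    lines = ["[Interface]", f"Address = {subnet}", "SaveConfig = true"]
    lines += [f"PostUp = {r}" for r in rules]
    lines += [f"PostDown = {r.replace(' -A ', ' -D ')}" for r in rules]  # mirror every add
    lines += [f"ListenPort = {listen_port}", f"PrivateKey = {private_key}"]
    for pub, ip in peers:
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def client_config(private_key: str, server_pub: str, tunnel_ip: str,
                  endpoint: str, subnet: str = SERVER_SUBNET) -> str:
    """Render a full-tunnel client config that resolves DNS through the server."""
    server = ipaddress.ip_interface(subnet)
    return "\n".join([
        "[Interface]", f"PrivateKey = {private_key}",
        f"Address = {tunnel_ip}/{server.network.prefixlen}", f"DNS = {server.ip}", "",
        "[Peer]", f"PublicKey = {server_pub}", "AllowedIPs = 0.0.0.0/0, ::/0",
        f"Endpoint = {endpoint}", "PersistentKeepalive = 25",
    ]) + "\n"


def parse_sections(text: str) -> list:
    """Minimal INI reader keeping section order and repeated keys (PostUp/PostDown)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1].append((key, val))
    return sections


def check_server_config(text: str) -> list:
    """Return a list of problems (empty means the config passes these checks)."""
    problems, sections = [], parse_sections(text)
    iface_kvs = [kv for name, kvs in sections if name == "Interface" for kv in kvs]
    iface = dict(iface_kvs)
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a valid key (placeholder left in?)")
    try:
        server = ipaddress.ip_interface(iface["Address"])
    except (KeyError, ValueError):
        return problems + ["Interface Address missing or invalid"]
    # Every PostUp rule needs its PostDown, or rules linger and pile up across restarts.
    ups = {v.replace(" -A ", " -D ") for k, v in iface_kvs if k == "PostUp"}
    downs = {v for k, v in iface_kvs if k == "PostDown"}
    problems += [f"PostUp rule has no matching PostDown: {r}" for r in sorted(ups - downs)]
    for name, kvs in sections:
        if name != "Peer":
            continue
        peer = dict(kvs)
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append("Peer PublicKey is not a valid key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"Peer AllowedIPs unparsable: {cidr!r}")
                continue
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"Peer AllowedIPs {net} is not a single host")
            elif net.version != server.network.version or not net.subnet_of(server.network):
                problems.append(f"Peer AllowedIPs {net} is outside {server.network}")
            elif net.network_address == server.ip:
                problems.append(f"Peer AllowedIPs {net} collides with the server address")
    return problems
```

Usage: server_config(private_key, port, [(client_pub, "10.132.0.20"), ...]) produces the text for /etc/wireguard/wg0.conf, client_config(...) the text to import into the WireGuard app, and check_server_config(open("/etc/wireguard/wg0.conf").read()) returns the problems to fix before running systemctl enable.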