Originally published at tech.serhatteker.com
How to Set Up WireGuard VPN Server on Ubuntu
This post covers how to configure the WireGuard VPN server. All of your clients/devices will connect to this machine first, then route out to the Internet.
After some research I decided to use WireGuard since it is free and open-source software. OK, to be honest, my main reason could be this: Linus Torvalds merged WireGuard into the Linux kernel.
0. Entrée
WireGuard is a modern VPN (Virtual Private Network) technology with state-of-the-art cryptography.
It is cross-platform and can run almost anywhere, including Linux, Windows, Android, macOS and iOS.
It is a peer-to-peer VPN; it does not use the client-server model.
It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, much like the SSH model. Each public key is mapped to the list of IP addresses that peer is allowed to use inside the tunnel. The VPN traffic is encapsulated in UDP.
It is fast, easy to configure (especially compared to some of the alternatives), and lightweight.
For more detail you can check the official website: WireGuard
1. Install
First we update the package lists, then install WireGuard:
```sh
$ sudo apt update
$ sudo apt install wireguard
```
NOTE:
You may see on the web that you should install WireGuard from a PPA, like:
```sh
$ sudo add-apt-repository ppa:wireguard/wireguard
```
This is an outdated method, as seen at https://launchpad.net/%7Ewireguard:
> This formerly was responsible for producing a PPA for WireGuard on Ubuntu. That functionality has now been folded into Ubuntu itself, so our old PPA has been removed. Simply run `apt install wireguard` on all Ubuntus ≥ 16.04
2. Configure
2.0. Keys
WireGuard ships with two command-line tools, `wg` and `wg-quick`, which let you configure and manage WireGuard interfaces.
Run the following commands to generate the private and public keys:
```sh
$ sudo mkdir -p /etc/wireguard/server
$ wg genkey | sudo tee /etc/wireguard/server/server.key | wg pubkey | sudo tee /etc/wireguard/server/server.key.pub
```
This places our keys under the `/etc/wireguard/server` directory that we just created. As usual, DO NOT share your private key with anyone else; otherwise your VPN will be compromised.
You can view these files with `cat`:
```sh
$ cat /etc/wireguard/server/server.key
$ cat /etc/wireguard/server/server.key.pub
```
2.1. conf File
Create the configuration file:
```sh
$ sudoedit /etc/wireguard/wg0.conf
```
and add the following settings:
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true
```
Replace `SERVER_PRIVATE_KEY` with your private key from `/etc/wireguard/server/server.key`. Make sure to replace both occurrences of `eth0` with the name of your public network interface; leave `%i` as it is, since wg-quick expands it to the name of the WireGuard interface itself. You can easily find the public interface by running:
```sh
$ ip -o -4 route show to default | awk '{print $5}'
```
2.2. chmod
The `wg0.conf` and `server.key` files should not be readable by normal users. Use `chmod` to set their permissions to `600`:
```sh
$ sudo chmod 600 /etc/wireguard/wg0.conf
$ sudo chmod 600 /etc/wireguard/server/server.key
```
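The following is an added example and not code from the original post. It ties the conf-file and chmod steps above together: it takes the public interface name from the output of the post's `ip -o -4 route show to default` command, renders the `[Interface]` section with that name substituted into both the PostUp and PostDown rules (so the MASQUERADE rule that is added is always the one that is later deleted), writes the file with `umask 077` so it is never world-readable even for an instant, and then checks the mode. The `WG_DIR` variable and the `SAMPLE_ROUTE` line are assumptions/constructed for the demo; `SERVER_PRIVATE_KEY` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): render wg0.conf's [Interface]
# section with the public interface filled in, write it owner-only, verify.
# WG_DIR and SAMPLE_ROUTE are assumed/constructed for the demo.

WG_DIR="${WG_DIR:-/etc/wireguard}"   # assumed layout, as in the post

# Outbound interface name from `ip -o -4 route show to default` text on
# stdin: the 5th field, exactly as the post's awk one-liner takes it.
default_iface() {
    awk '{ print $5; exit }'
}

# Print the [Interface] section. Arguments: private key, public interface,
# tunnel address, listen port. One $iface feeds both PostUp and PostDown.
# %i is left literal: wg-quick expands it to the WireGuard interface name.
render_wg0_conf() {
    key="$1"; iface="$2"; addr="$3"; port="$4"
    cat <<EOF
[Interface]
Address = $addr
ListenPort = $port
PrivateKey = $key
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
SaveConfig = true
EOF
}

# Write stdin to $1 with umask 077, so a newly created file is 600 from the
# first byte instead of being world-readable until a later chmod; the explicit
# chmod covers the case where the file already existed with looser bits.
write_owner_only() {
    ( umask 077; cat > "$1" ) && chmod 600 "$1"
}

# Octal mode bits (GNU/busybox stat) and a 600 check for key and conf files.
mode_of() {
    stat -c '%a' "$1"
}
is_owner_only() {
    [ "$(mode_of "$1")" = "600" ]
}

# Constructed sample of `ip -o -4 route show to default` output.
SAMPLE_ROUTE='default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10 metric 100'

# Demo on the sample. On a real server replace SAMPLE_ROUTE with the live
# command, SERVER_PRIVATE_KEY with $(sudo cat "$WG_DIR/server/server.key"),
# and the temp file with "$WG_DIR/wg0.conf".
iface=$(printf '%s\n' "$SAMPLE_ROUTE" | default_iface)
out=$(mktemp)
render_wg0_conf 'SERVER_PRIVATE_KEY' "$iface" '10.0.0.1/24' '51820' | write_owner_only "$out"
if is_owner_only "$out"; then
    echo "wrote $out (mode $(mode_of "$out")) for interface $iface"
fi
rm -f "$out"
```

Writing the file through `write_owner_only` is preferable to creating it and fixing the mode afterwards: with `umask 077` the private key never sits in a 644 file, which is the gap the post's later `chmod 600` closes only after the fact.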
3. Start WireGuard
3.0. wg up
When everything above is done, bring the `wg0` interface up using the settings from the configuration file:
```sh
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
3.1. Start at Boot
You probably want WireGuard to start after every system reboot. To achieve that, run:
```sh
$ sudo systemctl enable wg-quick@wg0
```
4. Firewall and Networking
4.1. IP Forwarding
We need to allow traffic forwarding for the VPN to work correctly.
Edit the `/etc/sysctl.conf` file and uncomment the line that contains `net.ipv4.ip_forward=1`:
```sh
$ sudoedit /etc/sysctl.conf
```
```text
###################################################################
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
```
Save the file and apply the change:
```sh
$ sudo sysctl -p
```
4.2. Open WireGuard Server Port
Open the `ListenPort` we defined in our `/etc/wireguard/wg0.conf` file:
```sh
$ sudo ufw allow 51820/udp
```
Now enable the firewall:
```sh
$ sudo ufw enable
```
You can verify everything by checking the status:
```sh
$ sudo ufw status verbose
```
That's it. Your WireGuard server is now ready!
All done!
TODO:
- [X] Add client posts:
  - [X] Add Ubuntu Desktop Client
  - [X] Add Android Client
- [ ] Add IPv6 conf as well