Config WireGuard

WireGuard
WireGuard is VPN software; it has been part of the mainline Linux kernel since version 5.6.

Install on Ubuntu 18.04
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install openssh-server

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Open /etc/gai.conf and uncomment the following line so that the host prefers IPv4 connections (the comment above it in the file explains the setting):
#
# For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96 100

Enable IP forwarding on the server and reboot, so that packets arriving on the WireGuard interface can be forwarded out through the server's default-gateway interface (the redirection needs root, hence tee):
$ echo "net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1" | sudo tee /etc/sysctl.d/wg.conf

Generate a key pair, once for the server and once for the client (umask 077 keeps the private key readable by its owner only):
$ umask 077
$ sudo wg genkey > private
$ sudo wg pubkey < private > public

Deploy server config
File: /etc/wireguard/wg0.conf
MASQUERADE: the source address of packets leaving through the public interface (enp0s3 here) is rewritten to the server's own address, and the replies are translated back to the client's tunnel address. PostDown must remove exactly the rules PostUp added, so both lines have to name the same public interface, and the INPUT rule for the listen port belongs on that public interface, where the UDP handshake arrives.
10.0.0.1 can be chosen freely; the only requirement is that all peers are in the same subnet.
[Interface]
Address = 10.0.0.1/24
#SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT && iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE && iptables -A INPUT -i enp0s3 -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT && iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE && iptables -D INPUT -i enp0s3 -p udp --dport 51820 -j ACCEPT
ListenPort = 51820
PrivateKey = aP7Y6f0ubHbweFSs5EouXsT+klvsp2iFRZsmuBz+IHQ=

[Peer]
PublicKey = utH967EMNmx3Of9Breqp27T8+ZCOs1nawsmk+HpCLCY=
AllowedIPs = 10.0.0.2/32

Deploy client config
File: /etc/wireguard/client.conf
AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel; Endpoint is the server's reachable address and ListenPort. wg-quick applies the DNS line through resolvconf, so the client needs the resolvconf package installed or wg-quick up fails.
[Interface]
Address = 10.0.0.2/24
PrivateKey = WHLj16xU6/dq59Qks8Zn14vCjk3PMc7o4Pjm6lktfmE=
DNS = 1.1.1.1

[Peer]
PublicKey = 3GODl2zWseKTpRRiArn00TEZHw9qs0oOxD1AF4gcv3c=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.247.33.177:51820
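The two configs above hide the mistakes that most often break a setup like this: a PostDown that names a different interface than PostUp (so a NAT rule survives wg-quick down), a listen-port rule bound to wg0 instead of the public interface, a malformed key, and a config file readable by other users. The following linter is an added example, not code from the original post or from the WireGuard project; it assumes a wg-quick style file and only a POSIX userland (sed, grep, ls, mktemp), and the sample config it writes uses placeholder keys, not real key material.

```shell
#!/bin/sh
# wg_conf_lint CONF: print each problem on stderr, return 0 when clean, 1 otherwise.
wg_conf_lint() {
  conf="$1"
  problems=0

  # 1. PostDown must remove exactly what PostUp added: the interface in the
  #    MASQUERADE rule has to match, or a stale NAT rule survives `wg-quick down`.
  up_if=$(sed -n 's/^PostUp *=.*-o \([^ ]*\) -j MASQUERADE.*/\1/p' "$conf")
  down_if=$(sed -n 's/^PostDown *=.*-o \([^ ]*\) -j MASQUERADE.*/\1/p' "$conf")
  if [ -n "$up_if" ] && [ "$up_if" != "$down_if" ]; then
    echo "PostUp masquerades via '$up_if' but PostDown removes '$down_if'" >&2
    problems=1
  fi

  # 2. The listen port must be opened on the public interface, not on wg0:
  #    the UDP handshake arrives from outside before wg0 carries anything.
  port=$(sed -n 's/^ListenPort *= *//p' "$conf")
  if [ -n "$port" ] && grep -Eq "INPUT -i wg0 .*--dport $port" "$conf"; then
    echo "INPUT rule for UDP $port is bound to wg0; bind it to the public interface" >&2
    problems=1
  fi

  # 3. Every key is 32 bytes of base64: 44 characters, one '=' of padding, and a
  #    43rd character whose low two bits are zero.
  for key in $(grep -E '^(PrivateKey|PublicKey) *=' "$conf" | sed 's/^[A-Za-z]* *= *//'); do
    if ! echo "$key" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'; then
      echo "malformed key: $key" >&2
      problems=1
    fi
  done

  # 4. The file holds a private key, so group and other must have no access.
  if [ "$(ls -l "$conf" | cut -c5-10)" != "------" ]; then
    echo "$conf is accessible to group/other; chmod 600 it" >&2
    problems=1
  fi

  return $problems
}

# write_sample_conf MODE FILE: constructed sample config (placeholder keys).
# "good" is a clean server config, "bad" reproduces the mistakes listed above.
write_sample_conf() {
  mode="$1"; out="$2"
  k="$(printf '%43s' '' | tr ' ' A)="      # well-formed placeholder key
  case "$mode" in
    good) down_if=enp0s3; in_if=enp0s3 ;;
    bad)  down_if=eth0;   in_if=wg0; k="tooshort=" ;;
  esac
  cat > "$out" <<EOF
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT && iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE && iptables -A INPUT -i $in_if -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT && iptables -t nat -D POSTROUTING -o $down_if -j MASQUERADE && iptables -D INPUT -i $in_if -p udp --dport 51820 -j ACCEPT
ListenPort = 51820
PrivateKey = $k

[Peer]
PublicKey = $k
AllowedIPs = 10.0.0.2/32
EOF
}

# Stand-alone demo: lint a constructed config that contains every mistake.
# On a real host: wg_conf_lint /etc/wireguard/wg0.conf
demo=$(mktemp)
write_sample_conf bad "$demo"
wg_conf_lint "$demo" || echo "lint found problems (expected for the bad sample)"
rm -f "$demo"
```

Run it against /etc/wireguard/wg0.conf and client.conf before wg-quick up; the permission check relies on wg-quick reading the file as root, so a 0600 file owned by root is the expected state.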

Generate a QR code so that the client config can be scanned into a mobile WireGuard app:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < /etc/wireguard/client.conf

Start server
$ sudo wg-quick up wg0

Start client
$ sudo wg-quick up client

WireGuard handshakes over UDP and never reports failure, so wg-quick up succeeding on the client does not mean the VPN connection works.
Check with sudo wg show (the latest handshake line), then with ping, ip route and traceroute to make sure the peers can actually reach each other.
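The handshake timestamp is the one signal that distinguishes "interface is up" from "tunnel is working", and wg show prints it in a machine-readable form with the dump subcommand. The checker below is an added example, not code from the original post or from WireGuard; it assumes the tab-separated layout of `wg show <iface> dump` (first line: interface private key, public key, listen port, fwmark; then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp or 0, rx bytes, tx bytes, keepalive) and a POSIX awk. The dump it writes for the demo is constructed, with placeholder keys.

```shell
#!/bin/sh
# wg_dump_check DUMPFILE NOW: print one status line per peer and return 0 only
# when every peer completed a handshake within the last 180 s of NOW.
# A session is rekeyed after 120 s and rejected after 180 s, so on a tunnel
# that is carrying traffic the timestamp never gets much older than that; an
# idle tunnel simply goes stale, so send a ping first and then check.
wg_dump_check() {
  awk -F '\t' -v now="$2" '
    NR == 1 { next }                                   # the interface line
    {
      if ($5 == 0)             { state = "NO-HANDSHAKE"; fails++; age = "never" }
      else if (now - $5 > 180) { state = "STALE";        fails++; age = (now - $5) "s ago" }
      else                     { state = "OK";                    age = (now - $5) "s ago" }
      printf "peer %s... endpoint=%s allowed=%s handshake=%s %s\n",
             substr($1, 1, 8), $3, $4, age, state
    }
    END { exit fails ? 1 : 0 }
  ' "$1"
}

# write_sample_dump FILE: constructed `wg show wg0 dump` output with placeholder
# keys; peer A handshook at 1700000260, peer B has never completed a handshake.
write_sample_dump() {
  t=$(printf '\t')
  {
    printf '%s\n' "SERVER_PRIVATE_PLACEHOLDER=${t}SERVER_PUBLIC_PLACEHOLDER=${t}51820${t}off"
    printf '%s\n' "PEER_A_PUBLIC_PLACEHOLDER=${t}(none)${t}203.0.113.10:41641${t}10.0.0.2/32${t}1700000260${t}123456${t}654321${t}off"
    printf '%s\n' "PEER_B_PUBLIC_PLACEHOLDER=${t}(none)${t}(none)${t}10.0.0.3/32${t}0${t}0${t}0${t}off"
  } > "$1"
}

# Stand-alone demo against the constructed dump. On the real server:
#   sudo wg show wg0 dump > /tmp/wg.dump && wg_dump_check /tmp/wg.dump "$(date +%s)"
demo=$(mktemp)
write_sample_dump "$demo"
wg_dump_check "$demo" 1700000300 || echo "at least one peer is not live (expected for the sample)"
rm -f "$demo"
```

A NO-HANDSHAKE peer with a non-empty endpoint usually means the UDP port is filtered on the way in or the keys do not match; a STALE peer that was OK earlier points at a path that started dropping packets after the tunnel came up.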
