Introduction
WireGuard is a simple, fast, and modern VPN that uses state-of-the-art cryptography. In published benchmarks it outperforms both IPsec and OpenVPN in throughput. In this guide, you will learn how to establish a WireGuard tunnel between two servers, and then how to run one of them as a VPN server for roaming clients.
Requirements
- Ubuntu or Debian
- Kernel 4.1 or newer
Install and Clone
Installing WireGuard itself is simple and takes four steps. (On Linux 5.6 and newer, and on current Debian and Ubuntu releases, WireGuard is built into the kernel and "apt-get install wireguard" installs the wg and wg-quick tools; the source build below is only needed on older kernels.) First, we install the kernel headers, the build essentials, and the other required packages:
apt-get install libmnl-dev linux-headers-$(uname -r) build-essential make git
After completing this step, we pull WireGuard from its Git repository. This is the historical monolithic repository; the code has since been split into wireguard-linux-compat (the kernel module) and wireguard-tools (wg and wg-quick), but the build steps are the same:
git clone https://git.zx2c4.com/WireGuard
Build
At this point, we have installed all required packages and cloned WireGuard into WireGuard/. We can now build WireGuard and install it (the build needs the headers of the running kernel installed in the previous step):
cd WireGuard/src
make
make install
If make install completes without errors, run exactly the same steps on the other server. Once that is done, move on to the next section of this guide, the configuration process.
Configuration
Creating a tunnel with WireGuard is very simple and can be done with just a few commands. We start by creating the VPN interface:
ip link add dev wg0 type wireguard
Next, we generate a private key. The private key is not used to encrypt the data itself: WireGuard uses the static key pair to authenticate each peer during the handshake and derives fresh per-session keys from it, and the public half is what you hand to the other server. Setting the umask first ensures the key file is readable only by its owner:
umask 077
wg genkey > private
Derive the matching public key from it and print it so it can be copied to the other server:
wg pubkey < private > public
cat public
Do this on both servers and exchange the public keys; each server needs the other's public key and must never see the other's private key. With the peer's public key in hand, we have everything needed to create the tunnel itself:
wg set wg0 listen-port 51920 private-key ~/private peer <PEER_PUBLIC_KEY> allowed-ips 192.168.2.0/24 endpoint <OTHER_SERVER_IP>:51920
Note: You must run this command on both servers, setting PEER_PUBLIC_KEY to the other server's public key and OTHER_SERVER_IP to the address at which it is reachable. allowed-ips is both a route and an access control list: the interface sends a packet to this peer only if its destination falls inside allowed-ips, and accepts a decrypted packet from this peer only if its source address falls inside allowed-ips. For a two-server link, 192.168.2.2/32 on the first server (and 192.168.2.1/32 on the second) is the tightest setting; the /24 above also works.
Finally, we bring the interface up and assign it an IP address (.1 on the first server, .2 on the second):
ip link set up dev wg0
ip addr add 192.168.2.1/24 dev wg0
On the second server, use 192.168.2.2/24 instead.
Testing
Try pinging the other server from the first server using the following command:
ping 192.168.2.2
If you see a response from the server, your installation is correct and the VPN link is working. If you receive no response or an error, run wg show wg0 on both servers: a peer entry with no "latest handshake" line means the handshake never completed, which almost always means a wrong public key, a wrong endpoint, or UDP port 51920 being blocked by a firewall in between. Review the commands you executed on both servers and make sure you adjusted the parameters accordingly.
Set up a VPN server
WireGuard comes with a tool, wg-quick, for quickly creating and destroying a VPN interface from a configuration file. Note that the file used here is not one that wg setconf accepts as-is (Address, DNS, PostUp and PostDown are wg-quick extensions), and you will probably need to change eth0 to the interface your server actually uses for its uplink.
Server
/etc/wireguard/wg0server.conf
[Interface]
Address = 10.0.0.1/24  # This is the virtual IP address, with the subnet mask we will use for the VPN
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = [SERVER PRIVATE KEY]

[Peer]
PublicKey = [CLIENT PUBLIC KEY]
AllowedIPs = 10.0.0.2/32  # This means the client has only one IP.
wg-quick expands %i in PostUp and PostDown to the interface name (wg0server, taken from the file name). The FORWARD and MASQUERADE rules only take effect once the kernel is allowed to forward IPv4 packets, so enable IPv4 forwarding:
sysctl -w net.ipv4.ip_forward=1
To keep this change permanently, add net.ipv4.ip_forward = 1 to /etc/sysctl.d/99-sysctl.conf.
Use wg-quick up wg0server to enable the interface, and wg-quick down wg0server to disable it.
Client (forward all traffic)
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24  # The client IP from wg0server.conf with the same subnet mask
PrivateKey = [CLIENT PRIVATE KEY]
DNS = 10.0.0.1

[Peer]
PublicKey = [SERVER PUBLIC KEY]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [SERVER ENDPOINT]:51820
PersistentKeepalive = 25
Use wg-quick up wg0 to enable the interface, and wg-quick down wg0 to disable it. AllowedIPs = 0.0.0.0/0, ::/0 makes wg-quick route all of the client's IPv4 and IPv6 traffic through the tunnel (it adds the routes and a policy rule for you). DNS = 10.0.0.1 requires resolvconf (openresolv) on the client, since that is what wg-quick uses to install the resolver. PersistentKeepalive = 25 sends a keepalive every 25 seconds so that the NAT mapping on the client's side stays open and the server can keep reaching a client behind NAT.
To bring the interface up automatically at boot, enable the wg-quick unit for it:
systemctl enable wg-quick@wg0.service
If you use NetworkManager, it may be necessary to enable NetworkManager-wait-online.service:
systemctl enable NetworkManager-wait-online.service
Or, if you use systemd-networkd, enable systemd-networkd-wait-online.service:
systemctl enable systemd-networkd-wait-online.service
This makes the system wait until all network devices are ready before attempting the WireGuard connection.
Conclusion
WireGuard is a very easy-to-use secure VPN solution. It is suitable for many network topologies, including (but not limited to): connections between servers, backbone networking, personal VPN networks, and roaming VPN networks. For additional documentation, please visit the official website. Happy hacking!