My WireGuard® Setup


WireGuard is a modern, lightweight VPN protocol that was recently merged into the Linux kernel, which is a big reason I chose it.

It's relatively easy to set up compared to other VPN protocols, but the instructions on the website can be confusing to people who are still learning (I was in the same position), so I decided to write a guide that explains things for newbies.

As with all my other projects I am using my Raspberry Pi 4b during this tutorial. I used this model because it's the only Pi I own with gigabit Ethernet onboard.

Running a VPN Server from home allows you to safely access your home network from laptops, tablets, or smartphones while not connected to your home internet.



Step-by-step

To see how to install WireGuard for your devices, visit the install page.

The WireGuard network interface then needs to be added to your device. (This step only proves that the kernel module works: wg-quick, which we use at the end of this guide, creates and configures the interface itself from wg0.conf.)

$ sudo ip link add dev wg0 type wireguard

Next verify that the interface was added.

$ ip addr show wg0
31: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none

Next we need to create the wireguard configuration file for the wg0 interface.

$ sudo touch /etc/wireguard/wg0.conf

To edit this file choose your favorite text editor, I prefer Vim, but recommend Nano for those who are new to the command line. We'll come back to this later however.

We then need to assign an IP address to wg0

$ sudo ip addr add 10.0.0.1/24 dev wg0

This address is only internal to the WireGuard tunnel: it is the server's end of it, and clients get other addresses in the same range. The /24 gives the tunnel 254 host addresses; the server takes 10.0.0.1, so up to 253 clients can share this interface. (wg-quick assigns this address itself from the Address line of wg0.conf, so here the command mainly confirms that the interface works.)

To make sure all keys are stored in the proper directory, we need to switch to the root user and change to /etc/wireguard. If su asks for a root password you never set, which is the case on Raspberry Pi OS, use sudo -i instead.

$ su
# cd /etc/wireguard

Before we generate our cryptographic keys, set a restrictive umask. This does not change the permissions of /etc/wireguard itself; it makes every file we create from now on (the key files and, later, the client configs) readable and writable by root only, which is what private keys need. Then generate the server's private key. wg genkey prints the key to standard output, so redirect it into a file.

# umask 077
# wg genkey > wg0-privatekey

We can then derive our public key from our private key

# wg pubkey < wg0-privatekey > wg0-publickey

Now we need to start filling in the wg0.conf file.

Copy and paste the following template into your wg0.conf file. Anything in curly braces is a placeholder: replace {wg0-privatekey} with the contents of the wg0-privatekey file (the key itself, not the file name), and likewise for the other keys.

[Interface]
Address = 10.0.0.1/24, fdc9:281f:04d7:9ee9::1/64
DNS = 10.0.0.1
SaveConfig = true
PrivateKey = {wg0-privatekey}
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


[Peer]
PublicKey = {client-publickey}
PresharedKey =
AllowedIPs = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128

The PostUp and PostDown lines are iptables commands that wg-quick runs when the interface comes up and goes down (%i is replaced with the interface name, wg0; wg-quick accepts the option several times, so the IPv4 and IPv6 rules are split over two lines each for readability). The FORWARD rules let packets arriving from the tunnel be routed onward and let the replies come back, and the MASQUERADE rule rewrites the source address to the Pi's own so that LAN hosts and the internet know where to answer; together they are what let you reach your home LAN from afar. They only work if the kernel is allowed to forward packets at all, which it is not by default: set net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf and apply them with sysctl -p, or clients will reach the Pi but nothing behind it. Two other lines deserve a note. eth0 must be the name of the Pi's LAN interface (check with ip link), and SaveConfig = true makes wg-quick write the running configuration back into wg0.conf whenever the interface goes down, which overwrites any edits you made to the file while it was up. Finally, the DNS line in the server's own [Interface] is only right if the Pi runs a resolver (Pi-hole, for example) on 10.0.0.1: wg-quick will point the Pi's /etc/resolv.conf at that address (and needs resolvconf installed to do so), so if nothing answers there, delete the line from wg0.conf and point the clients' DNS line at a resolver they can reach through the tunnel, such as your router.

We can now create your client's keys. This time we are going to create the public key and private key at the same time.

# wg genkey | tee client-privatekey | wg pubkey > client-publickey

Feel free to change "client" in these file names to the name of the device you want to connect to the tunnel. In my case I chose phone-privatekey and phone-publickey

Now we need to create the first client's configuration file.

# touch client.conf

Copy and paste the client's template into client.conf

[Interface]
Address = 10.0.0.2/32, fdc9:281f:04d7:9ee9::2/128
DNS = 10.0.0.1
PrivateKey = {client-privatekey}


[Peer]
PublicKey = {wg0-publickey}
PresharedKey = 
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {your.home.ip.here}:51820

Be sure to replace anything in curly braces with the correct information relative to your setup. You can find your home network's public IP address by going here. Most home connections get a dynamic address from the ISP, so if yours changes, use a dynamic-DNS hostname for the Endpoint instead of the bare IP. :51820 is the UDP port on which to reach the Endpoint; it must match the ListenPort in wg0.conf, and 51820 is the conventional WireGuard port. AllowedIPs on the client decides which destinations are sent through the tunnel: 0.0.0.0/0, ::/0 sends everything, which is what the public-IP check at the end of this guide relies on. If you would rather send only home traffic through the tunnel and leave the rest on the phone's own connection (a split tunnel), list the tunnel subnet plus your LAN subnet instead, for example 10.0.0.0/24, 192.168.1.0/24 if your LAN happens to be 192.168.1.0/24. Note the asymmetry with the server side: there AllowedIPs = 10.0.0.2/32 says which source addresses this peer may use, and it must stay that narrow.

Next we will generate the PresharedKey. This is an optional symmetric key that WireGuard mixes into the handshake on top of the Curve25519 key exchange, so that recorded tunnel traffic stays protected even if that exchange is broken in the future (a quantum computer being the usual worry). It costs nothing, so use it.

# wg genpsk

Copy and paste this output onto the PresharedKey = line of both configuration files: it must be identical at the two ends of a tunnel, and each client should get its own. wg-quick refuses to start if a PresharedKey line is left empty, so fill it in (or delete the line) before bringing the interface up.


There are many ways to add your client configuration file to your client. I prefer scanning a QR code.

# qrencode -t ansiutf8 < client.conf

Open your WireGuard app on your phone, tap the + in the top right corner, and select Create from QR Code. Remember that the QR code and client.conf both contain the phone's private key. Once the phone has imported it, that key no longer needs to exist on the server: wg0.conf only needs the client's public key and the preshared key, so you can delete client-privatekey and client.conf from the Pi (or keep client.conf, root-only thanks to the umask, if you want to re-generate the QR code later).
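The client steps above (key pair, config file, preshared key, QR code) have to be repeated for every device, which is where mistakes creep in. The script below is an added example, not code from the original post: it does that whole procedure for one more client each time it is run. It picks the lowest unused 10.0.0.x address by reading the [Peer] blocks already in wg0.conf, generates the client key pair and preshared key under umask 077 exactly as above, writes <name>.conf, appends the matching [Peer] block to the server config, loads it into the running interface with wg syncconf, and prints the QR code. The paths, the ENDPOINT placeholder, the full-tunnel AllowedIPs, the 25-second keepalive and the hex last hextet for the IPv6 address are assumptions you can change; the helper functions run without root or wg, only add_peer needs them.

```shell
#!/bin/sh
# add-peer.sh: provision one more client for the wg0 server described in this guide.
# Added example, not part of the original post. Assumptions: the server config is
# /etc/wireguard/wg0.conf (override with WG_CONF), the server public key is in
# /etc/wireguard/wg0-publickey (SERVER_PUB), the tunnel uses the guide's 10.0.0.0/24 and
# fdc9:281f:04d7:9ee9::/64, and wg, wg-quick and qrencode are installed.
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
SERVER_PUB="${SERVER_PUB:-/etc/wireguard/wg0-publickey}"
ENDPOINT="${ENDPOINT:-your.home.ip.here:51820}"   # replace with your public IP or DDNS name
V4_PREFIX="10.0.0"
V6_PREFIX="fdc9:281f:04d7:9ee9::"

# A WireGuard private, public or preshared key is 32 bytes in base64: exactly 44
# characters ending in '='. Anything else (blank line, {placeholder}, truncated paste)
# makes wg-quick refuse the config.
is_wg_key() {
    printf '%s\n' "$1" | grep -qE '^[A-Za-z0-9+/]{43}=$'
}

# Lowest unused host number on the tunnel. .1 is the server, so start at 2. Only
# `AllowedIPs = 10.0.0.N/32` lines already in the server config count as taken.
next_host_id() {
    conf="$1"
    used=$(grep -oE "AllowedIPs *= *$V4_PREFIX\.[0-9]+/32" "$conf" 2>/dev/null \
           | sed -E 's#.*\.([0-9]+)/32$#\1#')
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$n"; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in $V4_PREFIX.0/24" >&2
    return 1
}

# Client-side config. 0.0.0.0/0, ::/0 sends all of the client's traffic through the
# tunnel; list 10.0.0.0/24 plus your LAN subnet instead for a split tunnel.
render_client_conf() {   # args: host_id client_privkey psk server_pubkey
    host6=$(printf '%x' "$1")   # last hextet in hex, so 10.0.0.10 pairs with ::a
    cat <<EOF
[Interface]
Address = $V4_PREFIX.$1/32, $V6_PREFIX$host6/128
DNS = $V4_PREFIX.1
PrivateKey = $2

[Peer]
PublicKey = $4
PresharedKey = $3
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ENDPOINT
PersistentKeepalive = 25
EOF
}

# [Peer] block appended to the server config; the comment line records the device name.
render_peer_block() {   # args: name client_pubkey psk host_id
    host6=$(printf '%x' "$4")
    cat <<EOF

# $1
[Peer]
PublicKey = $2
PresharedKey = $3
AllowedIPs = $V4_PREFIX.$4/32, $V6_PREFIX$host6/128
EOF
}

add_peer() {   # arg: device name, e.g. phone
    name="$1"
    iface=$(basename "$WG_CONF" .conf)
    host=$(next_host_id "$WG_CONF")
    server_pub=$(cat "$SERVER_PUB")
    is_wg_key "$server_pub" || { echo "$SERVER_PUB does not contain a WireGuard key" >&2; return 1; }
    umask 077                                    # new files readable by root only, as in the guide
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    render_client_conf "$host" "$priv" "$psk" "$server_pub" > "$name.conf"
    render_peer_block "$name" "$pub" "$psk" "$host" >> "$WG_CONF"
    # Load the new peer into the running interface without disturbing the others.
    # `wg-quick strip` removes the wg-quick-only lines (Address, DNS, PostUp, ...) that
    # `wg syncconf` does not understand. If wg0 is down, skip this and run wg-quick up.
    tmp=$(mktemp)
    wg-quick strip "$WG_CONF" > "$tmp"
    wg syncconf "$iface" "$tmp"
    rm -f "$tmp"
    qrencode -t ansiutf8 < "$name.conf"          # scan it with the phone app
    echo "$name is $V4_PREFIX.$host; delete $name.conf once the device has imported it"
}

if [ $# -eq 1 ]; then add_peer "$1"; fi
```

Run it as root from /etc/wireguard with the device name as the only argument, for example ./add-peer.sh tablet. Because the guide's wg0.conf has SaveConfig = true, the "# name" comment lines are dropped the next time wg-quick down rewrites the file, so keep your own note of which public key belongs to which device if that matters to you.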

Before we turn on our tunnel for the first time, you need to enable port forwarding on your router for UDP port 51820 to the Pi's LAN address. WireGuard uses UDP only, so forwarding TCP 51820 does nothing. There are too many varieties of router for me to cover each and every method to enable port forwarding, but there are plenty of resources online to use as reference for your specific router.

After enabling port forwarding, on your server, enter

$ sudo wg-quick up wg0

wg-quick creates wg0 from wg0.conf, assigns its addresses, loads the keys and peers and runs the PostUp rules, so the tunnel is now reachable from outside. If you added wg0 by hand earlier in this guide, delete it first (ip link delete dev wg0, as root), because wg-quick refuses to start when the interface already exists.
You can then verify the tunnel works on your phone by turning off WiFi and switching on the tunnel in the WireGuard app. If you go to this link and it shows the same address as your home IP from the previous step, the phone's traffic is leaving through your home connection and the tunnel is working properly. On the server, sudo wg show lists each peer with the time of its latest handshake and its byte counters; a peer that never shows a handshake is not reaching the Pi at all.

You can close the connection on your server with the command sudo wg-quick down wg0

Take the following steps if you have no internet connection through the tunnel:

  • Verify all keys correspond to the correct line in the configuration files: the server's private key and the client's public key in wg0.conf, the client's private key and the server's public key in client.conf, and the same PresharedKey in both. wg-quick will not start at all if a key line is blank or still holds a placeholder.

  • Check sudo wg show on the server. No latest handshake for the phone means its packets never arrive: re-check the UDP port forward, the Endpoint address and port, and the keys. A handshake with bytes received but nothing sent back means the Pi cannot forward: check that net.ipv4.ip_forward is 1 and that eth0 in the PostUp rules really is your LAN interface.

  • Verify that a DNS server is actually listening on the address you put on the DNS line, which in this tutorial is the tunnel IP 10.0.0.1. If nothing answers there, the tunnel is up but no name resolves; point DNS at a resolver the phone can reach through the tunnel, such as your router.
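The checks above can be run in order by a small script. The one below is an added example, not from the original post, and assumes the guide's names (interface wg0, config /etc/wireguard/wg0.conf, ListenPort 51820; override CONF and IFACE for other setups). check_keys catches blank or placeholder key lines before wg-quick does, forwarding_enabled reads the ip_forward sysctl, and handshake_report parses the tab-separated output of wg show wg0 dump (columns as documented in wg(8)) to say whether each client has ever completed a handshake. The 180-second threshold is WireGuard's session lifetime, so an older handshake on an idle phone is normal, not a fault. The sample dump embedded in the script is constructed for the demo.

```shell
#!/bin/sh
# wg-doctor.sh: the checks to run when the tunnel comes up but nothing works.
# Added example, not part of the original post. Assumes the guide's layout
# (interface wg0, config /etc/wireguard/wg0.conf, UDP 51820); override CONF and IFACE.
set -eu

CONF="${CONF:-/etc/wireguard/wg0.conf}"
IFACE="${IFACE:-wg0}"

# 1. Every PrivateKey/PublicKey/PresharedKey line must hold a real key: 32 bytes in
#    base64, i.e. exactly 44 characters ending in '='. A blank `PresharedKey =` or a
#    leftover {placeholder} is the usual reason wg-quick up refuses the config.
check_keys() {   # arg: config path; bad lines go to stderr, their count to stdout
    bad=0
    while IFS= read -r line; do
        case "$line" in
            PrivateKey*|PublicKey*|PresharedKey*)
                key=$(printf '%s' "$line" | sed -E 's/^[A-Za-z]+ *= *//; s/ *$//')
                if ! printf '%s\n' "$key" | grep -qE '^[A-Za-z0-9+/]{43}=$'; then
                    echo "bad key line: $line" >&2
                    bad=$((bad + 1))
                fi ;;
        esac
    done < "$1"
    echo "$bad"
}

# 2. Without kernel forwarding, clients reach the Pi itself but nothing behind it,
#    whatever the PostUp rules say.
forwarding_enabled() {   # arg: optional file to read instead of the live sysctl
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 3. `wg show IFACE dump` prints the interface on line 1, then one tab-separated line per
#    peer: pubkey, psk, endpoint, allowed-ips, latest-handshake (epoch seconds, 0 = never),
#    rx bytes, tx bytes, keepalive. No handshake at all means the client's packets never
#    reached the Pi (UDP port-forward, Endpoint or mismatched keys). A handshake older than
#    180 s just means the session expired, which is normal for an idle phone.
handshake_report() {   # arg: current epoch seconds; dump on stdin; exit 1 if a peer never handshaked
    awk -F'\t' -v now="$1" '
        BEGIN { never = 0 }
        NR == 1 { next }
        {
            id = substr($1, 1, 8) "..."; hs = $5 + 0; age = now - hs
            if (hs == 0)        { printf "%s endpoint=%s NO HANDSHAKE YET\n", id, $3; never++ }
            else if (age > 180)   printf "%s endpoint=%s last handshake %ds ago (session expired)\n", id, $3, age
            else                  printf "%s endpoint=%s handshake %ds ago rx=%d tx=%d\n", id, $3, age, $6, $7
        }
        END { exit never > 0 }'
}

# Constructed sample of `wg show wg0 dump` output: the server line, a phone that
# handshaked 50 s before the timestamp used in --demo, and a laptop that never got through.
SAMPLE_DUMP=$(printf 'SERVERPRIVATEKEY\tSERVERPUBLICKEY\t51820\toff
PHONEPUBKEY\tPHONEPSK\t203.0.113.5:40000\t10.0.0.2/32\t1700000150\t1234\t5678\toff
LAPTOPPUBKEY\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n')

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_DUMP" | handshake_report 1700000200 ;;
    --run)
        n=$(check_keys "$CONF")
        [ "$n" -eq 0 ] && echo "keys in $CONF are well-formed" || echo "$n bad key line(s) in $CONF"
        forwarding_enabled && echo "net.ipv4.ip_forward=1" || echo "net.ipv4.ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"
        ss -lun | grep -q ':51820 ' && echo "udp/51820 is listening" || echo "nothing listening on udp/51820: is $IFACE up?"
        wg show "$IFACE" dump | handshake_report "$(date +%s)" ;;
esac
```

sudo ./wg-doctor.sh --run performs the live checks on the Pi; ./wg-doctor.sh --demo runs the handshake report over the constructed sample so you can see the output shape without root. A client that shows a handshake and received bytes but a transmit counter stuck at zero points at the forwarding or AllowedIPs side rather than at the keys or the port forward.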