
Wireguard

I run WireGuard as a VPN server so that my phone and iPad are safer when I'm running on sketchy wifi.

Server-side Setup

Install Wireguard for Ubuntu

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard

Setup Wireguard server on Debian

To act as a VPN server the machine has to forward IPv4 packets on behalf of its peers. Edit the file /etc/sysctl.d/99-sysctl.conf and uncomment this line:

net.ipv4.ip_forward = 1

Create the server's public and private keys.

wg genkey | tee privatekey | wg pubkey > publickey

Now create a config file defining the server's private key and IP address.

[Interface]
Address = 172.16.0.1
ListenPort = 51820
PrivateKey = <key from privatekey file>
#SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

Make sure that your firewall allows inbound UDP traffic on port 51820. How to do this is left as an exercise for the reader, since it differs depending on the firewall you use.

Now start the wg0 interface:

wg-quick up wg0
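The server-side steps above (uncommenting ip_forward, pasting the real private key, keeping PostUp and PostDown on the same uplink, protecting the file that holds the key) are easy to get slightly wrong, and wg-quick will still bring the interface up. The script below is an added example, not code from the original page or from the WireGuard project: it lints a wg0.conf and the sysctl drop-in against the settings described above. The function names, the DUMMY_KEY stand-in for `wg genkey` output and the sample files written to a temp directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint the server config before `wg-quick up wg0`.
# All names here (wg_server_lint, DUMMY_KEY, ...) are constructed for the demo.

# sysctl_forward_enabled FILE -> true if FILE has an uncommented net.ipv4.ip_forward = 1
sysctl_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# wg_conf_value FILE KEY -> prints the value of the first "KEY = value" line (key is case-insensitive)
wg_conf_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[A-Za-z]+[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# wg_key_ok KEY -> true if KEY is a base64-encoded 32-byte value (43 chars + '='),
# which rejects a "<key from privatekey file>" placeholder that was never replaced
wg_key_ok() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# wg_server_lint CONF SYSCTL_FILE -> prints one line per check, returns the number of failures
wg_server_lint() {
    conf=$1 sysctl_file=$2 fails=0
    sysctl_forward_enabled "$sysctl_file" \
        && echo "ok   ip_forward enabled in $sysctl_file" \
        || { echo "FAIL net.ipv4.ip_forward = 1 is missing or commented out in $sysctl_file"; fails=$((fails + 1)); }
    wg_key_ok "$(wg_conf_value "$conf" PrivateKey)" \
        && echo "ok   PrivateKey looks like a real key" \
        || { echo "FAIL PrivateKey is missing or still a placeholder"; fails=$((fails + 1)); }
    port=$(wg_conf_value "$conf" ListenPort)
    case $port in
        [0-9]*) echo "ok   ListenPort = $port (the firewall must allow UDP/$port in)" ;;
        *)      echo "FAIL ListenPort is not set"; fails=$((fails + 1)) ;;
    esac
    # PostUp and PostDown must name the same uplink, otherwise PostDown leaves the NAT rule behind
    up=$(wg_conf_value "$conf" PostUp | sed -n 's/.*-o \([^ ]*\) -j MASQUERADE.*/\1/p' | head -n 1)
    down=$(wg_conf_value "$conf" PostDown | sed -n 's/.*-o \([^ ]*\) -j MASQUERADE.*/\1/p' | head -n 1)
    if [ -n "$up" ] && [ "$up" = "$down" ]; then
        echo "ok   PostUp/PostDown masquerade on $up"
    else
        echo "FAIL PostUp masquerades on '${up:-none}' but PostDown removes '${down:-none}'"; fails=$((fails + 1))
    fi
    # The file contains the private key, so nobody but the owner should be able to read it
    case $(ls -l "$conf" | cut -c5-10) in
        ------) echo "ok   $conf is readable by the owner only" ;;
        *)      echo "FAIL $conf is readable by group/other: chmod 600 it"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Constructed sample files in a temp directory; DUMMY_KEY stands in for `wg genkey` output.
DEMO=$(mktemp -d)
DUMMY_KEY="$(printf '%043d' 0 | tr 0 A)="
GOOD_SYSCTL=$DEMO/99-sysctl.good.conf; BAD_SYSCTL=$DEMO/99-sysctl.bad.conf
GOOD_CONF=$DEMO/wg0.good.conf;          BAD_CONF=$DEMO/wg0.bad.conf
printf '#net.ipv4.ip_forward=1\nnet.ipv4.ip_forward = 1\n' > "$GOOD_SYSCTL"
printf '#net.ipv4.ip_forward=1\n' > "$BAD_SYSCTL"   # still commented out
( umask 077; cat > "$GOOD_CONF" <<EOF
[Interface]
Address = 172.16.0.1
ListenPort = 51820
PrivateKey = $DUMMY_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
EOF
)
cat > "$BAD_CONF" <<'EOF'
[Interface]
Address = 172.16.0.1
ListenPort = 51820
PrivateKey = <key from privatekey file>
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
chmod 644 "$BAD_CONF"

wg_server_lint "$GOOD_CONF" "$GOOD_SYSCTL"
wg_server_lint "$BAD_CONF" "$BAD_SYSCTL" || echo "-> $? problem(s); fix them before wg-quick up wg0"
```

On a real server you would call `wg_server_lint /etc/wireguard/wg0.conf /etc/sysctl.d/99-sysctl.conf`; the checks only read the two files, so they are safe to run at any time.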

Setup Wireguard peer on Debian

A peer is another device connected over WireGuard. Every device you plan to connect to your server via WireGuard needs its own [Peer] section in the server's WireGuard config file.

We'll use the example of setting up a mobile phone as a peer. First we'll need to generate a key pair for the phone.

wg genkey | tee phone.privatekey | wg pubkey > phone.publickey

Now add a [Peer] section to wg0.conf that describes the peer and assigns it an IP address.

[Interface]
Address = 172.16.0.1
ListenPort = 51820
PrivateKey = <key from privatekey>
#SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# Peer section for mobile phone
PublicKey = <key from phone.publickey>
AllowedIPs = 172.16.0.2/32

Now restart the wg0 interface:

wg-quick down wg0
wg-quick up wg0

Setup on Peer Devices

We've already created a public/private key pair on the server for the phone. We will now create the rest of the phone's configuration file on the server and transfer it to the phone via a QR code.

First create a config file for your phone. I'll call the config file phone.conf for this example. Use the private key you just generated, the public key for the server, and a unique address for the wg0 interface. Since the server (risor) uses address 172.16.0.1/32, I'm choosing to give the phone address 172.16.0.2/32.

[Interface]
# Setup for Jason's mobile phone
PrivateKey = <private key in phone.privatekey>
Address = 172.16.0.2/32

[Peer]
# Info about wireguard at risor.jtcol.com
PublicKey = <risor's public key in file publickey>
Endpoint = 198.50.179.81:51820
AllowedIPs = 0.0.0.0/0

Next use qrencode to display the file phone.conf as a QR code in your terminal.

qrencode -t ansiutf8 < phone.conf

Start the Android wireguard client, choose to add a tunnel, and “create from QR code”. Point your phone at the terminal to scan the QR code and your phone should be set up.
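Adding a peer means writing the same address and keys in two places: a [Peer] stanza on the server and an [Interface]/[Peer] file on the device. The script below is an added example, not code from the original page or from the WireGuard project, that produces both from one set of inputs. It takes the key pair as arguments instead of calling wg genkey, so it runs anywhere; it refuses an address that is already used in wg0.conf (the "unique address" requirement above), and it writes the device file with owner-only permissions because it holds the device's private key. The function names, the DUMMY_KEY stand-in, the 203.0.113.10 endpoint (an RFC 5737 documentation address) and the temp-directory files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: render a new peer's server-side stanza and device-side config.
# All names here (wg_add_peer, DUMMY_KEY, ...) are constructed for the demo.
# On the server the keys would come from:
#   wg genkey | tee phone.privatekey | wg pubkey > phone.publickey

# wg_is_key KEY -> true if KEY is a base64-encoded 32-byte value (43 chars + '='),
# which also catches a "<key from ...>" placeholder left in by mistake
wg_is_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# wg_addr_in_use CONF ADDRESS -> true if ADDRESS (with or without /prefix) already
# appears in any Address or AllowedIPs line of CONF
wg_addr_in_use() {
    awk -F= -v want="${2%%/*}" '
        { key = $1; gsub(/[ \t]/, "", key); key = tolower(key) }
        key == "address" || key == "allowedips" {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]; gsub(/[ \t]/, "", p); sub(/\/.*$/, "", p)
                if (p == want) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# wg_server_peer_stanza NAME PUBKEY ADDRESS -> the [Peer] block to append to wg0.conf
wg_server_peer_stanza() {
    printf '\n[Peer]\n# Peer section for %s\nPublicKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$2" "${3%%/*}"
}

# wg_client_conf NAME PRIVKEY ADDRESS SERVER_PUBKEY ENDPOINT -> the device-side config;
# AllowedIPs = 0.0.0.0/0 sends all of the device's traffic through the tunnel, as on the page
wg_client_conf() {
    printf '[Interface]\n# Setup for %s\nPrivateKey = %s\nAddress = %s/32\n\n' "$1" "$2" "${3%%/*}"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' "$4" "$5"
}

# wg_add_peer CONF NAME ADDRESS PRIVKEY PUBKEY SERVER_PUBKEY ENDPOINT OUTFILE
# Validates the keys, refuses an address that is already taken, appends the peer
# to CONF and writes OUTFILE (the file you feed to qrencode) readable by the owner only.
wg_add_peer() {
    conf=$1 name=$2 addr=$3 priv=$4 pub=$5 srvpub=$6 endpoint=$7 out=$8
    for k in "$priv" "$pub" "$srvpub"; do
        wg_is_key "$k" || { echo "wg_add_peer: '$k' is not a WireGuard key" >&2; return 1; }
    done
    if wg_addr_in_use "$conf" "$addr"; then
        echo "wg_add_peer: $addr is already assigned in $conf" >&2
        return 1
    fi
    wg_server_peer_stanza "$name" "$pub" "$addr" >> "$conf"
    ( umask 077; wg_client_conf "$name" "$priv" "$addr" "$srvpub" "$endpoint" > "$out" )
    echo "appended peer '$name' to $conf; show $out with: qrencode -t ansiutf8 < $out"
}

# Constructed demo: dummy keys, a documentation endpoint address, and a minimal
# server config in a temp directory. Nothing here refers to a real host.
DUMMY_KEY="$(printf '%043d' 0 | tr 0 A)="
DEMO_DIR=$(mktemp -d)
DEMO_CONF=$DEMO_DIR/wg0.conf
DEMO_OUT=$DEMO_DIR/phone.conf
printf '[Interface]\nAddress = 172.16.0.1\nListenPort = 51820\nPrivateKey = %s\n' "$DUMMY_KEY" > "$DEMO_CONF"
wg_add_peer "$DEMO_CONF" "mobile phone" 172.16.0.2 "$DUMMY_KEY" "$DUMMY_KEY" "$DUMMY_KEY" \
    203.0.113.10:51820 "$DEMO_OUT"
# A second device must not reuse 172.16.0.2; this call is refused and nothing is written.
wg_add_peer "$DEMO_CONF" "tablet" 172.16.0.2/32 "$DUMMY_KEY" "$DUMMY_KEY" "$DUMMY_KEY" \
    203.0.113.10:51820 "$DEMO_DIR/tablet.conf" || echo "refused, as intended"
```

After appending a peer the interface still has to be restarted (wg-quick down wg0 followed by wg-quick up wg0), exactly as in the server section above; the script only edits the files.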

Troubleshooting

I've had the experience on two different machines where I installed and configured wireguard and it simply didn't work. My phone could connect to it – both the phone and the wg command would indicate that they were connected – but nothing of the internet made it to the phone.

I think forwarding wasn't happening somehow between the eth0 and wg0 network interfaces. I couldn't see the masquerade rules that wg0.conf was supposed to add and remove when it starts and stops (wg-quick up and down).

I learned that I can see the masquerade rules by listing the NAT table:

iptables -t nat -S

The problem was eventually resolved by restarting each machine. I don't know what part of wireguard or iptables or some DKMS kernel module needed the reboot to start working, but it did.
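The symptom described above, a tunnel that is up on both ends but carries no internet traffic, comes down to two things the server must do: have ip_forward set to 1 and have the MASQUERADE rule from PostUp in the nat table (plus a FORWARD chain that accepts the wg0 traffic when its policy is DROP, as on Docker hosts). The script below is an added example, not from the original page or from the WireGuard project: each check takes its input as text, so it can be run against pasted output or, as shown in the comment at the end, against the live commands. The function names and the sample rule listings (a healthy machine and one where the rules never appeared) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check the conditions behind "connected but no traffic".
# All names here (wg_diagnose, HEALTHY_NAT, ...) are constructed for the demo.

# fwd_enabled VALUE -> true if VALUE (contents of /proc/sys/net/ipv4/ip_forward) is 1
fwd_enabled() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]; }

# nat_has_masquerade UPLINK RULES -> true if RULES (output of `iptables -t nat -S`)
# contains the POSTROUTING MASQUERADE rule that PostUp is supposed to add
nat_has_masquerade() {
    printf '%s\n' "$2" | grep -Eq "^-A POSTROUTING .*-o $1 .*-j MASQUERADE$"
}

# forward_accepts WG_IFACE RULES -> true if RULES (output of `iptables -S FORWARD`)
# lets packets from WG_IFACE through, either by an explicit rule or an ACCEPT policy
forward_accepts() {
    printf '%s\n' "$2" | grep -Eq "^-P FORWARD ACCEPT$|^-A FORWARD .*-i $1 .*-j ACCEPT$"
}

# wg_diagnose IP_FORWARD NAT_RULES FORWARD_RULES WG_IFACE UPLINK
# Prints one line per check and returns the number of failed checks.
wg_diagnose() {
    fails=0
    if fwd_enabled "$1"; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL ip_forward is not 1: fix /etc/sysctl.d and apply it with 'sysctl --system'"
        fails=$((fails + 1))
    fi
    if nat_has_masquerade "$5" "$2"; then
        echo "ok   MASQUERADE rule present for $5"
    else
        echo "FAIL no POSTROUTING MASQUERADE for $5: PostUp did not run, or names another interface"
        fails=$((fails + 1))
    fi
    if forward_accepts "$4" "$3"; then
        echo "ok   FORWARD chain accepts traffic from $4"
    else
        echo "FAIL FORWARD chain drops traffic from $4 and has no ACCEPT rule for it"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed listings: what the tables look like after a successful wg-quick up
# (HEALTHY_*) and on the broken machine, where the rules never showed up (BROKEN_*).
HEALTHY_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o ens3 -j MASQUERADE'
HEALTHY_FWD='-P FORWARD DROP
-A FORWARD -i wg0 -j ACCEPT'
BROKEN_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'
BROKEN_FWD='-P FORWARD ACCEPT'

wg_diagnose 1 "$HEALTHY_NAT" "$HEALTHY_FWD" wg0 ens3
wg_diagnose 0 "$BROKEN_NAT" "$BROKEN_FWD" wg0 ens3 || echo "-> $? problem(s) found"

# Against a live server (as root), with your own uplink interface in place of ens3:
#   wg_diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)" \
#       "$(iptables -S FORWARD)" wg0 ens3
```

Running this right after wg-quick up wg0 tells you whether the PostUp commands actually took effect, which is the thing the reboot in the story above silently fixed.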

setup_wireguard.txt · Last modified: 2019/09/20 07:35 by jason