Difference between revisions of "Wireguard VPN"
| Line 75: | Line 75: | ||
</pre> | </pre> | ||
| − | You can now start and stop the Wireguard VPN with the following commands: | + | You can now start and stop the Wireguard VPN, on the server and then the client, with the following commands: |
sudo wg-quick up wg0 | sudo wg-quick up wg0 | ||
Revision as of 07:45, 7 September 2020
In this lab we will investigate Wireguard VPN, which aims to be faster, simpler, leaner, and more useful than IPsec.
Install Wireguard
sudo apt install wireguard
and
sudo apt install resolvconf
If you get problems installing wireguard then you may have to add the repo manually but this should no longer be necessary. Only if required Add the Wireguard repository to your sources list
sudo add-apt-repository ppa:wireguard/wireguard
Now that you have installed wireguard, you can generate the public and private keys below. You should follow these steps for both machines.
sudo wg genkey > private.key sudo wg pubkey > public.key < private.key
If you still have your tap0 interface from a previous activity, make sure you take it down with a:
sudo ifconfig tap0 down
Server Configuration
Create a configuration file on the server:
sudo nano /etc/wireguard/wg0.conf
Adapt the following for your circumstances. The address is going to be private address space. You can modify the port, the number to whatever you like, just be aware that Wireguard will use UDP so ensure the appropriate firewall hole is open.
[Interface] Address = 192.168.99.1/24 ListenPort = 3500 PrivateKey = sJgz1S8eJS1[never_reveal_private_keys]8oAR/lDYz+LfWg= PreUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o [interface_facing_internet] -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o [interface_facing_internet] -j MASQUERADE [Peer] PublicKey = ZgfBeiyyTxR1LSaMA0OE8rfd8ReS3nA2wmE7g9Wc6wU= AllowedIPs = 192.168.99.2/32
You can work out the private key with, the command below. Note that you cannot and should not try to mimic the keys in a how to:
less private.key
Also make sure you enable packet forwarding. This is a sysctl setting which tells the server's kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:
sudo su root echo 1 > /proc/sys/net/ipv4/ip_forward exit
We need to make this permanent so the server still forwards traffic after rebooting. Uncomment the appropriate line in the file below then save and exit.
sudo nano /etc/sysctl.conf
Client Configuration
Create the same configuration file on the client:
sudo nano /etc/wireguard/wg0.conf
[Interface] PrivateKey = YHJ+pkvzSN[never_reaveal_private_keys]gwhQsfQEM= Address = 192.168.99.2/24 DNS = 8.8.8.8 [Peer] Endpoint = 10.64.0.1:3500 PublicKey = S25QuCVpLgIVzMXxMTHIVHjmLTaCRgfzyHGsnn7vZQM= AllowedIPs = 0.0.0.0/0
You can now start and stop the Wireguard VPN, on the server and then the client, with the following commands:
sudo wg-quick up wg0 sudo wg-quick down wg0
Make sure you test. Monitor using wireshark on your physical network adapter. You can also test your connection here to check for common DNS leaks https://www.dnsleaktest.com/
