Wireguard VPN

From csn
Latest revision as of 05:01, 29 June 2021

In this lab we will investigate Wireguard VPN, which aims to be faster, simpler, leaner, and more useful than IPsec.

Install Wireguard

sudo apt install wireguard 

and

sudo apt install resolvconf

Now that you have installed wireguard, you can generate the public and private keys below. You should follow these steps on both machines. Note that the redirect creates private.key with your normal umask, so run umask 077 first (or chmod 600 the file afterwards) so that the private key is not world-readable.

sudo wg genkey > private.key
sudo wg pubkey > public.key < private.key

If you still have your tap0 interface from a previous activity, make sure you take it down with:

sudo ifconfig tap0 down

In this example, we will work with two virtual machines. In the example you see below, both my Wireguard client and server sit in bridged mode in VirtualBox. The server sits on 192.168.1.38 and we will use the 10.0.0.0/24 network as our "private" address space.

Server Configuration

Create a configuration file on the server:

sudo nano /etc/wireguard/wg0.conf 

Adapt the following for your circumstances. The address is going to be in the private address space. You can change the port number to whatever you like; just be aware that Wireguard uses UDP, so ensure the firewall allows that UDP port through.

[Interface]
Address = 10.0.0.1/24
ListenPort = 3500
PrivateKey = sJgz1S8eJS1[never_reveal_private_keys]8oAR/lDYz+LfWg=
PreUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o [interface_facing_internet] -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o [interface_facing_internet] -j MASQUERADE

[Peer]
PublicKey = ZgfBeiyyTxR1LSaMA0OE8rfd8ReS3nA2wmE7g9Wc6wU=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

You can read your private key with the command below. Note that you cannot, and should not, copy the keys shown in a how-to:

less private.key

Also make sure you enable packet forwarding. This is a sysctl setting which tells the server's kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

If you are interested in why the command above looks a little special you can read here: https://askubuntu.com/questions/783017/bash-proc-sys-net-ipv4-ip-forward-permission-denied

We need to make this permanent so the server still forwards traffic after rebooting. Uncomment the net.ipv4.ip_forward=1 line in the file below, then save and exit.

sudo nano /etc/sysctl.conf

Client Configuration

Create a configuration file at the same path on the client:

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YHJ+pkvzSN[never_reaveal_private_keys]gwhQsfQEM=
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
Endpoint = 192.168.1.38:3500
PublicKey = S25QuCVpLgIVzMXxMTHIVHjmLTaCRgfzyHGsnn7vZQM=
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

You can now start and stop the Wireguard VPN, on the server and then the client, with the following commands:

sudo wg-quick up wg0
sudo wg-quick down wg0

You can test that you have successfully configured the wireguard VPN when you can ping 10.0.0.1 from your client machine.

Open Wireshark on your client or server. Have a careful look at the difference between monitoring your physical interface (eth0 or enp0s3) and monitoring your wg0 interface. What is the difference, and why?

Starting at boot

Often you may want Wireguard to start at boot. You can use the following to make this happen:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload

Start the new service immediately:

sudo systemctl start wg-quick@wg0

Reboot your computer system to verify the automatic connection on startup works as expected.

Check the service status:

systemctl status wg-quick@wg0 

Reboot and test on your server and client. Remember that if you are starting at boot then you probably want to ensure that you are only using IP addresses and not domain names in the Endpoint, because name resolution may not be available yet when the service starts.

To restart the service:

systemctl restart wg-quick@wg0
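As an added check (example code written for this page, not part of the wiki or the WireGuard project), a small Python validator for the wg0.conf layout used in this lab: it flags a server peer whose AllowedIPs is not a single /32, a client with no Endpoint or with a hostname instead of an IP (which breaks unattended start at boot), a server without a ListenPort, and keys that are placeholders rather than 32-byte base64 values. The embedded client config is constructed from the one above and its all-"A" private key is a dummy.

```python
import ipaddress
import re
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_KEY = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")  # 32-byte key: 43 base64 chars + '=' pad

def parse_wg_conf(text):
    """Parse the INI-style [Interface]/[Peer] layout used above into (interface, [peers])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)          # keys end in '=', so split on the first one only
            current[key.strip()] = value.strip()
        elif line:
            raise ValueError(f"unexpected line in wg0.conf: {raw!r}")
    return interface, peers

def check_wg_conf(text, role):
    """Return findings for a 'server' or 'client' wg0.conf; an empty list means it looks sane."""
    interface, peers = parse_wg_conf(text)
    findings = []
    if not _KEY.match(interface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey missing or not a 32-byte base64 key")
    if role == "server" and "ListenPort" not in interface:
        findings.append("server: ListenPort missing, so the client has no UDP port to reach")
    for n, peer in enumerate(peers, 1):
        if not _KEY.match(peer.get("PublicKey", "")):
            findings.append(f"peer {n}: PublicKey missing or malformed")
        allowed = [ipaddress.ip_network(a.strip(), strict=False)
                   for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if role == "server" and (not allowed or any(net.prefixlen != 32 for net in allowed)):
            findings.append(f"peer {n}: server should allow exactly one /32 per client (10.0.0.2/32 above)")
        endpoint = peer.get("Endpoint")
        if role == "client" and endpoint is None:
            findings.append(f"peer {n}: client needs Endpoint = <server_ip>:<port>")
        elif endpoint is not None and not _IPV4.match(endpoint.rpartition(":")[0]):
            findings.append(f"peer {n}: Endpoint host is not an IP address, which breaks unattended start at boot")
    return findings

# Constructed sample modelled on the client config above; the private key is a dummy, not a real one.
CLIENT_CONF = "\n".join([
    "[Interface]", "PrivateKey = " + "A" * 43 + "=", "Address = 10.0.0.2/24", "DNS = 8.8.8.8",
    "[Peer]", "Endpoint = 192.168.1.38:3500", "AllowedIPs = 0.0.0.0/0", "PersistentKeepalive = 25",
    "PublicKey = S25QuCVpLgIVzMXxMTHIVHjmLTaCRgfzyHGsnn7vZQM=",
])
if __name__ == "__main__":
    print(check_wg_conf(CLIENT_CONF, "client") or "client wg0.conf looks sane")
```

Run it against the real files with check_wg_conf(open("/etc/wireguard/wg0.conf").read(), "server") on the server and "client" on the client before running wg-quick up.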

Advanced

See if you can work out how to connect another client. Make sure that your two remote clients can ping each other.

Check out the following GitHub page to see if you can modify this to suit your circumstances:

https://gist.github.com/mattkasun/9a0e90d9d31b2c935d3f6d6e71dbece9