Configuring WireGuard VPN Server
Add the Debian unstable repository to the apt package manager and lower the pin priority for unstable packages. Then update the package lists and install the wireguard package.
A problem may occur at this point: apt may report that an OpenPGP public key is missing:
Don't panic and just import it with the command:
And as we can see, the error is gone:
If the kernel module is missing, install it:
Once everything is ready, we check that the module is loaded:
We create public and private keys for the server and for the client.
As a result, we will have four files:
Enable IP forwarding in sysctl.conf:
Create the directory /etc/wireguard, and in it the configuration file /etc/wireguard/wg0.conf with the following content:
Of course, instead of SERVER_PRIVATE_KEY and CLIENT_PUBLIC_KEY, we enter the keys from the files created earlier. Comments on the config:
Address - the address of the virtual interface wg0 on the server.
PostUp and PostDown are commands that will be executed when the interface is turned on and off.
ListenPort - the port on which the VPN will work.
AllowedIPs - virtual IP of clients that will connect to our server.
We save the changes, make the file available only to root, turn on and start the service:
Setting up a WireGuard client
Add the WireGuard repository to your source list. Apt will then automatically update the package cache.
Install WireGuard. The package will pull in all the necessary dependencies.
Go to the /etc/wireguard directory, and in it create the /etc/wireguard/wg0-client.conf configuration file with the following content:
In this case, instead of CLIENT_PRIVATE_KEY and SERVER_PUBLIC_KEY, we again substitute the keys generated earlier, and instead of SERVER_REAL_IP we specify the IP address of our server on which the VPN is installed.
Save the file and try to connect with the wg-quick up wg0-client command:
We check the connection, and if everything is done correctly, then all our traffic will now go through the VPN server.
To disconnect from the VPN, simply execute the wg-quick down wg0-client command:
If necessary, we can manage the service through systemd:
Bash:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard
Don't panic and just import it with the command:
Code:
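# Import every key that apt reports as NO_PUBKEY (bash syntax). pool.sks-keyservers.net has since been retired, so substitute a keyserver that is still reachable.
sudo apt update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' | while read key; do if ! [[ ${keys[*]} =~ "$key" ]]; then sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys "$key"; keys+=("$key"); fi; done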
If the kernel module is missing, install it:
Bash:
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)
Bash:
modprobe wireguard && lsmod | grep wireguard
wireguard 225280 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguard
Bash:
mkdir ~/wireguard
cd ~/wireguard
umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
Bash:
cat server_private_key
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
cat server_public_key
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
cat client_private_key
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
cat client_public_key
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
Bash:
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Bash:
nano /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32
We save the changes, make the file available only to root, turn on and start the service:
Bash:
chmod 600 /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl restart wg-quick@wg0.service
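Two of the steps above are easy to get wrong: leaving a placeholder where a key belongs, and leaving the config readable by other users. The check below is an added example, not part of the original tutorial; `audit_wg_conf` and `is_wg_key` are hypothetical helper names, the sample config and key are constructed, and GNU `stat` (Debian/Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit a wg-quick config before enabling the service.
# audit_wg_conf and is_wg_key are hypothetical names, not wireguard-tools commands.
# Assumes GNU stat (Debian/Ubuntu, as in this tutorial).

# A WireGuard key is 32 bytes: 43 base64 characters plus one '=' pad.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Prints one line per finding; the return status is the number of findings.
audit_wg_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # The file holds the private key: group and other must have no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00) ;;
        *) echo "mode $mode: run chmod 600 $conf"; findings=$((findings + 1)) ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        case $line in *=*) ;; *) continue ;; esac # skip [Section] and blank lines
        name=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        case $name in
            PrivateKey|PublicKey)
                if ! is_wg_key "$value"; then
                    # Never print the value: it may be a real private key.
                    echo "$name is not a valid key (placeholder left in?)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$conf"
    return "$findings"
}

# Constructed sample: the tutorial's server config with one placeholder left in.
sample=$(mktemp)
key=$(printf '%043d' 0 | tr 0 A)=      # constructed key: 43 x "A" plus pad
printf '%s\n' '[Interface]' 'Address = 10.8.0.1/24' 'ListenPort = 51820' \
    'PrivateKey = SERVER_PRIVATE_KEY' '[Peer]' "PublicKey = $key" \
    'AllowedIPs = 10.8.0.2/32' > "$sample"
chmod 644 "$sample"
audit_wg_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against /etc/wireguard/wg0.conf on the server and /etc/wireguard/wg0-client.conf on the client; a return status of 0 means both checks passed.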
Add the Wireguard repository to your source list. Then Apt will automatically update the package cache.
Bash:
sudo add-apt-repository ppa:wireguard/wireguard
Bash:
sudo apt install wireguard
Bash:
cd /etc/wireguard
nano wg0-client.conf
[Interface]
Address = 10.8.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 8.8.8.8
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_REAL_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
Save the file and try to connect with the wg-quick up wg0-client command:
Bash:
wg-quick up wg0-client
[#] ip link add wg0-client type wireguard
[#] wg setconf wg0-client /dev/fd/63
[#] ip address add 10.8.0.2/32 dev wg0-client
[#] ip link set mtu 1420 dev wg0-client
[#] ip link set wg0-client up
[#] mount `8.8.8.8' /etc/resolv.conf
[#] wg set wg0-client fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0-client table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
To disconnect from the VPN, simply execute the wg-quick down wg0-client command:
Bash:
wg-quick down wg0-client
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0-client
[#] umount /etc/resolv.conf
Bash:
systemctl restart wg-quick@wg0-client.service