wiki-js/home/server/wireguard.md

---
title: Wire Guard
description: Configuration for Wire Guard VPN to safely connect to the local network from the internet
published: true
date: 2025-01-05T00:15:00.505Z
tags: 
editor: markdown
dateCreated: 2025-01-02T21:40:36.626Z
---

# WireGuard

## Server Public Key

```
dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=
```

## Setup

### Installation

```bash
sudo pacman -S wireguard-tools
```

Inside `/etc/wireguard/` generate the private and public keys for the server:

```bash
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
```

### Setup Client

Each client should be allocated a new IP address of the form 10.0.0.X. The peer's public key also needs to be added to the config file on the server. Create a config file, on Linux `/etc/wireguard/wg0.conf`, with the following structure:

```ini
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.X/24

[Peer]
PublicKey = dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=
Endpoint = <server-public-ip>:41194
AllowedIPs = 0.0.0.0/0
```

Start the WireGuard client with

```bash
sudo wg-quick up wg0
```

Terminate the WireGuard client with

```bash
sudo wg-quick down wg0
```

On Linux the WireGuard client can be brought up with this useful alias in the user's `.bashrc` file:

```bash
alias vpn='sudo wg-quick up wg0 && sudo ip route add 192.168.1.101 via 10.0.0.1 dev wg0'
```

### Setup Server

1. Create a configuration file `/etc/wireguard/wg0.conf` with the following contents. The config file needs to be updated with a new peer whenever a new client is configured.

   ```ini
   [Interface]
   ## IP address for VPN ##
   Address = 10.0.0.1/24

   ## VPN server port ##
   ListenPort = 41194

   ## VPN server's private key, i.e. the contents of /etc/wireguard/privatekey ##
   PrivateKey = <PRIVATE KEY>

   # Firewall settings
   PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
   PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE

   [Peer]
   # Public key for Lukas Laptop
   PublicKey = ONNwgEwchCb1c2vrBOjIfYP4HuMjpC7AyJkRkEfr8lU=
   AllowedIPs = 10.0.0.2/32

   [Peer]
   # Public key for Lukas Mobile
   PublicKey = MEZN0+oKD3cv1uOgpvO4fHarUQKKCAGSx4o/podONh4=
   AllowedIPs = 10.0.0.3/32
   ```

2. Enable IP forwarding for IPv4 and IPv6 by editing the `/etc/sysctl.d/10-wireguard.conf` file:

   ```bash
   echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
   echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
   ```

3. Then reload the changes:

   ```bash
   sudo sysctl -p /etc/sysctl.d/10-wireguard.conf
   ```

4. Enable and start the interface as a systemd service:

   ```bash
   sudo systemctl enable wg-quick@wg0
   sudo systemctl start wg-quick@wg0
   ```

5. Adding a new peer: the config file needs to be updated with a new `[Peer]` block holding the peer's public key and its `AllowedIPs` address, as in the examples above. Then the WireGuard server needs to be restarted:

   ```bash
   sudo wg-quick down wg0
   sudo wg-quick up wg0
   ```
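The client setup and the adding-a-new-peer step above are easy to get slightly wrong by hand (a reused address, a peer given the whole subnet instead of a `/32`, a truncated key). The following Python script is an added example and is not code from this wiki or from the WireGuard project. It assumes the config layout shown on this page (one `/24` on the server interface, one `/32` per peer, `wg-quick` INI syntax), reuses the page's example peer keys as its constructed sample, and uses an all-zero placeholder in place of a real client public key; the actual key pair is still generated with `wg genkey` as described above.

```python
"""Check a WireGuard server wg0.conf and prepare the stanzas for a new client.

Added example for this page, not code from the wiki: parses the wg-quick INI used above,
checks each [Peer] is pinned to one /32 in the VPN subnet with unique keys and addresses,
then allocates the next free 10.0.0.X and renders the server [Peer] block and client config.
"""
import base64
import ipaddress

# Constructed sample mirroring this page's server config (its example peer keys, placeholder private key).
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 41194
PrivateKey = <PRIVATE KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE

[Peer]
# Public key for Lukas Laptop
PublicKey = ONNwgEwchCb1c2vrBOjIfYP4HuMjpC7AyJkRkEfr8lU=
AllowedIPs = 10.0.0.2/32

[Peer]
# Public key for Lukas Mobile
PublicKey = MEZN0+oKD3cv1uOgpvO4fHarUQKKCAGSx4o/podONh4=
AllowedIPs = 10.0.0.3/32
"""
# Constructed stand-in for a client's public key (all-zero bytes); real ones come from `wg genkey`.
PLACEHOLDER_CLIENT_PUBKEY = base64.b64encode(bytes(32)).decode()

def parse_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...]); '#' starts a comment."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name not in ("interface", "peer"):
                raise ValueError(f"unknown section [{name}]")
            section = interface if name == "interface" else {}
            if name == "peer":
                peers.append(section)
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        section[key.strip()] = value.strip()
    return interface, peers

def is_wg_key(value):
    """WireGuard keys are 32 random bytes, base64-encoded to exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def allowed_networks(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]

def validate_server(interface, peers):
    """Return human-readable findings; an empty list means the peers are consistent."""
    findings, seen_keys, seen_nets = [], set(), set()
    vpn_net = ipaddress.ip_interface(interface["Address"]).network
    for idx, peer in enumerate(peers, 1):
        key = peer.get("PublicKey", "")
        if not is_wg_key(key) or key in seen_keys:
            findings.append(f"peer {idx}: PublicKey invalid or already used by another peer")
        seen_keys.add(key)
        for net in allowed_networks(peer):
            # Server-side AllowedIPs is an ACL on the client's source address: keep it to one /32.
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {idx}: AllowedIPs {net} is not a single host (/32)")
            elif not net.subnet_of(vpn_net):
                findings.append(f"peer {idx}: AllowedIPs {net} is outside VPN subnet {vpn_net}")
            elif net in seen_nets:
                findings.append(f"peer {idx}: AllowedIPs {net} already assigned to another peer")
            seen_nets.add(net)
    return findings

def next_free_address(interface, peers):
    """Lowest host address in the VPN subnet not used by the server or any peer."""
    server = ipaddress.ip_interface(interface["Address"])
    used = {server.ip} | {n.network_address for p in peers for n in allowed_networks(p)}
    for host in server.network.hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free address left in {server.network}")

def render_new_client(interface, peers, name, client_pubkey, server_pubkey, server_host):
    """Return (server [Peer] stanza, client wg0.conf) following the templates on this page."""
    addr = next_free_address(interface, peers)
    prefixlen = ipaddress.ip_interface(interface["Address"]).network.prefixlen
    stanza = f"[Peer]\n# Public key for {name}\nPublicKey = {client_pubkey}\nAllowedIPs = {addr}/32\n"
    client = (f"[Interface]\nPrivateKey = <client-private-key>\nAddress = {addr}/{prefixlen}\n\n[Peer]\n"
              f"PublicKey = {server_pubkey}\nEndpoint = {server_host}:{interface['ListenPort']}\nAllowedIPs = 0.0.0.0/0\n")
    return stanza, client
```

Run `validate_server` over the contents of the live `/etc/wireguard/wg0.conf` before each restart; an empty result means every peer is pinned to a unique single address inside the VPN subnet. `render_new_client` hands back the `[Peer]` block to append to the server file and the matching client `wg0.conf`, with the next free address already filled in and only the client's own private key left to paste from `wg genkey`.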

### Setup Router

The router was set up with the following port forwarding settings:

- Service Name: WireGuard
- WAN Interface: default
- Server IP Address: 192.168.1.101
- Protocol: UDP (WireGuard uses UDP)
- External Port Start/End: 41194
- Internal Port Start/End: 41194