wiki-js/home/server/wireguard.md

---
title: Wire Guard
description: Configuration for Wire Guard VPN to safely connect to the local network from the internet
published: true
date: 2025-01-05T00:15:00.505Z
tags:
editor: markdown
dateCreated: 2025-01-02T21:40:36.626Z
---
# Wire Guard
## Server Public Key
dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=
## Setup
### Installation
```
sudo pacman -S wireguard-tools
```
Inside /etc/wireguard/, generate the server's private and public keys (the umask keeps the private key readable only by its owner):
```
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
```
### Setup Client
Each client is allocated its own IP address of the form 10.0.0.X.
The client's public key also has to be added to the config file on the server.
On Linux, create the config file /etc/wireguard/wg0.conf with the following structure:
```
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.X/24
[Peer]
PublicKey = dcirpeTw5+nAJMsuqmtqIa92N4NFozMiPaIXoj/PbwM=
Endpoint = <server-public-ip>:41194
AllowedIPs = 0.0.0.0/0
```
Start the wireguard client with
```
sudo wg-quick up wg0
```
Terminate the wireguard client with
```
sudo wg-quick down wg0
```
On Linux, the WireGuard client can be brought up with this alias in the user's .bashrc file:
```
alias vpn='sudo wg-quick up wg0 && sudo ip route add 192.168.1.101 via 10.0.0.1 dev wg0'
```
### Setup Server
1. Create the configuration file /etc/wireguard/wg0.conf with the following contents.
The config file needs a new [Peer] section added each time a new client is configured.
```
[Interface]
## IP address for VPN ##
Address = 10.0.0.1/24
## VPN server port ##
ListenPort = 41194
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = <PRIVATE KEY>
# Firewall settings
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE
[Peer]
# Public key for Lukas Laptop
PublicKey = ONNwgEwchCb1c2vrBOjIfYP4HuMjpC7AyJkRkEfr8lU=
AllowedIPs = 10.0.0.2/32
[Peer]
# Public key for Lukas Mobile
PublicKey = MEZN0+oKD3cv1uOgpvO4fHarUQKKCAGSx4o/podONh4=
AllowedIPs = 10.0.0.3/32
```
2. Enable IP forwarding for IPv4 and IPv6 by adding the settings to /etc/sysctl.d/10-wireguard.conf
```
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/10-wireguard.conf
```
3. Then reload the changes
```
sudo sysctl -p /etc/sysctl.d/10-wireguard.conf
```
4. Enable and start as systemd service
```
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
5. Adding a new peer
To add a new peer, the config file needs to be updated with the peer's public key.
Then the WireGuard server needs to be restarted.
```
sudo wg-quick down wg0
sudo wg-quick up wg0
```
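Added example, not from the wiki page: a small bash helper for step 5 (and for the client address allocation in Setup Client) that picks the next free 10.0.0.X from the server config, rejects malformed public keys, renders the /32-pinned [Peer] block, and loads the edited config with `wg syncconf` so existing tunnels stay up instead of bouncing the interface. The sample config is constructed here, the demo key is made up, and `apply_live` is defined but not run in the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page: helpers for step 5 (adding a peer).
# They pick the next free 10.0.0.X from the server's wg0.conf, validate the
# client's public key, and render the [Peer] block to append.
set -euo pipefail

# Constructed sample of the server config in the page's layout (not the real file).
SAMPLE_CONF='[Interface]
Address = 10.0.0.1/24
ListenPort = 41194
PrivateKey = <PRIVATE KEY>
[Peer]
# Public key for Lukas Laptop
PublicKey = ONNwgEwchCb1c2vrBOjIfYP4HuMjpC7AyJkRkEfr8lU=
AllowedIPs = 10.0.0.2/32
[Peer]
# Public key for Lukas Mobile
PublicKey = MEZN0+oKD3cv1uOgpvO4fHarUQKKCAGSx4o/podONh4=
AllowedIPs = 10.0.0.3/32'

# next_free_ip CONF_TEXT: print the lowest unused 10.0.0.X (X in 2..254).
# The server's own Address and every peer's AllowedIPs count as taken.
next_free_ip() {
  local used x
  used=" $(printf '%s\n' "$1" | awk -F'[ =/]+' \
    '$1 ~ /^(Address|AllowedIPs)$/ && $2 ~ /^10\.0\.0\./ { split($2, o, "."); print o[4] }' \
    | tr '\n' ' ') "
  for x in $(seq 2 254); do
    case "$used" in *" $x "*) ;; *) printf '10.0.0.%s\n' "$x"; return 0 ;; esac
  done
  return 1
}

# valid_pubkey KEY: a WireGuard public key is 32 bytes of base64, i.e. 43 chars plus
# one '='. Rejecting anything else catches truncated or mangled keys before they land in wg0.conf.
valid_pubkey() { [[ $1 =~ ^[A-Za-z0-9+/]{43}=$ ]]; }

# peer_block NAME KEY IP: render the [Peer] section for the server config.
# AllowedIPs is pinned to /32 so the server accepts only that one source address from this key.
peer_block() {
  valid_pubkey "$2" || { echo "peer_block: malformed public key" >&2; return 1; }
  printf '[Peer]\n# Public key for %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# apply_live: load the edited wg0.conf without tearing down existing tunnels
# (needs root; replaces the down/up restart of step 5).
apply_live() { wg syncconf wg0 <(wg-quick strip wg0); }

# Demo on the constructed sample with a made-up, correctly formed key.
peer_block "Demo Tablet" "ExampleKeyNotRealExampleKeyNotRealExampleKe=" "$(next_free_ip "$SAMPLE_CONF")"
```

Append the printed block to /etc/wireguard/wg0.conf and then run `apply_live` as root; the new client's own config uses the address that `next_free_ip` chose.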
### Setup Router
The router was set up with the following port forwarding settings:
- **Service Name:** WireGuard
- **WAN Interface:** default
- **Server IP Address:** 192.168.1.101
- **Protocol:** UDP (WireGuard uses UDP)
- **External Port Start/End:** 41194
- **Internal Port Start/End:** 41194