updated 7JUN19@1023

Installing WireGuard VPN on Debian Based Linux Servers with Ubuntu Based Linux Clients

WireGuard is a VPN implemented in the Linux kernel. It uses a fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305) rather than negotiated cipher suites, and is considerably faster than typical IPsec setups.

This Guide is Subject To Change at Any Point given improvements in the usability and configuration of WireGuard.

Steps to Install & Configure WireGuard

Install WireGuard on Server

Install WireGuard on Client

Generate Private/Public Key Sets

Write Server Conf

Write Client Conf

Set iptables and IPv4 forwarding, and install iptables-persistent

Open necessary firewalls ports

Stand up WireGuard on server

Stand up WireGuard on client

Install WireGuard on Server

Given a Debian install, run the following commands as root. (At the time of writing WireGuard is not in Debian stable, so it is pulled from unstable; if your release already ships a wireguard package, skip the first two commands.)

# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
# printf 'Package: *
Pin: release a=unstable
Pin-Priority: 90
' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard

The pin priority of 90 (below 100) means apt only installs a package from unstable when no other source provides it or when you request that version explicitly, so adding the repository does not pull the rest of the system towards unstable.

Verify the install by running wg --version (prints the wireguard-tools version) and sudo ls /etc/ . Your etc directory should include a wireguard/ directory.

Install WireGuard on Client

Given an Ubuntu-based distro, run the following commands.

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Verify the install by running wg --version and sudo ls /etc/ . Your etc directory should include a wireguard/ directory.

Generate Private/Public Keys

Run the following on the server and on each client separately. Every host gets its own key pair; only the PublicKey file is ever copied to the other side, the PrivateKey never leaves the host that generated it.

$ umask 077                           # so the key files are readable only by you
$ wg genkey > PrivateKey              # generates a private key and writes it to a file called PrivateKey
$ wg pubkey < PrivateKey > PublicKey  # derives the matching public key from PrivateKey and writes it to a file called PublicKey

Create a wg0.conf in /etc/wireguard/

Server

[Interface]
Address = 192.168.16.1/32          # Chosen tunnel IP/CIDR of the server
PrivateKey =                       # Server's PrivateKey
ListenPort = 51820                 # UDP port the server listens on

[Peer]
PublicKey =                        # Client's PublicKey
AllowedIPs = 192.168.16.2/32       # Client's tunnel IP/CIDR. On the server this is also the only source address accepted from this peer, so keep it to the client's own /32.

Client

[Interface]
Address = 192.168.16.2/32          # Client's tunnel IP. Must match the AllowedIPs entry for this client on the server.
PrivateKey =                       # Client's PrivateKey
ListenPort = 51820                 # Optional on the client and does not need to match the server; if omitted, a random port is used
DNS = 8.8.8.8                      # LAN or WAN DNS server. wg-quick needs resolvconf (or openresolv) installed to apply this line.

[Peer]
PublicKey =                        # Server's PublicKey
AllowedIPs = 0.0.0.0/0             # Send all IPv4 traffic through the tunnel. Use 192.168.16.0/24 instead for a split tunnel that only carries VPN-subnet traffic.
Endpoint = vpn.mcafeemediasolutions.com:51820   # Server's FQDN or public IP and its ListenPort
PersistentKeepalive = 25           # Keeps the NAT/firewall mapping open when the client is behind NAT
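The two configs above, generated from a script instead of by hand. This is an added example, not part of the original guide: it checks that each key is a well-formed 32-byte base64 WireGuard key before using it (a mistyped key usually parses fine and simply never handshakes), renders the server and client wg0.conf with the canonical key names, and writes the files with mode 0600. The keys at the bottom are constructed placeholders (base64 of 32 repeated bytes), not real WireGuard keys, and the files are written to a temporary directory rather than /etc/wireguard/.

```sh
#!/bin/sh
# Added example, not from the original guide: validate WireGuard keys, render the
# server and client wg0.conf shown above, and write them readable only by root/owner.
# Keys used below are constructed placeholders (base64 of 32 repeated bytes).

# A WireGuard key is 32 bytes encoded as base64: 44 characters ending in '='.
# Check length, padding and decoded size before writing it into a config.
valid_wg_key() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *=) ;;
        *)  return 1 ;;
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# render_server_conf SERVER_PRIV CLIENT_PUB SERVER_ADDR_CIDR CLIENT_ADDR LISTEN_PORT
# AllowedIPs is the client's own /32 only: on the server it is also the source
# address filter for packets arriving from that peer.
render_server_conf() {
    valid_wg_key "$1" && valid_wg_key "$2" || return 1
    printf '[Interface]\nAddress = %s\nPrivateKey = %s\nListenPort = %s\n\n' "$3" "$1" "$5"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$4"
}

# render_client_conf CLIENT_PRIV SERVER_PUB CLIENT_ADDR ENDPOINT_HOST:PORT
# AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the tunnel (full tunnel).
render_client_conf() {
    valid_wg_key "$1" && valid_wg_key "$2" || return 1
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\nDNS = 8.8.8.8\n\n' "$3" "$1"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\nPersistentKeepalive = 25\n' "$2" "$4"
}

# write_conf PATH RENDER_FUNCTION ARGS...
# umask runs in a subshell so the file is created 0600 without changing the
# caller's umask; an invalid key leaves no half-written file behind.
write_conf() {
    path="$1"; shift
    ( umask 077; "$@" > "$path" ) || { rm -f "$path"; return 1; }
}

# --- demo with constructed placeholder keys (base64 of 32 x 0x01 ... 32 x 0x04) ---
# In real use SERVER_PUB/CLIENT_PUB come from 'wg pubkey' on the matching private key.
SERVER_PRIV='AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE='
SERVER_PUB='AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI='
CLIENT_PRIV='AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM='
CLIENT_PUB='BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ='
TMP_DIR=$(mktemp -d)   # a real deployment writes /etc/wireguard/wg0.conf on each host
write_conf "$TMP_DIR/server.conf" render_server_conf "$SERVER_PRIV" "$CLIENT_PUB" 192.168.16.1/32 192.168.16.2 51820
write_conf "$TMP_DIR/client.conf" render_client_conf "$CLIENT_PRIV" "$SERVER_PUB" 192.168.16.2 vpn.mcafeemediasolutions.com:51820
ls -l "$TMP_DIR"
cat "$TMP_DIR/server.conf"
```

Copy only the public key across hosts: the script needs the server's private key and the client's public key to render the server config, and the reverse for the client config. Swap the placeholder strings for the contents of the PrivateKey and PublicKey files from the previous step.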

Set iptables and IPv4 Forwarding on Server

Run sudo cat /proc/sys/net/ipv4/ip_forward . If a 0 is returned, run sudo nano /etc/sysctl.conf and uncomment the line as in the example below.

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save using CTRL+O , ENTER , CTRL+X , then run sudo sysctl -p so the setting takes effect without a reboot.

Run sudo iptables -t nat -A POSTROUTING -o $DEVICENAME -j MASQUERADE where $DEVICENAME is the name of the interface through which you want the clients' traffic to leave. Note: this is likely eth0 . Find it with ip a s , which lists the installed interfaces and their addresses. If your FORWARD chain's policy is DROP, also run sudo iptables -A FORWARD -i wg0 -j ACCEPT so packets arriving from the tunnel are forwarded at all.

Install iptables-persistent using apt . During installation it offers to save the current rules; sudo netfilter-persistent save re-saves them after later changes. Alternatively, put the same iptables commands in PostUp = and PostDown = lines (with -A and -D respectively) in the [Interface] section of the server's wg0.conf so wg-quick adds and removes them together with the interface.

Forward Ports on WAN Routers/Firewall

This is setup specific. Use your router's standard procedure to forward UDP port 51820 (the ListenPort in the server's wg0.conf) to your server. Only UDP needs to be forwarded; WireGuard does not use TCP.

Stand Up WireGuard on Server

Run sudo wg-quick up wg0 . To bring the interface up at boot as well, run sudo systemctl enable wg-quick@wg0 .

Run ip a s or sudo wg show . Output should resemble the below; the endpoint, latest handshake and transfer lines only appear once a client has connected.

user@Server $ sudo wg show
interface: wg0
  public key: #Your PublicKey should appear here.
  private key: (hidden)
  listening port: 51820

peer: #The client's public key
  endpoint: #The client's WAN address and source port
  allowed ips: 192.168.16.2/32
  latest handshake: 1 minute, 7 seconds ago
  transfer: 15.33 GiB received, 574.08 MiB sent

Stand Up WireGuard on Client

Run sudo wg-quick up wg0 , then sudo wg show . Output should resemble the below. The fwmark line appears because AllowedIPs = 0.0.0.0/0 makes wg-quick set up policy routing so that the encrypted packets to the Endpoint themselves bypass the tunnel.

user@client $ sudo wg show
interface: wg0
  public key: #Your PublicKey should appear here.
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: #Server's public key
  endpoint: #Server's IP address and port
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 7 seconds ago
  transfer: 15.33 GiB received, 574.08 MiB sent
  persistent keepalive: every 25 seconds
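The handshake line is the useful signal in the output above: WireGuard only updates it on a completed handshake, so a peer that stays at "never" despite the client trying means the keys do not match or the UDP packets never arrive, and a handshake that stops refreshing means the client is gone or its path is now blocked. Here is an added example, not part of the original guide, that reads the machine-readable form of the same output (sudo wg show wg0 dump, tab-separated, as documented for wireguard-tools) and reports peers that have not handshaked within a chosen window. The dump below is constructed sample data with placeholder keys and a fixed "current time", not output captured from a real server.

```sh
#!/bin/sh
# Added example, not from the original guide: report WireGuard peers whose last
# handshake is stale or absent, from 'wg show wg0 dump' output on stdin.
#
# dump format (wireguard-tools): line 1 is the interface
#   private-key  public-key  listen-port  fwmark
# and every following line is one peer
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  persistent-keepalive
# latest-handshake is Unix seconds, 0 if the peer has never handshaked.

# stale_peers MAX_AGE_SECONDS NOW_EPOCH  < dump
# Prints "public-key endpoint age" for each peer whose last handshake is older
# than MAX_AGE_SECONDS, or "never" when there has been no handshake at all.
stale_peers() {
    awk -F '\t' -v max="$1" -v now="$2" '
        NR == 1 { next }          # interface line, not a peer
        NF < 8  { next }          # ignore anything that is not a full peer record
        {
            hs = $5 + 0
            if (hs == 0)             print $1, $3, "never"
            else if (now - hs > max) print $1, $3, now - hs
        }'
}

# --- constructed sample dump, as a server with three peers would report it ---
NOW=1559900000                      # fixed "current time" so the example is reproducible
SERVER_PRIV='AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE='   # placeholder; a real dump shows the real private key
SERVER_PUB='AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI='
PEER_FRESH='AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM='    # handshake 30 s ago: healthy
PEER_STALE='BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ='    # handshake 10 min ago: client gone or UDP now blocked
PEER_NEVER='BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU='    # never: key mismatch, or its packets never reach us
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' "$SERVER_PRIV" "$SERVER_PUB" 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$PEER_FRESH" '(none)' '203.0.113.10:41820' '192.168.16.2/32' $((NOW - 30))  16460000000 602000000 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$PEER_STALE" '(none)' '198.51.100.7:51820' '192.168.16.3/32' $((NOW - 600)) 12000 9000 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$PEER_NEVER" '(none)' '(none)' '192.168.16.4/32' 0 0 0 off
)

# Flag anything quieter than three minutes (a client with PersistentKeepalive = 25
# re-handshakes roughly every two minutes when it has traffic to send).
printf '%s\n' "$SAMPLE_DUMP" | stale_peers 180 "$NOW"
```

On a live server replace the sample with sudo wg show wg0 dump | stale_peers 180 "$(date +%s)" . Keep the dump output to yourself: its first column is the interface's private key.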

Verify connection from client

Using ssh, ping and/or netcat, attempt to contact the server over its tunnel address.

SSH Example:

ssh user@IP.Address.of.Server Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.

PING Example:

ping IP.Address.of.Server Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.

netcat Example:

On Server:

nc -l -p 5001

On Client:

echo "TEST" | nc IP.Address.of.Server 5001

Note: IP should be the one listed in wg0.conf, NOT the actual public WAN IP.

TEST should appear on Server cli.

Verify Traffic Leaves Through the Server

Google what is my ip? . With AllowedIPs = 0.0.0.0/0 on the client, the server's WAN address should appear. If the client's own WAN address appears, traffic is not going through the tunnel: re-check the client's AllowedIPs, ip_forward on the server and the MASQUERADE rule.

Additional verification steps