Really quick and dirty guide to get wireguard up and running between two machines.
Wireguard (wireguard.io) is an amazing new VPN solution that is simple, secure and performant.
The goal is to have a roadwarrior setup, where we can connect from a moving laptop to a central server. All the traffic from the laptop will be routed through the wireguard tunnel and NATed on the central server; this way the client will be able to access its infrastructure remotely and also the Internet.
Install wireguard according to the upstream documentation: https://www.wireguard.io/install/
On the server, add a new wireguard device, add an IP address to it and bring it up:
$ sudo ip link add dev wg0 type wireguard
$ sudo ip address add dev wg0 192.168.100.1/24
$ sudo ip link set wg0 up
On the server and on the client, generate your public and private keys:
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
On the server we will create the following file, /etc/wireguard/wg0.conf:
[Interface]
ListenPort = 51820
PrivateKey = private_key_previously_generated
[Peer]
PublicKey = public_key_of_the_client
AllowedIPs = 0.0.0.0/0
Then we will load the configuration:
$ sudo wg setconf wg0 /etc/wireguard/wg0.conf
We should now be able to see the running configuration:
$ sudo wg
interface: wg0
public key: server_public_key
private key: (hidden)
listening port: 51820
peer: peer_public_key
endpoint: public_ip:port
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 1 second ago
transfer: 24.96 KiB received, 32.00 KiB sent
The last thing to do on the server is to configure iptables to NAT the outgoing traffic out of one of its interfaces (the Internet-facing one, in my case), save the rule so it survives a reboot, and also enable routing.
$ sudo apt install iptables-persistent
$ sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
$ sudo netfilter-persistent save
$ sudo sysctl -w net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
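Once the server is up, the `wg` output above is what you check by eye; the script below is an added example (not from the original post) that does the same checks offline against a snapshot of `wg show wg0 dump`: how long ago each peer last completed a handshake, whether IPv4 forwarding is on, and which peers carry AllowedIPs = 0.0.0.0/0. That last check is there because on the server AllowedIPs also decides which source addresses are accepted from a peer; a single /32 per client (192.168.100.3/32 for the client in this post) is the tighter setting, while the wide one used above is fine for a single-peer server but worth knowing about. All key names, endpoints and timestamps in the snapshot are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a snapshot of
# `wg show wg0 dump`, which prints one tab-separated line for the interface
# followed by one line per peer:
#   interface: private-key  public-key  listen-port  fwmark
#   peer:      public-key  preshared-key  endpoint  allowed-ips  latest-handshake
#              transfer-rx  transfer-tx  persistent-keepalive

# Constructed snapshot: the client peer handshaked at epoch 1700000000, a second
# peer never completed a handshake (latest-handshake = 0).
SAMPLE_DUMP="$(
    printf '%s\t%s\t%s\t%s\n' '(hidden)' 'SERVER_PUBKEY_PLACEHOLDER' '51820' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'CLIENT_PUBKEY_PLACEHOLDER' '(none)' \
        '203.0.113.10:41234' '0.0.0.0/0' '1700000000' '25559' '32768' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'STALE_PEER_PLACEHOLDER' '(none)' \
        '(none)' '192.168.100.4/32' '0' '0' '0' 'off'
)"

# Usage: handshake_age DUMP NOW PEER_PUBKEY
# Prints how many seconds ago PEER_PUBKEY last completed a handshake, or -1 if it
# never did (or is not a configured peer at all).
handshake_age() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v peer="$3" '
        NR > 1 && $1 == peer { found = 1; if ($5 == 0) print "-1"; else print (now - $5) }
        END { if (!found) print "-1" }'
}

# Usage: peer_alive DUMP NOW PEER_PUBKEY [MAX_AGE]
# Succeeds when the peer handshaked less than MAX_AGE seconds ago. WireGuard rekeys
# roughly every two minutes while traffic flows, so 180 s is a sane default bound.
peer_alive() {
    age="$(handshake_age "$1" "$2" "$3")"
    [ "$age" -ge 0 ] && [ "$age" -lt "${4:-180}" ]
}

# Usage: wide_allowed_ips DUMP
# Lists the public keys of peers whose allowed-ips contains 0.0.0.0/0.
wide_allowed_ips() {
    printf '%s\n' "$1" | awk -F '\t' 'NR > 1 && index($4, "0.0.0.0/0") { print $1 }'
}

# Usage: forwarding_enabled [PATH]
# Succeeds when the kernel forwards IPv4; PATH defaults to the live sysctl file
# and is a parameter only so the check can be exercised against a test file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Live run on the server (real interface instead of the constructed snapshot):
#   dump="$(sudo wg show wg0 dump)"; now="$(date +%s)"
#   peer_alive "$dump" "$now" "CLIENT_PUBKEY" && echo "client tunnel is up"
#   forwarding_enabled || echo "net.ipv4.ip_forward is off"
#   wide_allowed_ips "$dump"
```

The handshake age is the quickest tunnel health signal: a peer that shows a handshake older than a few minutes while the client is sending keepalives every 25 s is either unreachable or has a key mismatch.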
On the client, we will now set the configuration in /etc/wireguard/vpn0.conf:
[Interface]
Address = 192.168.100.3/24
PrivateKey = client_private_key
PostUp = ip route replace default dev vpn0
PostUp = ip route add remote_server_ip via 10.0.0.1
PostDown = ip route replace default via 10.0.0.1
PostDown = ip route del remote_server_ip via 10.0.0.1 # 10.0.0.1 is my gateway
[Peer]
PublicKey = server_public_key
AllowedIPs = 0.0.0.0/0 # Allow all IPs to be routed through the tunnel
Endpoint = remote_server_ip:51820
PersistentKeepalive = 25 # NAT and Firewall Traversal Persistence
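The client config above hard-codes 10.0.0.1 as the laptop's gateway, which is the one thing that changes every time a roadwarrior moves network. The script below is an added example, not the post's own code, that derives the PostUp/PostDown lines from `ip route show default` and assembles the same vpn0.conf; it keeps the post's names (vpn0, remote_server_ip, 192.168.100.3/24, port 51820) and adds the host route to the server before swapping the default route, so a path to the endpoint exists through the physical interface at every step. The route output, server address and key names it is run on are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate the client's vpn0.conf with
# the gateway read from the current default route instead of hard-coded.

# Constructed `ip route show default` output, as seen on a typical DHCP network.
SAMPLE_ROUTE='default via 10.0.0.1 dev wlan0 proto dhcp metric 600'

# Usage: default_gateway ROUTE_OUTPUT
# Prints the gateway of the first default route, nothing if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Usage: route_lines SERVER_IP GATEWAY [IFACE]
# Prints the PostUp/PostDown lines for a full-tunnel client. The host route to the
# server goes in first so the endpoint stays reachable via the physical interface
# while the default route is moved into the tunnel; teardown undoes it in reverse.
route_lines() {
    server="$1"; gw="$2"; iface="${3:-vpn0}"
    printf 'PostUp = ip route add %s via %s\n' "$server" "$gw"
    printf 'PostUp = ip route replace default dev %s\n' "$iface"
    printf 'PostDown = ip route replace default via %s\n' "$gw"
    printf 'PostDown = ip route del %s via %s\n' "$server" "$gw"
}

# Usage: client_config SERVER_IP SERVER_PUBKEY CLIENT_PRIVKEY ROUTE_OUTPUT [IFACE]
# Assembles the vpn0.conf from the post with the derived routes. Fails when no
# default route is visible, since the tunnel could not reach the server anyway.
client_config() {
    gw="$(default_gateway "$4")"
    [ -n "$gw" ] || { echo "no default route found" >&2; return 1; }
    printf '[Interface]\nAddress = 192.168.100.3/24\nPrivateKey = %s\n' "$3"
    route_lines "$1" "$gw" "${5:-vpn0}"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\n' "$2"
    printf 'Endpoint = %s:51820\nPersistentKeepalive = 25\n' "$1"
}

# Real use on the laptop (writes the file the post then loads with `wg-quick up vpn0`):
#   client_config remote_server_ip "$(cat server_publickey)" "$(cat privatekey)" \
#       "$(ip route show default)" | sudo tee /etc/wireguard/vpn0.conf > /dev/null
```

Regenerate the file before each `wg-quick up vpn0` on a new network; the PostDown lines restore whatever gateway was captured at that time.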
Finally, on the client, we can enable the tunnel:
$ sudo wg-quick up vpn0
and all the traffic should now be routed through the tunnel and NATed on the server. Let's see what a traceroute towards 8.8.8.8 looks like:
My traceroute [v0.87]
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.100.1 0.0% 7 12.0 11.0 10.2 12.0 0.6
2. public_ip_of_my_server 0.0% 6 12.2 11.1 10.5 12.2 0.4
3. a_hop 0.0% 6 11.1 11.6 10.5 15.4 1.8
4. another_hop 0.0% 6 22.3 16.0 10.8 25.9 6.4
5. hop_hop 0.0% 6 11.5 12.6 11.1 18.1 2.7
6. hip_hop 0.0% 6 12.5 24.9 11.5 89.3 31.6
7. google-public-dns-a.google.com 0.0% 6 11.6 12.0 11.2 13.7 0.6
I'll polish this blog post a bit over time. It's a bit rough for now… Comments are welcome by email.