Really quick and dirty guide to get wireguard up and running between two machines.
Wireguard (wireguard.io) is an amazing new VPN solution that is simple/secure/performant
Goal is to have a roadwarrior setup, were we can connect from a moving laptop to a central server. All the traffic from the laptop will be routed through the wireguard tunnel and NATed on the central server, this way the client will be able to access its infrastructure remotely and also the Internet.
Install wireguard according to the upstream documentation: https://www.wireguard.io/install/
On the server add a new wireguard device, add an IP address on it and bring it up
$ sudo ip link add dev wg0 type wireguard $ sudo ip address add dev wg0 192.168.100.1/24 $ sudo ip link set wg0 up
on the server and the client generate your public and private keys
$ umask 077 $ wg genkey | tee privatekey | wg pubkey > publickey
On the server we will create the following file: /etc/wireguard/wg0.conf:
[Interface] ListenPort = 51820 PrivateKey = private_key_previously_generated [Peer] PublicKey = public_key_of_the_client AllowedIPs = 0.0.0.0/0
then we will load the configuration:
$ sudo wg setconf wg0 /etc/wireguard/wg0.conf
we should now be able to get the configuration:
$ sudo wg interface: wg0 public key: server_public_key private key: (hidden) listening port: 51820 peer: peer_public_key endpoint: public_ip:port allowed ips: 0.0.0.0/0 latest handshake: 1 minute, 1 second ago transfer: 24.96 KiB received, 32.00 KiB sent
Last thing to do on the server is to configure iptables to NAT the outgoing traffic out of one of its interfaces (the one that is Internet facing in my case). And also activate routing.
$ sudo apt install iptables-persistent $ sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE $ sudo sysctl net.ipv4.ip_forward = 1 $ sudo echo "sysctl net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
On the client now we will set the configuration in
[Interface] Address = 192.168.100.3/24 PrivateKey = client_private_key PostUp = ip route replace default dev vpn0 PostUp = ip route add remote_server_ip via 10.0.0.1 PostDown = ip route replace default via 10.0.0.1 PostDown = ip route del remote_server_ip via 10.0.0.1 # 10.0.0.1 is my gateway [Peer] PublicKey = server_public_key AllowedIPs = 0.0.0.0/0 # Allow all IPs to be routed through the tunnel Endpoint = remote_server_ip:51820 PersistentKeepalive = 25 # NAT and Firewall Traversal Persistence
Finally on the client we can enable the tunnel:
$ sudo wg-quick up vpn0
and all the traffic should now be routed through the tunnel and NATed on the server lets see what a traceroute towards 126.96.36.199 looks like.
My traceroute [v0.87] Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. 192.168.100.1 0.0% 7 12.0 11.0 10.2 12.0 0.6 2. public_ip_of_my_server 0.0% 6 12.2 11.1 10.5 12.2 0.4 3. a_hop 0.0% 6 11.1 11.6 10.5 15.4 1.8 4. another_hop 0.0% 6 22.3 16.0 10.8 25.9 6.4 5. hop_hop 0.0% 6 11.5 12.6 11.1 18.1 2.7 6. hip_hop 0.0% 6 12.5 24.9 11.5 89.3 31.6 7. google-public-dns-a.google.com 0.0% 6 11.6 12.0 11.2 13.7 0.6
I’ll polish a bit this blog-post over-time. It’s a bit rough for now… Comments are welcome by email