WireGuard: Difference between revisions
Created page with "Hot new VPN with many features * Handles handoff between connections (WiFi and Cellular) * Much faster connections * Smaller codebase ==Server== How to setup a WireGuard VPN..."
(10 intermediate revisions by the same user not shown)
==Server==
How to set up a WireGuard VPN server on Ubuntu. This is based on [https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-18-04/ linuxize].
<ul>
<li>Install WireGuard.
<pre>
sudo apt install wireguard
</pre>
</li>
<li>Generate the server's private and public keys. <code>tee</code> creates <code>privatekey</code> with the default umask, so it is world-readable until the permissions step below; do not skip that step.
<pre>
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
</pre>
</li>
<li>Write the config file <code>/etc/wireguard/wg0.conf</code>, replacing <code>SERVER_PRIVATE_KEY</code> with the contents of <code>/etc/wireguard/privatekey</code>.
<pre>
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
</pre>
* Replace <code>ens3</code> with your public-facing network interface, which <code>ip -o -4 route show to default | awk '{print $5}'</code> prints.
* The MASQUERADE rule only routes client traffic if IPv4 forwarding is enabled on the server (<code>net.ipv4.ip_forward = 1</code> in sysctl).
* <code>SaveConfig = true</code> makes <code>wg-quick down</code> write the running configuration, including peers added with <code>wg set</code>, back to this file. Edits made to the file while the interface is up are overwritten.
</li>
<li>Fix permissions and start the interface.
<pre>
sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
sudo wg-quick up wg0
sudo wg show wg0
</pre>
</li>
<li>Open port 51820/udp in the firewall (and forward it on your router if the server sits behind NAT).
<pre>
sudo ufw allow 51820/udp comment wireguard
# Only if you run Subspace: let its clients (10.99.97.0/24 by default) reach the server's resolver
sudo ufw allow from 10.99.97.0/24 to any port 53 comment dns
</pre>
</li>
<li>Enable the WireGuard systemd service so the interface comes up at boot.
<pre>
sudo systemctl enable wg-quick@wg0
</pre>
</li>
</ul>
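The steps above as one script, with the first client peer included. This is an added example, not the wiki page's or the linuxize guide's own script. It differs from the steps in two deliberate ways: private keys are written under <code>umask 077</code> so they are never world-readable, not even briefly, and the peer is rendered straight into <code>wg0.conf</code> instead of relying on <code>SaveConfig</code>. The directory, addresses, client name and the endpoint <code>vpn.example.org</code> are assumptions.

```bash
#!/usr/bin/env bash
# Added example: WireGuard server bring-up plus one client peer.
# Not the wiki page's script. Paths, addresses, the client name and the
# endpoint name are assumptions; change them for your host.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"   # assumption: the page's default directory

# Write stdin to a file that is created 0600. The umask change lives in a
# subshell, so it does not leak into the rest of the script.
write_secret() {
  ( umask 077; cat > "$1" )
}

# Generate a key pair with wg(8), store both halves, print "private public".
# The private key never touches a file created with the default umask.
gen_keypair() {
  local name="$1" priv pub
  priv="$(wg genkey)"
  pub="$(printf '%s\n' "$priv" | wg pubkey)"
  printf '%s\n' "$priv" | write_secret "$WG_DIR/$name.privatekey"
  printf '%s\n' "$pub" > "$WG_DIR/$name.publickey"
  printf '%s %s\n' "$priv" "$pub"
}

# Interface carrying the default route (the page's one-liner).
default_if() {
  ip -o -4 route show to default | awk '{print $5}'
}

# Server-side wg0.conf with one [Peer]. No SaveConfig: with it, `wg-quick down`
# writes the runtime state back over this file and discards manual edits.
render_server_conf() {
  local priv="$1" addr="$2" port="$3" wan_if="$4" peer_pub="$5" peer_ip="$6"
  cat <<EOF
[Interface]
Address = $addr
ListenPort = $port
PrivateKey = $priv
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE

[Peer]
PublicKey = $peer_pub
AllowedIPs = $peer_ip/32
EOF
}

# Client config: full tunnel (AllowedIPs 0.0.0.0/0) through the server.
render_client_conf() {
  local priv="$1" client_ip="$2" server_pub="$3" endpoint="$4"
  cat <<EOF
[Interface]
Address = $client_ip/32
PrivateKey = $priv
DNS = 1.1.1.1

[Peer]
PublicKey = $server_pub
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Succeeds only if the file is mode 0600 (GNU stat, falling back to BSD stat).
is_mode_600() {
  local mode
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
  [ "$mode" = "600" ]
}

# Number of [Peer] sections in a config read from stdin.
peer_count() {
  grep -c '^\[Peer\]' || true
}

main() {
  local srv cli
  mkdir -p "$WG_DIR"
  srv="$(gen_keypair server)"
  cli="$(gen_keypair client1)"
  # "${x%% *}" is the private half, "${x##* }" the public half.
  render_server_conf "${srv%% *}" 10.0.0.1/24 51820 "$(default_if)" "${cli##* }" 10.0.0.2 \
    | write_secret "$WG_DIR/wg0.conf"
  # assumption: vpn.example.org is the server's public DNS name
  render_client_conf "${cli%% *}" 10.0.0.2 "${srv##* }" vpn.example.org:51820 \
    | write_secret "$WG_DIR/client1.conf"
  sysctl -w net.ipv4.ip_forward=1
  wg-quick up wg0
  wg show wg0
}

# Only bring the interface up when run as `sudo ./wg-server.sh up`.
if [ "${1:-}" = "up" ]; then
  main
fi
```

Hand <code>client1.conf</code> to the client over a channel you trust (it contains the client's private key) and delete the server's copy once it is delivered; the server only needs the client's public key, which is already in <code>wg0.conf</code>.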
;References
* [https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/]
* [https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/ https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/]
* [https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/ https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/]
===Front-ends===
Managing peers by hand (generating a key pair, adding a <code>[Peer]</code> section and handing the client its config) quickly becomes tedious.
[https://github.com/subspacecommunity/subspace Subspace] provides a web front end for this.
Below is my setup. Subspace listens only on localhost port 52395; Apache with certbot terminates TLS and reverse-proxies to that port, which is why <code>SUBSPACE_HTTP_INSECURE</code> and <code>SUBSPACE_LETSENCRYPT=false</code> are set (Subspace never sees the TLS side). The container runs with <code>--network host</code> and <code>NET_ADMIN</code> so it can manage the WireGuard interface, so its admin account effectively controls the host's networking; protect it accordingly.
<pre>
mkdir -p /home/$USER/wireguard/data
sudo docker create \
  --name subspace \
  --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --volume /home/$USER/wireguard/data:/data \
  --env SUBSPACE_HTTP_HOST=wireguard.davidl.me \
  --env SUBSPACE_NAMESERVER="1.1.1.1" \
  --env SUBSPACE_HTTP_ADDR="localhost:52395" \
  --env SUBSPACE_HTTP_INSECURE="true" \
  --env SUBSPACE_LETSENCRYPT="false" \
  subspacecommunity/subspace:latest
sudo docker start subspace
sudo docker logs subspace
</pre>
To stop Subspace and remove its container (the data under <code>/home/$USER/wireguard/data</code>, including keys and peer configs, is kept):
<pre>
sudo docker stop subspace
sudo docker rm subspace
</pre>