WireGuard: Difference between revisions

From David's Wiki
Latest revision as of 20:37, 23 March 2021

Hot new VPN with many features

  • Handles handoff between connections (WiFi and Cellular)
  • Much faster connections
  • Smaller codebase

Server

How to set up a WireGuard VPN server on Ubuntu. These steps are based on the linuxize tutorial.

  • Install WireGuard.
    sudo apt install wireguard
    
  • Generate server private and public keys.
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
    
  • Write the config file /etc/wireguard/wg0.conf.
    [Interface]
    Address = 10.0.0.1/24
    SaveConfig = true
    ListenPort = 51820
    PrivateKey = SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    
    • Replace ens3 with the interface your default route uses; find it with: ip -o -4 route show to default | awk '{print $5}'
  • Fix permissions and start the interface.
    sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
    sudo wg-quick up wg0
    sudo wg show wg0
    
  • Open up and forward port 51820.
    sudo ufw allow 51820/udp comment wireguard
    # For DNS purposes if you use subspace
    sudo ufw allow from 10.99.97.0/24 to any port 53 comment dns
    
  • Enable WireGuard systemd service.
    sudo systemctl enable wg-quick@wg0
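As an added example (not from David's Wiki or the WireGuard project), the shell functions below render the wg0.conf shown in the steps above, plus the [Peer] stanza the steps leave out, and write the file with mode 0600 from the moment it is created rather than fixing permissions afterwards. It goes slightly beyond the page by validating key format and by refusing a client AllowedIPs wider than a /32, since on the server that field is both a route and a source-address filter. The helper names, the constructed placeholder keys and the fallback interface name are assumptions; real keys come from wg genkey and wg pubkey.

```shell
#!/bin/sh
# Added example, not from David's Wiki or the WireGuard project.
# Renders the tutorial's server wg0.conf plus a [Peer] stanza, checks key
# format and AllowedIPs, and writes the file as 0600 from creation.
# Keys and interface names used in the demo are constructed placeholders.

# A WireGuard key is 32 random bytes in base64: 43 characters plus one '=',
# and the 43rd character must be one whose low two bits are zero.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Interface the default route leaves through (the tutorial's ens3).
# Hypothetical helper; prints nothing when `ip` is unavailable.
default_iface() {
    ip -o -4 route show to default 2>/dev/null | awk '{print $5}' | head -n 1
}

# render_server_conf PRIVATE_KEY ADDRESS/CIDR LISTEN_PORT WAN_IFACE
render_server_conf() {
    is_wg_key "$1" || { echo "render_server_conf: bad private key" >&2; return 1; }
    cat <<EOF
[Interface]
Address = $2
ListenPort = $3
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $4 -j MASQUERADE
EOF
}

# render_peer PUBLIC_KEY ALLOWED_IP/32
# On the server, AllowedIPs is a route and a source filter (cryptokey routing):
# the peer may only send packets from the addresses listed here, so a client
# gets exactly its own /32, never the whole VPN subnet.
render_peer() {
    is_wg_key "$1" || { echo "render_peer: bad public key" >&2; return 1; }
    case "$2" in
        */32) ;;
        *) echo "render_peer: client AllowedIPs must be a single /32, got $2" >&2; return 1 ;;
    esac
    cat <<EOF

[Peer]
PublicKey = $1
AllowedIPs = $2
EOF
}

# write_conf_secure PATH   (config text on stdin)
# umask 077 in a subshell means the file never exists with wider permissions,
# unlike creating it first and running chmod 600 afterwards.
write_conf_secure() {
    ( umask 077 && cat > "$1" ) || return 1
    ls -l "$1" | grep -q '^-rw-------'
}

# Demo with constructed placeholder keys: 20 letters, 22 zeros, 'A', '='.
demo_conf() {
    server_key="$(printf 'SERVERKEYPLACEHOLDER%022dA=' 0)"
    client_pub="$(printf 'CLIENTKEYPLACEHOLDER%022dA=' 0)"
    iface="$(default_iface)"
    {
        render_server_conf "$server_key" 10.0.0.1/24 51820 "${iface:-ens3}"
        render_peer "$client_pub" 10.0.0.2/32
    }
}

out="$(mktemp)"
demo_conf | write_conf_secure "$out" && cat "$out"
rm -f "$out"
```

To use it for real, replace the placeholder keys with the output of wg genkey and wg pubkey, point write_conf_secure at /etc/wireguard/wg0.conf, and add one render_peer stanza per client. Because SaveConfig = true in the tutorial's config makes wg-quick rewrite the file on shutdown, edit peers with wg set while the interface is up or bring it down first.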
    
References

Front-ends

Managing connections manually is a large pain.

Subspace provides a front end you can use.

Below is my setup. I have subspace running on port 52395. Apache and certbot manage SSL/TLS and proxy to this local port.

# Persistent state (WireGuard keys, peer configs) lives in this directory.
mkdir -p /home/$USER/wireguard/data
# Host networking plus NET_ADMIN let subspace create and manage the WireGuard
# interface on the host. SUBSPACE_HTTP_ADDR binds the web UI to loopback only,
# so it is reachable solely through the Apache reverse proxy; TLS terminates
# there, which is why HTTP_INSECURE is true and LETSENCRYPT is off inside the container.
docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /home/$USER/wireguard/data:/data \
    --env SUBSPACE_HTTP_HOST=wireguard.davidl.me \
    --env SUBSPACE_NAMESERVER="1.1.1.1" \
    --env SUBSPACE_HTTP_ADDR="localhost:52395" \
    --env SUBSPACE_HTTP_INSECURE="true" \
    --env SUBSPACE_LETSENCRYPT="false" \
    subspacecommunity/subspace:latest

sudo docker start subspace
sudo docker logs subspace

To stop subspace:

sudo docker stop subspace
sudo docker rm subspace