WireGuard

From David's Wiki

Hot new VPN with many features

  • Handles handoff between connections (WiFi and Cellular)
  • Much faster connections
  • Smaller codebase

Server

How to set up a WireGuard VPN server on Ubuntu. This is based on the linuxize guide.

  • Install WireGuard.
    sudo apt install wireguard
    
  • Generate server private and public keys.
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
    
  • Write the config file /etc/wireguard/wg0.conf, replacing SERVER_PRIVATE_KEY with the contents of /etc/wireguard/privatekey generated above.
    [Interface]
    Address = 10.0.0.1/24
    SaveConfig = true
    ListenPort = 51820
    PrivateKey = SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    
    • Replace ens3 with the name of your outbound network interface. You can find it with: ip -o -4 route show to default | awk '{print $5}'
  • Fix permissions and start the interface.
    sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
    sudo wg-quick up wg0
    sudo wg show wg0
    
  • Open port 51820/udp in the firewall (and forward it on your router if the server is behind NAT).
    sudo ufw allow 51820/udp comment wireguard
    # For DNS purposes if you use subspace
    sudo ufw allow from 10.99.97.0/24 to any port 53 comment dns
    
  • Enable WireGuard systemd service.
    sudo systemctl enable wg-quick@wg0
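As an added example (not part of the original wiki page or the linuxize guide), the script below is a small POSIX shell helper that renders the wg0.conf shown above from parameters and checks the two things that most often go wrong with this setup: the SERVER_PRIVATE_KEY placeholder left in place, and a config file that is readable by other users. It assumes a Linux userland with iptables and the ip tool; the function names and the WG_DEMO variable are my own, and the key it generates for the demo only has the right shape (32 random bytes, base64) and is not a substitute for wg genkey.

```shell
#!/bin/sh
# Added example, not from the wiki page: render and sanity-check a WireGuard
# server config. Runs without root because the private key is passed in as an
# argument instead of being read from /etc/wireguard/privatekey.

# Name of the interface carrying the default route (the page's "ens3"). Falls
# back to ens3 when `ip` is unavailable, e.g. inside a minimal container.
detect_default_iface() {
  iface=$(ip -o -4 route show to default 2>/dev/null | awk '{print $5}' | head -n 1)
  if [ -n "$iface" ]; then printf '%s\n' "$iface"; else printf '%s\n' "ens3"; fi
}

# Print the [Interface] section from the page with the values filled in.
# Arguments: egress interface, private key, tunnel address/prefix, listen port.
render_wg0_conf() {
  iface=$1; key=$2; addr=$3; port=$4
  cat <<EOF
[Interface]
Address = $addr
SaveConfig = true
ListenPort = $port
PrivateKey = $key
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
EOF
}

# Return 0 only if PrivateKey is present, is not the placeholder, and is a
# 44-character base64 string (32 bytes encoded, the length wg genkey emits).
wg_conf_key_looks_valid() {
  key=$(sed -n 's/^PrivateKey = //p' "$1")
  case $key in
    SERVER_PRIVATE_KEY|"") return 1 ;;
  esac
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Return 0 only if the file is mode 0600 (owner read/write, nothing for others),
# which is what the `chmod 600` step on the page establishes.
wg_conf_is_private() {
  [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Stand-alone demo: WG_DEMO=1 sh this_script.sh prints a config for the
# detected interface with a constructed, format-only key.
if [ "${WG_DEMO:-}" = 1 ]; then
  demo_key=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  render_wg0_conf "$(detect_default_iface)" "$demo_key" 10.0.0.1/24 51820
fi
```

After writing the real config with the key from /etc/wireguard/privatekey, running wg_conf_key_looks_valid and wg_conf_is_private against /etc/wireguard/wg0.conf is a quick pre-flight before wg-quick up wg0.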
    
References

Front-ends

Managing connections manually is a large pain.

Subspace provides a front end you can use.

Below is my setup. I have subspace running on port 52395. Apache and certbot manage SSL/TLS and proxy to this local port.

mkdir -p /home/$USER/wireguard/data
docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /home/$USER/wireguard/data:/data \
    --env SUBSPACE_HTTP_HOST=wireguard.davidl.me \
    --env SUBSPACE_NAMESERVER="1.1.1.1" \
    --env SUBSPACE_HTTP_ADDR="localhost:52395" \
    --env SUBSPACE_HTTP_INSECURE="true" \
    --env SUBSPACE_LETSENCRYPT="false" \
    subspacecommunity/subspace:latest

sudo docker start subspace
sudo docker logs subspace

To stop subspace:

sudo docker stop subspace
sudo docker rm subspace