Wireguard
It was some time ago that I set up Wireguard as my VPN server. I have configured my mobile to use it and it works flawlessly.
But every now and then I want to add a client, and I have to search for how to do it every time…
This time I decided to write down some notes to make it easier the next time…
Understanding client-server
When setting up a Wireguard client and server, the essential thing to understand, I found, is that the client and the server need to know each other's public keys:
- client encrypts using server’s public key and server decrypts using its private key
- server encrypts using client’s public key and client decrypts using its private key
Another thing to recognize is that a Wireguard client and server are really not that different (if at all); both configurations are very similar. The difference is mostly in the number of peers: a server is usually associated with multiple clients, whereas a client is associated with a single server (or a few at most).
Configuration
Three items are needed on each side to configure the VPN connection:
- private key
- public key
- wg0.conf
CLIENT:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.5/32
DNS = 10.0.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP>:51820
AllowedIPs = 0.0.0.0/0

SERVER:
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.5/32
A remark:
- In my situation, my domain name resolves to an IPv6 address, but that does not work. So I had to use my server's public IPv4 address instead.
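Since adding a client is the part I keep looking up, here is a small POSIX shell script, added as an example and not part of the original notes, that builds both halves of a new peer from the templates in the Configuration section. It assumes the 10.0.0.0/24 subnet from the templates with the server at 10.0.0.1, the server config in /etc/wireguard/wg0.conf, and the wg(8) tool on the server; the function names (next_address, render_client_conf, render_server_peer, add_client) are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): create a new Wireguard peer
# from the CLIENT/SERVER templates above.  Assumed: subnet 10.0.0.0/24 with
# the server at 10.0.0.1, server config at /etc/wireguard/wg0.conf, wg(8)
# installed.  Both paths can be overridden through the environment.
set -eu

SUBNET_PREFIX="${SUBNET_PREFIX:-10.0.0}"
SERVER_CONF="${SERVER_CONF:-/etc/wireguard/wg0.conf}"

# Next free host address: scan the AllowedIPs lines of the server config
# (every client owns exactly one /32), take the highest host octet in our
# subnet and add one.  Prints e.g. "10.0.0.6/32"; fails when the /24 is full.
next_address() {
    conf="$1"
    last=$(awk -v p="$SUBNET_PREFIX" '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, "")          # keep only "10.0.0.5/32"
            n = split($0, o, "[./]")
            if (n >= 5 && (o[1] "." o[2] "." o[3]) == p) print o[4]
        }' "$conf" | sort -n | tail -n 1)
    last="${last:-1}"       # empty config: server is .1, first client gets .2
    [ "$last" -lt 254 ] || { echo "subnet $SUBNET_PREFIX.0/24 is full" >&2; return 1; }
    echo "$SUBNET_PREFIX.$((last + 1))/32"
}

# Client half: [Interface] with the new key, [Peer] pointing at the server.
# Arguments: client private key, client address, server public key,
# server endpoint as host:port.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s.1\n\n' "$1" "$2" "$SUBNET_PREFIX"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' "$3" "$4"
}

# Server half: one [Peer] block to append to wg0.conf.
# Arguments: client public key, client address.
render_server_peer() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Glue (needs wg and root): generate a key pair, append the peer to the server
# config, load it into the running interface and write <name>.conf for the
# client.  umask 077 keeps both key files readable by root only.
add_client() {
    name="$1"; server_pub="$2"; endpoint="$3"
    addr=$(next_address "$SERVER_CONF")
    umask 077
    priv=$(wg genkey)
    pub=$(echo "$priv" | wg pubkey)
    render_server_peer "$pub" "$addr" >> "$SERVER_CONF"
    wg set wg0 peer "$pub" allowed-ips "$addr"      # live update, no restart needed
    render_client_conf "$priv" "$addr" "$server_pub" "$endpoint" > "$name.conf"
    echo "wrote $name.conf with address $addr"
}

# Usage on the server, e.g.:
#   add_client laptop "$(wg show wg0 public-key)" <SERVER_IP>:51820
```

The `wg set` line adds the peer to the running interface immediately, so no `wg-quick down`/`up` (and no dropped connections for the other clients) is needed; the appended [Peer] block makes the change survive the next restart. The generated client file contains the client's private key, so copy it to the client over a trusted channel and delete it from the server afterwards.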
Client installations
Windows
To install on Windows, I found this tutorial and downloaded the Windows client from the Wireguard site.
Linux
For installation on Linux, I combined the Windows tutorial with this page with instructions.
On Linux all can be done from the command-line. All commands below are executed as root (sudo -i):
apt install wireguard
Create the private and public keys:
wg genkey | tee client.key | wg pubkey | tee client.key.pub
Create the client configuration (see the Configuration section above):
nano /etc/wireguard/wg0.conf
Wireguard needs to access resolvconf, but my distribution uses resolvectl. Using a symbolic link solves this issue:
ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf
Start Wireguard using the configuration just created:
wg-quick up wg0
Check the status of the connection:
wg
Expect something like:
> sudo wg
interface: wg0
public key: <CLIENT_PUBLIC_KEY>
private key: (hidden)
listening port: 60774
fwmark: 0xca6c
peer: <SERVER_PUBLIC_KEY>
endpoint: <SERVER_IP>:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 43 seconds ago
transfer: 42.59 MiB received, 8.91 MiB sent
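The "latest handshake" line above is the quickest health indicator. As an added example (not part of the original notes), the following POSIX shell function reads the machine-readable form of that status, `wg show wg0 latest-handshakes` (one line per peer: public key, a tab, the unix time of the last handshake, 0 if there has never been one), and lists the peers whose last handshake is older than a threshold. The function names stale_peers and check_handshakes are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): flag Wireguard peers with an
# old or missing handshake.  Input format is that of
# `wg show <iface> latest-handshakes`: "<public key>\t<unix time>", 0 = never.
set -eu

# stale_peers MAX_AGE_SECONDS NOW  (handshake lines on stdin)
# Prints "<key> never" for peers that never completed a handshake and
# "<key> <age>s" for peers whose last handshake is older than MAX_AGE_SECONDS.
stale_peers() {
    awk -v max="$1" -v now="$2" -F'\t' '
        $2 == 0        { print $1 " never"; next }
        now - $2 > max { print $1 " " (now - $2) "s" }'
}

# check_handshakes [IFACE] [MAX_AGE_SECONDS]   (needs wg and root)
check_handshakes() {
    wg show "${1:-wg0}" latest-handshakes | stale_peers "${2:-180}" "$(date +%s)"
}

# Usage on either side of the tunnel, e.g.:
#   check_handshakes wg0 180
```

Wireguard only re-handshakes while traffic flows, so an idle peer also shows up in this list; treat the output as "peers to look at" rather than "peers that are broken". A peer that stays on "never" after the client says it is connected almost always means a wrong key or endpoint on one side.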
Disable the connection:
wg-quick down wg0
The server
To install the server I'm using the linuxserver/wireguard image with a docker-compose.yaml file:
version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
      - SERVERURL=<SERVER_URL>
      - SERVERPORT=51820
      - PEERS=4
      - PEERDNS=10.0.0.1
      - INTERNAL_SUBNET=10.0.0.0
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
December 22, 2021