
WIREGUARD

Wireguard is the new VPN solution. Fast and lightweight.

Setup is done in two main parts:

  • Server
  • Peers

The docs below are for Red Hat and SuSE products; instructions for others can be found on the WireGuard website or in your distro's documentation. The instructions cover server setup, peer setup, and some final touches. It is advisable to read everything over first, then step through and get things working.

This documentation is indeed rough and will be cleaned up as I find better ways to word and organize things.

SERVER SETUP

INSTALL PACKAGES

If your distribution isn't listed below, feel free to hit up the WireGuard Installation Page for instructions. I will always list EL, Fedora, and OpenSuSE here, as these are the distros I both use and recommend to others.

  • RHEL 7 / CentOS 7

    sudo yum install epel-release elrepo-release
    sudo yum install yum-plugin-elrepo
    sudo yum install kmod-wireguard wireguard-tools
    
  • RHEL 8

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
    sudo yum install kmod-wireguard wireguard-tools
    
  • CentOS 8

    sudo yum install elrepo-release epel-release
    sudo yum install kmod-wireguard wireguard-tools
    
  • Fedora 31

    sudo dnf copr enable jdoss/wireguard
    sudo dnf install wireguard-dkms wireguard-tools
    
  • Fedora >=32

    sudo dnf install wireguard
    
  • OpenSUSE

    sudo zypper install wireguard-tools
    

GENERATE KEYS

    sudo mkdir -p /etc/wireguard
    cd /etc/wireguard
    umask 077
    # the redirections run under sudo via tee, so this also works when you are not root
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey >/dev/null

NAT SETUP

    # "sudo echo ... > file" redirects as the calling user and the first line was never written; tee fixes both
    echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/wg.conf
    echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.d/wg.conf
    sudo sysctl --system

FIREWALLD CONFIG

Here are the firewalld commands to open up the port (adjust if you decide to use a different ListenPort below) and to enable NAT traversal. If you do NOT want to enable NAT, do not execute the second command, which enables masquerading.

    sudo firewall-cmd --permanent --add-port=51820/udp --zone=public
    sudo firewall-cmd --permanent --zone=public --add-masquerade

THE /etc/wireguard/wg0.conf FILE

The wg0.conf is where most errors are made. Take note of the subnetting. The VPN network in the examples here is 10.0.0.0/24. In some places we use that subnet; in others it is a /32 that we need to use. If you need a subnet other than /24, modify only that. Getting this wrong will result in a broken setup. Following the example configs (peers and server) will yield a VPN that allows for safe internet browsing on the peers via the server. If you cannot use the internet or ping your DNS or server, you likely have a configuration issue below, provided that you issued the NAT setup instructions above.

Also, WireGuard uses UDP, not TCP. Any edge device that is NATting or routing traffic in front of the server will need to forward your ListenPort below. So, as the example below uses the standard port, the appropriate port assignment would be 51820/UDP forwarded to the server's LAN IP address.

    [Interface]
    Address = 10.0.0.1/24
    PrivateKey = <server private key>
    ListenPort = 51820

    [Peer] #First peer
    PublicKey = <first peer's public key>
    AllowedIPs = 10.0.0.2/32

    [Peer] #Second peer
    PublicKey = <second peer's public key>
    AllowedIPs = 10.0.0.3/32

QR CODE GENERATION

To create a QR code for the configuration (useful for mobile applications), you need to create, for each client, a key pair and a stock client config. Here is a sample of what to do:

First we create the key pair:

    wg genkey | sudo tee /etc/wireguard/mobileuser1-privatekey | wg pubkey | sudo tee /etc/wireguard/mobileuser1-publickey >/dev/null

Then create mobileuser1.conf:

    [Interface]
    PrivateKey = <mobileuser1 private key from above>
    Address = 10.0.0.20/32
    DNS = 1.1.1.1

    [Peer]
    PublicKey = <server public key>
    Endpoint = <server public ip or hostname>:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

Next we add the appropriate section in the server wg0.conf file for the publickey and the assigned IP address we have in the newly created mobileuser1.conf (or whatever you decide to name it).

Lastly, to generate the QR code. The first example creates a PNG, the second dumps it to the CLI:

    qrencode -o mobileuser1.png -t png < mobileuser1.conf

    qrencode -t ansiutf8 < mobileuser1.conf

Now, in the mobile application, you can use the QR code option to scan the generated image. You should do this for each device, and you will likely want more intelligent naming.

PEER SETUP

INSTALL PACKAGES

  • RHEL 7 / CentOS 7

    sudo yum install epel-release elrepo-release
    sudo yum install yum-plugin-elrepo
    sudo yum install kmod-wireguard wireguard-tools

  • RHEL 8

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
    sudo yum install kmod-wireguard wireguard-tools

  • CentOS 8

    sudo yum install elrepo-release epel-release
    sudo yum install kmod-wireguard wireguard-tools

  • Fedora <32

    sudo dnf copr enable jdoss/wireguard
    sudo dnf install wireguard-dkms wireguard-tools
    
  • Fedora >=32

    sudo dnf install wireguard
    
  • OpenSUSE

    sudo zypper install wireguard-tools
    

GENERATE KEYS

    sudo mkdir -p /etc/wireguard
    cd /etc/wireguard
    umask 077
    # same as on the server: tee under sudo so the files can be written when you are not root
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey >/dev/null
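The GENERATE KEYS steps for the server and for the peer run the same `wg genkey | wg pubkey` pipeline. As an added example, not part of this page and not the wg tool's own code, here is what that pipeline computes: a WireGuard key is a 32-byte Curve25519 scalar, base64-encoded, and the public key is X25519(private, 9) as specified in RFC 7748. The ladder below is a plain Python transcription of the RFC and is not constant time, so use it to understand the key format and to check keys, and keep using `wg genkey` to produce the keys you deploy. The function names (`wg_genkey`, `wg_pubkey`, `public_key`, `key_to_b64`) are this example's own.

```python
# What `wg genkey | wg pubkey` computes. Added example, not the wg tool's code:
# a WireGuard key is a 32-byte Curve25519 scalar, base64-encoded, and the public
# key is X25519(private, 9) per RFC 7748. Pure Python, not constant time; good
# for understanding the format, not for producing keys you will deploy.
import base64
import secrets

P = 2**255 - 19            # field prime
A24 = 121665               # (486662 - 2) / 4, the curve constant the ladder needs
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> bytearray:
    """RFC 7748 scalar clamping, the same transform wg applies to private keys."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k


def _cswap(swap: int, a: int, b: int):
    """Conditional swap driven by a mask rather than a branch."""
    mask = -swap               # 0 or all ones
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; both inputs are 32 bytes."""
    k = int.from_bytes(_clamp(scalar), "little")
    x_1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # ignore the top bit of u
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """Public key = private scalar times the base point u = 9."""
    return x25519(private, BASE_POINT)


def key_to_b64(raw: bytes) -> str:
    """The on-disk form wg uses: standard base64, 44 characters for 32 bytes."""
    return base64.b64encode(raw).decode()


def wg_genkey() -> str:
    """Like `wg genkey`: 32 random bytes, clamped, base64."""
    return key_to_b64(bytes(_clamp(secrets.token_bytes(32))))


def wg_pubkey(private_b64: str) -> str:
    """Like `wg pubkey`: read a base64 private key, return the base64 public key."""
    private = base64.b64decode(private_b64)
    if len(private) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    return key_to_b64(public_key(private))


if __name__ == "__main__":
    priv = wg_genkey()
    print("PrivateKey =", priv)
    print("PublicKey  =", wg_pubkey(priv))
```

Because the public key is derived from the private key, a handy check when a peer refuses to handshake is to run `wg pubkey < privatekey` on the client and compare it with the `PublicKey` you pasted into the server's `[Peer]` section; a mismatch there is the most common cause of a silent handshake failure.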

GNU/LINUX /etc/wireguard/wg0.conf

Refer to the server wg0.conf part above for your addresses for each peer.

    [Interface]
    Address = 10.0.0.2/24
    PrivateKey = <peer private key>

    [Peer]
    PublicKey = <server public key>
    Endpoint = <server public ip or hostname>:51820
    AllowedIPs = 0.0.0.0/0
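The subnetting rules from THE /etc/wireguard/wg0.conf FILE section, the step of adding a matching `[Peer]` block on the server for each mobileuser1.conf, and the peer wg0.conf above all have to agree with each other. As an added example that is not part of the original page, here is a small checker for exactly those mistakes: it parses the wg-quick config format (comments after `#` are stripped the way wg does), verifies that every server-side `[Peer]` has a /32 inside the interface subnet with no duplicates and a real 44-character key, and cross-checks a client config against the server config (is the client's address covered by some server `[Peer]`, does the Endpoint port match ListenPort). The sample configs and the `fake_key` values are constructed for the example; the function names are this example's own.

```python
# Static checks for the wg0.conf mistakes described above. Added example, not
# part of the original page; sample configs and keys below are constructed.
import ipaddress
import re

# Same shape wg-quick checks for a key: 32 bytes base64, 44 characters.
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")

def parse_wg_conf(text):
    """INI-style config -> [(section, {key: value}), ...]; '#' starts a comment."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif sections and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def split_cidrs(peer):
    return [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]

def check_server(conf_text):
    """One /32 per [Peer], inside the [Interface] subnet, unique, with a real key."""
    findings = []
    sections = parse_wg_conf(conf_text)
    net = ipaddress.ip_interface(dict(sections)["Interface"]["Address"]).network
    seen_ips = set()
    for i, peer in enumerate((b for n, b in sections if n == "Peer"), 1):
        if not KEY_RE.match(peer.get("PublicKey", "")):
            findings.append(f"peer {i}: PublicKey is not a 32-byte base64 key (placeholder left in?)")
        for cidr in split_cidrs(peer):
            allowed = ipaddress.ip_network(cidr, strict=False)
            if allowed.prefixlen != allowed.max_prefixlen:
                findings.append(f"peer {i}: AllowedIPs {cidr} must be a /32 host route on the server side")
            elif allowed.network_address not in net:
                findings.append(f"peer {i}: AllowedIPs {cidr} is outside the VPN subnet {net}")
            elif allowed in seen_ips:
                findings.append(f"peer {i}: AllowedIPs {cidr} is already assigned to another peer")
            seen_ips.add(allowed)
    return findings

def check_client(client_text, server_text):
    """Cross-check a client config (e.g. mobileuser1.conf) against the server's."""
    findings = []
    client = dict(parse_wg_conf(client_text))
    server = parse_wg_conf(server_text)
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    # Cryptokey routing: the server drops this client's packets unless some
    # [Peer] entry's AllowedIPs covers the client's tunnel address.
    if not any(client_ip in ipaddress.ip_network(c, strict=False)
               for n, b in server if n == "Peer" for c in split_cidrs(b)):
        findings.append(f"server has no [Peer] whose AllowedIPs covers {client_ip}; add one for this client")
    port = client["Peer"].get("Endpoint", "").rsplit(":", 1)[-1]
    if port != dict(server)["Interface"].get("ListenPort"):
        findings.append(f"Endpoint port {port!r} does not match the server's ListenPort")
    return findings

def fake_key(tag):
    """Constructed, syntactically valid key for the samples (not a real key)."""
    return (tag + "A" * 42)[:42] + "A="

SERVER_CONF = f"""
[Interface]
Address = 10.0.0.1/24
PrivateKey = {fake_key('serverpriv')}
ListenPort = 51820
[Peer] #First peer
PublicKey = {fake_key('peer1')}
AllowedIPs = 10.0.0.2/32
[Peer] #Second peer
PublicKey = {fake_key('peer2')}
AllowedIPs = 10.0.0.3/32
"""
# The classic mistake: the server's /24 copied into a peer's AllowedIPs.
BROKEN_SERVER_CONF = SERVER_CONF + f"\n[Peer]\nPublicKey = {fake_key('peer3')}\nAllowedIPs = 10.0.0.4/24\n"
MOBILE_CONF = f"""
[Interface]
PrivateKey = {fake_key('mobile1priv')}
Address = 10.0.0.20/32
[Peer]
PublicKey = {fake_key('serverpub')}
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""
# [Peer] block that must be appended to the server config for the mobile client.
MOBILE_SERVER_PEER = f"\n[Peer] #mobileuser1\nPublicKey = {fake_key('mobile1pub')}\nAllowedIPs = 10.0.0.20/32\n"

if __name__ == "__main__":
    print(check_server(BROKEN_SERVER_CONF), check_client(MOBILE_CONF, SERVER_CONF), sep="\n")
```

Run against your own files with `check_server(open("/etc/wireguard/wg0.conf").read())`; a client config's `Address` is checked only against AllowedIPs coverage, so a client that works but was given someone else's address will show up as a duplicate on the server side, not here.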

KILLSWITCH

Add the following two lines to the Interface section of the client-side config:

    PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

    PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Should the WireGuard tunnel die for whatever reason, no network traffic will pass anymore: anything not leaving via the tunnel interface, not carrying the tunnel's fwmark (the encrypted packets themselves), and not destined for a local address is rejected. You will need to bring the connection down via `wg-quick down wg0` to recover. Handy in very insecure areas, such as Defcon (had to say it) and really any other public wifi.

MOBILE APP

Install the WireGuard app from the Play Store (Android) or the Apple App Store (iOS).

Then fill out the appropriate fields.

Interface Section:

Name = The name you wish to call the connection.
PrivateKey = your private key
PublicKey = your public key
Addresses = your client's IP as defined in the server

Peer Section:

PublicKey = the server's PublicKey
Pre-Shared Key = if you have a PSK, you can enter it here. Otherwise this is an optional field.
AllowedIPs = the IPs to push through the tunnel. Set to 0.0.0.0/0 to use the WireGuard tunnel for all traffic. There is an option in the UI to add application exceptions (Netflix and BlazeTV.com are two known entities that block VPN traffic).
Endpoint = hostname:port or ip:port
Persistent Keepalive = useful for keeping NATted connections alive

FINISHING TOUCHES

SECURE THE FILES

    sudo chown -R root:root /etc/wireguard/
    # no glob here: a "/etc/wireguard/*" glob is expanded by your own shell before sudo runs, and fails once the directory is 0700
    sudo chmod -R og-rwx /etc/wireguard/

AUTOSTART wg0 ON BOOT

Recommended for server

    sudo systemctl enable wg-quick@wg0.service
    sudo systemctl daemon-reload
    sudo systemctl start wg-quick@wg0

For manual starts, or usage on a client computer

STATS SCREEN

    sudo watch -n 1 wg show wg0