WIREGUARD
Wireguard is the new VPN solution. Fast and lightweight.
Setup is done in two main parts:
- Server
- Peers
The docs below are for Red Hat and SuSE products; for others, see the Wireguard website or your distro's documentation. The instructions cover server setup, peer setup, and some final touches. It is advisable to read everything over first, then step through and get things working.
This documentation is indeed rough and will be cleaned up as I find better ways to word and organize things.
SERVER SETUP
INSTALL PACKAGES
If your distribution isn't listed below, feel free to hit up the Wireguard Installation Page for instructions. I will always list EL, Fedora, and OpenSuSE here, as these are the distros I both use and recommend to others.
- RHEL 7 / CentOS 7
sudo yum install epel-release elrepo-release
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools
- RHEL 8
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
sudo yum install kmod-wireguard wireguard-tools
- CentOS 8
sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools
- Fedora 31
sudo dnf copr enable jdoss/wireguard
sudo dnf install wireguard-dkms wireguard-tools
- Fedora >=32
sudo dnf install wireguard
- OpenSUSE
sudo zypper install wireguard-tools
GENERATE KEYS
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
Generate the key pair as root in one go. sudo does not carry over to tee or to the > redirection, so a plain "sudo wg genkey | tee ..." is refused on the root-owned directory; the umask keeps both key files at mode 600:
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
NAT SETUP
Write both forwarding settings to a sysctl drop-in and apply them. The file has to be written as root, so pipe into sudo tee rather than redirecting after sudo echo (a redirection runs as the unprivileged user):
printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' | sudo tee /etc/sysctl.d/wg.conf
sudo sysctl --system
FIREWALLD CONFIG
Here are the firewalld commands to open the listen port (adjust it if you use a different ListenPort below) and to enable NAT (masquerading). If you do NOT want NAT, do not execute the second command. Permanent rules only take effect after a reload, so finish with the third command.
sudo firewall-cmd --permanent --add-port=51820/udp --zone=public
sudo firewall-cmd --permanent --zone=public --add-masquerade
sudo firewall-cmd --reload
THE /etc/wireguard/wg0.conf FILE
The wg0.conf is where most errors are made. Take note of the subnetting. The VPN network in the examples here is 10.0.0.0/24. In some places we use that subnet; in others a /32 is required. If you need a subnet other than /24, change only that. Getting this wrong results in a broken setup. Following the example configs (peers and server) yields a VPN that routes the peers' internet browsing safely through the server. If you cannot reach the internet or ping your DNS server or the VPN server, you most likely have a configuration issue below, provided you applied the NAT setup above.
Also, Wireguard uses UDP, not TCP. Any edge device that NATs or routes traffic in front of the server needs your ListenPort (below) forwarded to it. Since the example below uses the standard port, that means forwarding 51820/UDP to the server's LAN IP address.
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server private key>
ListenPort = 51820
[Peer] #First peer
PublicKey = <first peer's public key>
AllowedIPs = 10.0.0.2/32
[Peer] #Second peer
PublicKey = <second peer's public key>
AllowedIPs = 10.0.0.3/32
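Because the prefix lengths in this file are where setups usually break, here is an added example (not from this page or from the WireGuard project) of a small shell checker to run over a server wg0.conf before bringing it up. It assumes the page's 10.0.0.0/24 layout: the Interface Address must be a /24 in that range, each peer's AllowedIPs must be a single /32 in it, no two peers may claim the same address (wg assigns each allowed IP to exactly one peer, so a duplicate quietly moves the address to whichever peer is loaded last), every [Peer] needs a PublicKey, keys must look like 44-character base64, and the file must not be readable by other users. The two sample configs and all keys in it are constructed placeholders.

```bash
#!/bin/sh
# Added example: sanity-check a WireGuard server wg0.conf before "wg-quick up".
# Assumes the page's 10.0.0.0/24 VPN subnet; every key and file below is constructed.

# check_wg_conf FILE PREFIX
#   PREFIX is the /24 written as its first three octets plus a dot ("10.0.0.").
#   Prints one line per problem; returns 0 only when nothing was found.
check_wg_conf() {
    conf=$1; prefix=$2; problems=0

    # The file holds a private key, so group/other must have no access at all.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in
        *00) ;;
        *) echo "$conf: mode $mode is readable by others (expected 600)"
           problems=$((problems + 1)) ;;
    esac

    # Parse the file like wg(8) does: '#' starts a comment, and a line is split
    # on its first '=' only, because base64 keys themselves end in '='.
    findings=$(awk -v prefix="$prefix" '
        function keyok(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
        {
            sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == "") next
            if ($0 == "[Interface]") { sec = "iface"; next }
            if ($0 == "[Peer]")      { sec = "peer"; np++; next }
            eq = index($0, "=")
            if (eq == 0) { print "unparseable line: " $0; next }
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == "iface" && k == "Address" && (index(v, prefix) != 1 || v !~ /\/24$/))
                print "Interface Address " v " should be " prefix "X/24"
            if (sec == "iface" && k == "PrivateKey" && !keyok(v))
                print "Interface PrivateKey does not look like a base64 key"
            if (sec == "peer" && k == "PublicKey") {
                if (keyok(v)) pk[np] = v
                else print "peer " np ": PublicKey does not look like a base64 key"
            }
            if (sec == "peer" && k == "AllowedIPs") {
                n = split(v, ips, /[ \t]*,[ \t]*/)
                for (j = 1; j <= n; j++) {
                    if (index(ips[j], prefix) != 1 || ips[j] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/32$/)
                        print "peer " np ": AllowedIPs " ips[j] " should be one " prefix "X/32 address"
                    else if (ips[j] in seen)
                        print "peer " np ": " ips[j] " is already assigned to peer " seen[ips[j]]
                    else seen[ips[j]] = np
                }
            }
        }
        END { for (j = 1; j <= np; j++) if (!(j in pk)) print "peer " j ": missing PublicKey" }
    ' "$conf")

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        problems=$((problems + $(printf '%s\n' "$findings" | wc -l)))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed placeholder keys of the right shape (43 base64 chars + '='); not real keys.
K_SERVER=$(printf '%043d=' 0 | tr 0 A)
K_PEER1=$(printf '%043d=' 0 | tr 0 B)
K_PEER2=$(printf '%043d=' 0 | tr 0 C)

GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)        # mktemp creates both with mode 600
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Mirrors the page's server config with placeholder keys.
cat > "$GOOD_CONF" <<EOF
[Interface]
Address = 10.0.0.1/24
PrivateKey = $K_SERVER
ListenPort = 51820

[Peer] #First peer
PublicKey = $K_PEER1
AllowedIPs = 10.0.0.2/32

[Peer] #Second peer
PublicKey = $K_PEER2
AllowedIPs = 10.0.0.3/32
EOF

# Typical mistakes: /32 on the server Address, a whole /24 as one peer's
# AllowedIPs, the same address claimed twice, a peer without a key, and a
# world-readable file.
cat > "$BAD_CONF" <<EOF
[Interface]
Address = 10.0.0.1/32
PrivateKey = $K_SERVER
ListenPort = 51820

[Peer]
PublicKey = $K_PEER1
AllowedIPs = 10.0.0.0/24

[Peer]
PublicKey = $K_PEER2
AllowedIPs = 10.0.0.2/32

[Peer]
AllowedIPs = 10.0.0.2/32
EOF
chmod 644 "$BAD_CONF"

check_wg_conf "$GOOD_CONF" 10.0.0. && echo "good config: OK"
check_wg_conf "$BAD_CONF" 10.0.0. || echo "bad config: problems found (listed above)"
```

To check a live server, run it as root against the real file, e.g. check_wg_conf /etc/wireguard/wg0.conf 10.0.0. ; a non-zero exit code makes it usable as a pre-flight step in a deployment script.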
QR CODE GENERATION
To create a QR code for the configuration (useful for mobile applications), you need to create a key pair and a stock client config for each client. Here is a sample of what to do:
First we create the key pair (as root, for the same reason as in the server key generation above):
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/mobileuser1-privatekey | wg pubkey > /etc/wireguard/mobileuser1-publickey'
Then create mobileuser1.conf:
[Interface]
PrivateKey = <mobileuser1 private key from above>
Address = 10.0.0.20/32
DNS = 1.1.1.1
[Peer]
PublicKey = <server public key>
Endpoint = <server public ip or hostname>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Next we add the appropriate section in the server wg0.conf file for the publickey and the assigned IP address we have in the newly created mobileuser1.conf (or whatever you decide to name it).
Lastly, generate the QR code; the first example creates a PNG, the second dumps it to the terminal:
qrencode -o mobileuser1.png -t png < mobileuser1.conf
qrencode -t ansiutf8 < mobileuser1.conf
Now, in the mobile application, use the QR code option to scan the generated image. Do this for each device, and likely use more intelligent naming.
PEER SETUP
INSTALL PACKAGES
- RHEL 7 / CentOS 7
sudo yum install epel-release elrepo-release
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools
- RHEL 8
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
sudo yum install kmod-wireguard wireguard-tools
- CentOS 8
sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools
- Fedora <32
sudo dnf copr enable jdoss/wireguard
sudo dnf install wireguard-dkms wireguard-tools
- Fedora >=32
sudo dnf install wireguard
- OpenSUSE
sudo zypper install wireguard-tools
GENERATE KEYS
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
As on the server, run the pipeline as root so tee and the redirection can write into /etc/wireguard:
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
GNU/LINUX /etc/wireguard/wg0.conf
Refer to the server wg0.conf part above for your addresses for each peer.
[Interface]
Address = 10.0.0.2/24
PrivateKey = <peer private key>
[Peer]
PublicKey = <server public key>
Endpoint = <server public ip or hostname>:51820
AllowedIPs = 0.0.0.0/0
KILLSWITCH
Add the following two lines to the [Interface] section of the client-side config:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Should the Wireguard tunnel die for whatever reason, there will be no network traffic anymore. You will need to bring down the connection via wg-quick down wg0 to recover. Handy in very insecure areas, such as Defcon (had to say it) and really any other public wifi.
MOBILE APP
Install the Wireguard app from the Google Play Store (Android) or the Apple App Store (iOS).
Then fill out the appropriate fields.
Interface Section:
Name = The name you wish to call the connection.
PrivateKey = your private key
PublicKey = your public key
Addresses = your client's IP as defined in the server
Peer Section:
PublicKey = Server's PublicKey
Pre-Shared Key = if you have a PSK, you can enter it here. Otherwise this is an optional field.
AllowedIPs = the IPs to route through the tunnel. Set to 0.0.0.0/0 to use the Wireguard tunnel for all traffic. There is an option in the UI to add application exceptions (Netflix and BlazeTV.com are two known entities that block VPN traffic).
Endpoint = hostname:port or ip:port
Persistent Keepalive = useful for keeping NATted connections alive
FINISHING TOUCHES
SECURE THE FILES
sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard
(Passing the directory itself rather than /etc/wireguard/* also closes the directory, so other users cannot even list the key files.)
AUTOSTART wg0 ON BOOT
Recommended for the server:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
For manual starts, or for use on a client computer:
sudo wg-quick up wg0
STATS SCREEN
sudo watch -n 1 wg show wg0
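The same data is available in a machine-readable form from "wg show wg0 dump": one tab-separated interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp (0 when there has never been one), received and sent bytes, and keepalive. The following is an added example, not part of this page or of the WireGuard tools, that reads such a dump and flags peers that have never completed a handshake (on a server this usually means a wrong public key or AllowedIPs entry on one side) or whose last handshake is older than a threshold. It runs on a constructed dump with placeholder keys and a fixed "current time", so it works without a live interface; the stale_peers function name and its arguments are this example's own.

```bash
#!/bin/sh
# Added example: flag idle or never-connected peers from "wg show wg0 dump".
# Dump format (tab-separated): one interface line
#   private-key  public-key  listen-port  fwmark
# followed by one line per peer
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# where latest-handshake is a Unix timestamp and 0 means "never".

# stale_peers DUMP_FILE NOW MAX_AGE_SECONDS
#   Prints one line per peer that never handshaked or whose last handshake is
#   older than MAX_AGE_SECONDS. Returns 0 when every peer is healthy, 1 otherwise.
stale_peers() {
    awk -v now="$2" -v max="$3" '
        BEGIN { FS = "\t" }
        NR == 1 || NF < 8 { next }              # skip the interface line
        {
            pub = $1; endpoint = $3; ips = $4; hs = $5 + 0
            if (hs == 0) {
                print ips, pub, endpoint, "never handshaked"; flagged++
            } else if (now - hs > max) {
                print ips, pub, endpoint, "last handshake " (now - hs) "s ago"; flagged++
            }
        }
        END { exit (flagged > 0) }
    ' "$1"
}

# Constructed data: placeholder keys (43 base64 chars + "="), documentation
# IP ranges, and a fixed "now" so the example is reproducible offline.
NOW=1700000000
K_SRV_PRIV=$(printf '%043d=' 0 | tr 0 S); K_SRV_PUB=$(printf '%043d=' 0 | tr 0 P)
K_A=$(printf '%043d=' 0 | tr 0 A); K_B=$(printf '%043d=' 0 | tr 0 B); K_C=$(printf '%043d=' 0 | tr 0 C)

DUMP=$(mktemp); trap 'rm -f "$DUMP"' EXIT
{
    printf '%s\t%s\t%s\t%s\n' "$K_SRV_PRIV" "$K_SRV_PUB" 51820 off
    # peer A: handshake 50 s ago -> healthy
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$K_A" '(none)' '203.0.113.10:43210' '10.0.0.2/32' $((NOW - 50)) 1234 5678 off
    # peer B: handshake about 3 h ago -> idle or disconnected
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$K_B" '(none)' '198.51.100.7:51820' '10.0.0.3/32' $((NOW - 10000)) 987654 321 25
    # peer C: configured but never handshaked -> check the keys on both sides
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$K_C" '(none)' '(none)' '10.0.0.20/32' 0 0 0 off
} > "$DUMP"

stale_peers "$DUMP" "$NOW" 180 || echo "some peers need attention"
```

Against a real server, capture the dump as root and pass the current time: sudo wg show wg0 dump > /tmp/wg.dump; stale_peers /tmp/wg.dump "$(date +%s)" 180. A threshold of a few minutes fits peers that pass traffic continuously (WireGuard re-handshakes roughly every two minutes while data flows); a peer that is expected to be idle simply shows up as stale, so tune the threshold per deployment.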