notes:setup-wireguard-vpn-on-debian9
notes:setup-wireguard-vpn-on-debian9 [2018/09/06 11:31] – admin | notes:setup-wireguard-vpn-on-debian9 [2019/02/02 21:48] (current) – admin | ||
Line 3: | Line 3: | ||
-- //Tested with **Debian 9** (server side) and **Ubuntu 18.04** (client side) on **September 2018**// -- | -- //Tested with **Debian 9** (server side) and **Ubuntu 18.04** (client side) on **September 2018**// -- | ||
+ | ===== Server Setup ====== | ||
- | ==== Server | + | ==== Install WireGuard on the Server ==== |
- | + | ||
- | === Install WireGuard | + | |
Install WireGuard from Debian packages | Install WireGuard from Debian packages | ||
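Review bot: the new level-1 heading `===== Server Setup ======` has five `=` on the left and six on the right, so DokuWiki will not render it at the intended level (the marker count on both sides must match); change it to `===== Server Setup =====` to agree with the `==== ... ====` sub-headings this hunk introduces.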
Line 18: | Line 17: | ||
sudo modprobe wireguard | sudo modprobe wireguard | ||
- | === Generate Server Keys === | + | ==== Generate Server Keys ==== |
- | Generate server private | + | Generate server private |
wg genkey | wg genkey | ||
- | Copy and note down the generated key (should be something like '' | + | Copy and note down the generated key (should be something like '' |
Then, generate the corresponding public key with: | Then, generate the corresponding public key with: | ||
- | echo "SeRvErPrIvAtESeRvErPrIvAtESeRvErPrIvAte=" | wg pubkey | + | echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey |
- | and note down the generated public key (in our example will be '' | + | and note down the generated public key (in our example will be '' |
- | Now, create a | + | ==== Generate User Keys ==== |
+ | Generate user private key (one per user!) with | ||
+ | wg genkey | ||
+ | Copy and note down the generated key (should be something like | ||
+ | '' | ||
+ | |||
+ | Then, generate the corresponding public key with: | ||
+ | echo " | ||
+ | and note down the generated public key (in our example will be '' | ||
+ | |||
+ | ==== Configure the Server ==== | ||
+ | |||
+ | Check the name of the network interface with | ||
+ | ip l | ||
+ | |||
+ | 1: lo: < | ||
+ | link/ | ||
+ | 2: ens32: < | ||
+ | link/ether 00: | ||
+ | |||
+ | In our case the public network interface is ens32. Note down the public IP address of the server associated to the interface. In our example will be 1.2.3.4 (no, I'm not from APNIC) - you can check yours with | ||
+ | ip a show dev ens32 | ||
+ | |||
+ | Now, create a file for the wireguard interface ('' | ||
+ | sudo vim / | ||
+ | and add the following content (replace the sample keys with your actually generated keys and ens32 with your server' | ||
+ | |||
+ | [Interface] | ||
+ | Address = 172.16.16.1/ | ||
+ | PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE | ||
+ | PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE | ||
+ | ListenPort = 5544 | ||
+ | PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA= | ||
| | ||
- | and note | + | [Peer] |
+ | PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey= | ||
+ | AllowedIPs = 172.16.16.2/ | ||
+ | |||
+ | You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the server' | ||
+ | |||
+ | ==== Start the server ==== | ||
+ | |||
+ | Start Wireguard on the server with | ||
+ | sudo wg-quick up wg0s | ||
+ | and check if the VPN tunnel is up and running with | ||
+ | wg show | ||
+ | |||
+ | If needed, you can kill the tunnel with | ||
+ | sudo wg-quick down wg0s | ||
+ | |||
+ | ===== Client Setup ====== | ||
+ | |||
+ | ==== Install WireGuard on the Client ==== | ||
+ | |||
+ | Install wireguard on your Ubuntu client with | ||
+ | sudo add-apt-repository ppa: | ||
+ | sudo apt-get update | ||
+ | sudo apt-get install wireguard | ||
+ | |||
+ | ==== Configure the Client ==== | ||
+ | |||
+ | Now, create a file for the wireguard interface ('' | ||
+ | sudo vim / | ||
+ | and add the following content (remember replace the IP address of the Endpoint with server public address and the keys). | ||
+ | |||
+ | [Interface] | ||
+ | Address = 172.16.16.2/ | ||
+ | SaveConfig = true | ||
+ | ListenPort = 47824 | ||
+ | FwMark = 0x1234 | ||
+ | PrivateKey = UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk | ||
+ | AllowedIPs = 0.0.0.0/0, ::/0 | ||
+ | Endpoint = 1.2.3.4: | ||
+ | PersistentKeepalive = 10 | ||
+ | |||
+ | ==== Start the client ==== | ||
+ | |||
+ | Start Wireguard on with | ||
+ | sudo wg-quick up wg0c | ||
+ | and check if the VPN tunnel is up and running with | ||
+ | wg show | ||
+ | |||
+ | If needed, you can kill the tunnel with | ||
+ | sudo wg-quick down wg0c | ||
+ | |||
+ | ===== Throubleshooting ===== | ||
+ | - Do not mess up the keys - it's quite easy to switch client and server, public and private (and break the tunnel) | ||
+ | - If you have a firewall running on your server, open the corresponding UDP port (5544 in the example above) | ||
+ | - If you are behind the Great Firewall, probably it will not work |
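Review bot: the server `[Interface]` adds FORWARD and MASQUERADE rules in `PostUp`, but nothing in this hunk enables IP forwarding on the Debian host, so with the client's `AllowedIPs = 0.0.0.0/0, ::/0` all traffic routed through the tunnel will be dropped at the server until `net.ipv4.ip_forward = 1` is set with sysctl; that step belongs under "Configure the Server", and the Troubleshooting list should mention it alongside the UDP port. Two smaller points on key handling: feeding the private key through `echo "…" | wg pubkey` leaves it in the shell history, and the wg0s/wg0c config files hold `PrivateKey` in clear text, so run `umask 077` before `wg genkey` (or `wg genkey | tee privatekey | wg pubkey > publickey`) and keep the config files owner-readable only, since anyone who can read them can impersonate that peer. `SaveConfig = true` on the client makes `wg-quick down wg0c` rewrite the config file from the running state, which silently discards hand edits made while the tunnel is up; drop it unless that behaviour is wanted. Style: `===== Client Setup ======` has mismatched `=` markers like the server heading, and "Throubleshooting" is a typo for "Troubleshooting".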
notes/setup-wireguard-vpn-on-debian9.1536233488.txt.gz · Last modified: 2018/09/06 11:31 by admin