Build a VPN Tunnel with WireGuard
Building an Interface
The next step is to create one virtual network interface per device for WireGuard. This is the equivalent of eth0
or wlan0
. However, since traffic is tunneled separately with WireGuard, the system requires one interface for routing. The default for the first interface in WireGuard is wg0
(which we will use for simplicity's sake). If you prefer a different name, this is not a problem as long as you use it consistently.
The interface you created requires a specific IP range. In order to distinguish it from the 192.168.<x>.<y> common on LANs, use IPs from the private network address range 10.0.10.x [7] for wg0
, which you then make available to the outside world via masquerading [8]. For the configuration, save Listing 4 (server) and Listing 5 (client) in the /etc/wireguard/wg0.conf
file.
Listing 4
Server Configuration
[Interface] Address = 10.0.10.1/24,fd42:42:42::1/64 SaveConfig = true PrivateKey = <Key from client1.key> ListenPort = 51820 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -A FORWARD -o wg0 -j ACCEPT PostDown = iptables -F; iptables -t nat -F PostDown = ip6tables -F; ip6tables -t nat -F DNS = <IP Address of the WLAN Router> [Peer] PublicKey = <Key from client2.pub> AllowedIPs = 10.0.10.2/32,fd42:42:42::/64
Listing 5
Client Configuration
[Interface] Address = 10.0.10.2/32,fd42:42:42::2/64 PrivateKey = <Key from client2.key> DNS = 10.0.10.1 [Peer] PublicKey = <Key from client1.pub> Endpoint = <beispiel.dyndns.com>:51820 AllowedIPs = 0.0.0.0/0,::/0 PersistentKeepalive = 20
Be sure to enter the cryptographic keys from the key files. You will also want to tell the server to use the WLAN router as a DNS server using the DNS = [...]
line. The WireGuard client, on the other hand, needs to use the DNS = 10.0.10.1
option to query the WireGuard computer as its DNS server. The server configuration includes the same rules for starting up and shutting down the interface.
WireGuard uses port 51820 as the default port. If you want to use a different port, adjust the ListenPort = 51820
line accordingly. You then control the connection setup with the command:
sudo wg-quick up wg0
You can shut down the VPN again by typing:
sudo wg-quick down wg0
The sudo wg
command tells WireGuard to display information on the current status (Figure 3). To activate wg0
automatically at system startup time, type the following command on both computers:
sudo systemctl enable wg-quick@wg0
UFW
The easiest way to configure the port sharing settings is via the Uncomplicated Firewall (UFW) iptables front end (Listing 6), which is preinstalled on Ubuntu and included in most distributions' package sources. There is also the Gufw graphical interface. After installation, if necessary, allow port 22/TCP for SSH on both devices and open 51820/UDP or your chosen port (Figure 4).
Listing 6
Configuring Port Sharing with UFW
$ sudo ufw allow 22/tcp $ sudo ufw allow <51820>/udp ### Or the port chosen by the system $ sudo ufw enable $ sudo ufw status verbose Status: Active Logging: on (low) Default: deny (incoming), allow (outbound), deny (sent) New profiles: skip To Action From -- ------ --- 22/tcp ALLOW IN Anywhere 51820/udp ALLOW IN Anywhere 22/tcp (v6) ALLOW IN Anywhere (v6) 51820/udp (v6) ALLOW IN Anywhere (v6)
Conclusions
If you have no errors in the configuration, you should be able to ping the other IP address. From our personal experience, we found that configuration errors can happen easily. However, WireGuard can be set up quite quickly with about an hour of concentrated work. You can then extend the configuration to include additional clients, such as Android smartphones, using the same principle.
Infos
- WireGuard: https://www.wireguard.com/
- "Linux Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later" by Michael Larabel, August 3, 2018, https://www.phoronix.com/scan.php?page=news_item&px=Linus-Likes-WireGuard
- ChaCha20: https://cr.yp.to/chacha.html
- Curve25519: https://cr.yp.to/ecdh.html
- Installation: https://www.wireguard.com/install
- DynDNS Service: https://dyndnss.net/eng/
- Private IP addresses: https://en.wikipedia.org/wiki/Private_network
- Masquerading: https://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.