Build a VPN Tunnel with WireGuard
Tunneled
After completing the setup, the laptop, which acts as a server in our case, will take responsibility for transporting the network packets and will reside between the client and, for example, any websites it visits, accepting requests and returning responses. This connection is encrypted in both directions. Visited websites only see the server's IP address, not your own.
Setting up a VPN with WireGuard is easier than with its competitors (which sometimes require a demanding configuration that is easily beyond a beginner's capabilities). With the recent addition of WireGuard to the mainline kernel, its adoption is expected to continue to grow; over time, the configuration is likely to be simplified with additional tools.
Installing WireGuard
Unlike its competitors, WireGuard uses the same software on the server and the clients. After installing the wireguard package via the server's and the clients' package managers, start the process of generating private and public keys; this is comparable to the same procedure in SSH. You need to create a key pair for each device that will have access to the VPN. The two computers on either end of the WireGuard tunnel each need the public keys from the other end. WireGuard does not care whether the server is on the Internet or a local network.
If you are using Ubuntu 20.04, the best way to install WireGuard is to type sudo apt install wireguard at the command line rather than using the graphical package manager, which only gives you an outdated third-party snap package (Figure 1). Also make sure that the header files are installed to match the kernel.
After installing the package, you still need to enable IP forwarding on the designated WireGuard server. As root, open the /etc/sysctl.conf file in an editor and uncomment the lines #net.ipv4.ip_forward=1 for IPv4 or #net.ipv6.conf.all.forwarding=1 for IPv6 (Listing 1). Then reload the system configuration (Listing 2) by typing:
sudo sysctl -p
Listing 1
Enabling IP Forwarding
[...]
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
[...]
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
[...]
Listing 2
Reloading WireGuard
### Install Wireguard
$ sudo apt update
$ sudo apt install wireguard resolvconf
### Only on the Wireguard server:
$ sudo nano /etc/sysctl.conf
$ sudo sysctl -p
Key Services
Now create the required private and public keys on the server and clients (shown in Listing 3). Finally, check that the keys have been created with the ls command (Figure 2). It is best to copy both public keys into a text file and save them on a USB stick for later configuration.
Listing 3
Creating Private and Public Keys
$ sudo -s
$ cd /etc/wireguard
### Generate key on server:
$ umask 077; wg genkey | tee <client1>.key | wg pubkey > <client1>.pub
### Generate key on client:
$ umask 077; wg genkey | tee <client2>.key | wg pubkey > <client2>.pub
### Check key on server:
$ ls -al
total 24
drwx------   2 root root  4096 Apr 30 19:49 .
drwxr-xr-x 131 root root 12288 Apr 30 19:47 ..
-rw-------   1 root root    45 Apr 30 19:49 client1.key
-rw-------   1 root root    45 Apr 30 19:49 client1.pub
$ cat /etc/wireguard/client1.key
YBwK1N1O7OwOEtWCFnxwF9aVB0GK5YUNxEtU1pyVuUs=
$ cat /etc/wireguard/client1.pub
LnEReQTHUY7FIMaAR6qVcCfk95ucPY6O/zb4OfdfYh4=
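As an added example (not part of the original article), the following shell functions check the results of the steps above: that forwarding is uncommented in a sysctl.conf-style file, and that each .key file in the WireGuard directory is private to its owner and holds a 32-byte base64 key. The function names are this example's own, and the script reads the configuration file only, so it does not report the running kernel's state.

```shell
#!/bin/sh
# Added example: checks for the forwarding and key-generation steps.
# All function names are assumptions of this example, not WireGuard tools.

# forwarding_enabled FILE KEY: true if FILE has an uncommented "KEY=1" line.
forwarding_enabled() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    grep -Eq "^[[:space:]]*$k[[:space:]]*=[[:space:]]*1[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# key_perms_ok FILE: true if FILE is a regular file without group/other
# permission bits, which is what "umask 077" in Listing 3 produces.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_format_ok FILE: true if FILE holds a single 44-character base64
# string that decodes to 32 bytes (the 45-byte files in Listing 3 are
# that string plus a newline).
key_format_ok() {
    key=$(cat "$1" 2>/dev/null) || return 1
    [ "${#key}" -eq 44 ] || return 1
    [ "$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# audit_wireguard DIR SYSCTL_FILE: prints findings, returns their count.
audit_wireguard() {
    problems=0
    forwarding_enabled "$2" net.ipv4.ip_forward ||
    forwarding_enabled "$2" net.ipv6.conf.all.forwarding || {
        echo "$2: packet forwarding not enabled"; problems=$((problems + 1)); }
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        key_perms_ok "$f" || {
            echo "$f: accessible to group or others"; problems=$((problems + 1)); }
        key_format_ok "$f" || {
            echo "$f: not a 32-byte base64 key"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# On the server, as root: audit_wireguard /etc/wireguard /etc/sysctl.conf
```

On a client, where forwarding is not needed, call key_perms_ok and key_format_ok on the key file directly.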