wireguard
WireGuard® is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. (from the WireGuard website)
It is one of the two VPN technologies used at Madrigal Inc. The other one is OpenVPN.
Installation and key setup
WireGuard can be installed on the Protectli appliance, or on a workstation with pacman or one of the AUR helpers, which pull the package from the repositories. The package name is wireguard-tools, so if you want to install it, type:
yay wireguard-tools
in the command line
After the installation, create a wireguard folder in the home directory of the main user (administrators only). For security reasons the configuration for the WireGuard connection must end up in the /etc/wireguard/ directory, where normal users cannot read or change it without sudo rights. The key generation itself can be done without those rights, but leaving keys or configuration in a home directory is not recommended.
Use the command mkdir wireguard in your home folder to create a new directory.
After creating the directory, use the cd command to change into it. For WireGuard to be able to connect to your client you first need to create a key pair for authentication: a private key and a public key. The private key you have to keep private, because it is your main credential for authentication. You can create the private key with the installed WireGuard tools:
wg genkey > <name-of-key>.key
When you run this command, wg warns that it is writing to a world-accessible file and suggests setting the umask to 077 (the command is umask 077, not uname) and trying again. You can ignore the message here, because the permissions are fixed in the next step; the key is created despite the warning. The cleaner way is to run umask 077 before wg genkey, so the file is never readable by other users in the first place.
Keep this key secret and do not hand it to anyone. You can restrict the ownership and permissions of the key with the following commands, run with root privileges or sudo:
sudo chown root:root <name-of-key>.key
sudo chmod 600 <name-of-key>.key
Use this key to generate the public key. Note that once the file belongs to root with mode 600 a normal user can no longer read it, and the redirection below is performed by your shell, not by wg, so either derive the public key before the chown above or run the whole command line as root (e.g. wrapped in sudo sh -c '...'):
wg pubkey < <name-of-key>.key > <name-of-public-key>.pub
How you name these keys is not important; the names only help you tell them apart if you use multiple WireGuard connections, which is possible. The public key is, as the name implies, public and does not need special protection. If you are setting up a server or multiple clients, repeat these commands for every member of the network: every peer gets its own key pair, generated on that peer, and a private key is never copied from one machine to another.
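The key setup above as a script, added here as an example; it is not Madrigal's script and not part of wireguard-tools. It generates the pair so that the private key is never world-readable, derives the public key while the file is still owned by the user, and checks that both files are real 32-byte keys. Assumptions not stated on the page: Linux with GNU coreutils (stat -c, base64 -d), and wireguard-tools installed. When wg is absent, openssl's X25519 support is used as a stand-in (the raw key is the last 32 bytes of the PKCS#8 DER openssl emits; such keys are interchangeable with wg genkey output). The directory and file names follow the page (~/wireguard/<name>.key and <name>.pub).

```shell
#!/bin/sh
# Added example for this page; not Madrigal's script and not part of
# wireguard-tools. Generates a WireGuard key pair so the private key is never
# world-readable, then checks that both files are real 32-byte keys.
# Assumptions: Linux with GNU coreutils (stat -c, base64 -d). If `wg` is not
# installed, openssl's X25519 support is used as a stand-in: the raw key is
# the last 32 bytes of the PKCS#8 DER openssl emits.
set -eu

# A WireGuard key is base64 that decodes to exactly 32 bytes; anything else
# (truncated paste, a PEM file, a key with trailing junk) is rejected.
wg_key_valid() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Generate the private key into $1. umask 077 in a subshell makes the file
# 0600 from creation, so wg genkey's "world accessible file" warning never
# applies and no other user gets a window to read the key.
wg_make_private_key() {
    (
        umask 077
        if command -v wg >/dev/null 2>&1; then
            wg genkey > "$1"
        else
            openssl genpkey -algorithm X25519 -outform DER 2>/dev/null |
                tail -c 32 | base64 > "$1"
        fi
    )
    wg_key_valid "$(cat "$1")"
}

# Derive the public key of private key file $1 into $2. Run this as the owner
# of $1 and before handing the file to root, otherwise the shell that performs
# the redirection cannot open it.
wg_make_public_key() {
    if command -v wg >/dev/null 2>&1; then
        wg pubkey < "$1" > "$2"
    else
        # Re-wrap the raw scalar in the 16-byte PKCS#8 X25519 header so
        # openssl can compute the matching Curve25519 public point.
        {
            printf '\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040'
            base64 -d "$1"
        } | openssl pkey -inform DER -pubout -outform DER 2>/dev/null |
            tail -c 32 | base64 > "$2"
    fi
    wg_key_valid "$(cat "$2")"
}

# Succeed only if $1 is readable by its owner alone (mode 600 or 400).
wg_key_file_private() {
    mode=$(stat -c %a "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# The procedure from the page: ~/wireguard/<name>.key and <name>.pub.
# WG_DIR overrides the directory (hypothetical variable for this example).
wg_key_setup() {
    dir=${WG_DIR:-$HOME/wireguard}
    name=${1:-w0}
    mkdir -p "$dir" && chmod 700 "$dir"
    wg_make_private_key "$dir/$name.key" || return 1
    wg_make_public_key "$dir/$name.key" "$dir/$name.pub" || return 1
    chmod 600 "$dir/$name.key"      # belt and braces in case umask was changed
    wg_key_file_private "$dir/$name.key" || return 1
    printf 'private key: %s (mode %s)\npublic key:  %s\n' \
        "$dir/$name.key" "$(stat -c %a "$dir/$name.key")" "$(cat "$dir/$name.pub")"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then wg_key_setup "${1:-w0}"; fi
```

Run it with RUN_DEMO=1 sh keys.sh w0. Only after both files exist should the private key change hands to root, e.g. with sudo install -o root -g root -m 600 ~/wireguard/w0.key /etc/wireguard/, which does the chown and chmod from the page in one step; the public key can be copied around freely.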
Configuration
To configure the connection you have to create a configuration file. Use the touch command to create it. The name of this file is the name of the WireGuard interface that wg-quick will create, so if you want a particular interface name, name the config file after it. In this example we name it w0 (wg0 is the more common convention, but any name works as long as it is at most 15 characters, the Linux limit for interface names). Keep in mind that names of interfaces already in use (e.g. eth0 and lo) are not possible because of naming conflicts.
touch w0.conf
Peer Configuration
Since a WireGuard link is usually a peer-to-peer connection between two users, the peers can be configured identically for a simple point-to-point setup. Even for more complicated variants the configuration of a single client does not change dramatically. A client can be configured as follows:
# local settings for Endpoint A (client)
[Interface]
PrivateKey = <private key of client A>
Address = 10.0.0.1/32
ListenPort = 51821
PreUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT

# remote settings for client B (or the server host)
[Peer]
PublicKey = <public key of client B>
Endpoint = <public IP of client B>:<port client B listens on>
AllowedIPs = <tunnel IP(s) of client B, e.g. 10.0.0.2/32>
[Interface]
This is your side of the connection.
PrivateKey
The private key you generated earlier. Never put another machine's private key here.
Address
The address you want to have inside the tunnel subnet, not the address the machine already has on its LAN.
ListenPort
The UDP port your side listens on. If you leave it out, WireGuard picks a random free port each time the interface comes up, so firewall rules like the PreUp line above cannot be pinned to it; choose a port nonetheless.
[Peer]
This is the remote side of the connection. If you have a second or third peer you want to connect to point to point, add another [Peer] section after you have listed all the data for the first one.
PublicKey
The public key of the peer you want to connect to.
Endpoint
The public (not the internal or tunnel) IP of the peer you want to connect to, followed by a colon and the port it listens on. A peer behind NAT that only ever initiates the connection can be left without an Endpoint on the other side; WireGuard learns its address from the first authenticated packet.
AllowedIPs
A comma-separated list of addresses or prefixes with two jobs at once: incoming packets from this peer are accepted only if their source address is in the list, and outgoing packets whose destination is in the list are routed to this peer (WireGuard's cryptokey routing). A single /32 gives a split tunnel to that one host; 0.0.0.0/0 sends all traffic through the peer (full tunnel).
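A linter for an <iface>.conf, added here as an example (not part of the wiki or of wireguard-tools), to run before the file is copied to /etc/wireguard/. It checks the points made in the field descriptions above: an interface name within the 15-character limit, keys that decode to 32 bytes, an Endpoint that carries a port, a ListenPort that is set and valid, and AllowedIPs that no two [Peer] sections both claim (cryptokey routing would hand that prefix to whichever peer is listed last, so the other peer silently loses it). The two sample configs and their keys are constructed for the example; the keys are base64 placeholders, not real keys.

```shell
#!/bin/sh
# Added example for this page; not part of the wiki or of wireguard-tools.
# Lints a WireGuard <iface>.conf and reports the mistakes described above.
# Sample configs and keys below are constructed placeholders.
set -u

# A WireGuard key is base64 that decodes to exactly 32 bytes.
wg_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Called at every section header and at EOF; validates the section just read.
# It works on wg_check_conf's variables (shell functions share its scope).
_wg_finish_section() {
    case "$section" in
    Interface)
        n_iface=$((n_iface + 1))
        wg_key_ok "$PrivateKey" || { echo "ERROR: [Interface] PrivateKey missing or not a 32-byte base64 key"; errors=$((errors + 1)); }
        [ -n "$Address" ] || { echo "ERROR: [Interface] has no Address"; errors=$((errors + 1)); }
        if [ -z "$ListenPort" ]; then
            echo "WARN: no ListenPort; WireGuard picks a random port, so firewall rules cannot be pinned to it"
        elif ! printf '%s' "$ListenPort" | grep -Eq '^[0-9]+$' || [ "$ListenPort" -lt 1 ] || [ "$ListenPort" -gt 65535 ]; then
            echo "ERROR: ListenPort '$ListenPort' is not a valid UDP port"; errors=$((errors + 1))
        fi ;;
    Peer)
        wg_key_ok "$PublicKey" || { echo "ERROR: [Peer] PublicKey missing or malformed"; errors=$((errors + 1)); }
        if [ -n "$Endpoint" ] && ! printf '%s' "$Endpoint" | grep -Eq ':[0-9]+$'; then
            echo "ERROR: Endpoint '$Endpoint' lacks a port"; errors=$((errors + 1))
        fi
        [ -n "$AllowedIPs" ] || { echo "ERROR: [Peer] $PublicKey has no AllowedIPs (nothing is accepted from or routed to it)"; errors=$((errors + 1)); }
        for ip in $(printf '%s' "$AllowedIPs" | tr ',' ' '); do
            case "$ip" in
            0.0.0.0/0|::/0) echo "NOTE: $ip on peer $PublicKey makes this a full tunnel" ;;
            esac
            case "$seen_ips" in
            *" $ip "*) echo "ERROR: AllowedIPs $ip is claimed by two peers; only the last one listed will get it"; errors=$((errors + 1)) ;;
            esac
            seen_ips="$seen_ips$ip "
        done ;;
    esac
    PrivateKey= Address= ListenPort= PublicKey= AllowedIPs= Endpoint=
}

# wg_check_conf FILE: prints findings, returns the number of errors (0 = clean).
wg_check_conf() {
    file=$1; section=; errors=0; n_iface=0; seen_ips=" "
    PrivateKey= Address= ListenPort= PublicKey= AllowedIPs= Endpoint=
    iface=$(basename "$file" .conf)
    if [ "${#iface}" -gt 15 ]; then
        echo "ERROR: interface name '$iface' is longer than 15 characters"; errors=$((errors + 1))
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case "$line" in
        '[Interface]') _wg_finish_section; section=Interface ;;
        '[Peer]')      _wg_finish_section; section=Peer ;;
        '['*)          echo "ERROR: unknown section $line"; errors=$((errors + 1)) ;;
        *=*)
            key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
            val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//')
            [ -n "$section" ] || { echo "ERROR: '$key' appears before any section header"; errors=$((errors + 1)); }
            case "$key" in
            PrivateKey|Address|ListenPort|PublicKey|AllowedIPs|Endpoint) eval "$key=\$val" ;;
            PreUp|PostUp|PreDown|PostDown|DNS|MTU|Table|FwMark|SaveConfig|PresharedKey|PersistentKeepalive) ;;
            *) echo "WARN: unknown key '$key' in [$section]" ;;
            esac ;;
        *) echo "ERROR: cannot parse line: $line"; errors=$((errors + 1)) ;;
        esac
    done < "$file"
    _wg_finish_section
    [ "$n_iface" -eq 1 ] || { echo "ERROR: expected exactly one [Interface] section, found $n_iface"; errors=$((errors + 1)); }
    return "$errors"
}

# Constructed split-tunnel config: only the other peer's /32 goes through w0.
wg_sample_good() {
    cat <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.0.0.1/32
ListenPort = 51821
PreUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT

[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Endpoint = 203.0.113.10:51821   # public IP of the peer, not its tunnel IP
AllowedIPs = 10.0.0.2/32
EOF
}

# Constructed config with three errors: a PEM fragment pasted as the key,
# an Endpoint without a port, and 10.0.0.2/32 handed to two different peers.
wg_sample_bad() {
    cat <<'EOF'
[Interface]
PrivateKey = -----BEGIN PRIVATE KEY-----
Address = 10.0.0.1/32

[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
Endpoint = 203.0.113.10
AllowedIPs = 10.0.0.2/32, 0.0.0.0/0

[Peer]
PublicKey = AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
AllowedIPs = 10.0.0.2/32
EOF
}

# Lint both samples; run with RUN_DEMO=1 to see the findings.
wg_lint_demo() {
    d=$(mktemp -d)
    wg_sample_good > "$d/w0.conf"
    wg_sample_bad  > "$d/w1.conf"
    for f in "$d/w0.conf" "$d/w1.conf"; do
        echo "== $f"
        wg_check_conf "$f"
        echo "-> $? error(s)"
    done
    rm -r "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then wg_lint_demo; fi
```

The second sample is the one to study: the linter returns 3, prints a NOTE for 0.0.0.0/0 because a full tunnel is a design choice rather than an error, and flags the duplicated /32, which wg-quick would accept without complaint.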
Server Configuration
If more than two peers need to reach each other, the WireGuard VPN can be configured so that all connections run through a single entry point (site-server). This entry point sets the rules that allow peers to connect to each other and to use the services hosted by all connected peers.
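One way to realise the site-server described above, added here as an example and not taken from the wiki or from wireguard-tools: a script that builds the hub's w0.conf from a peer list and prints the [Peer] stanza each client adds for the hub. Assumptions beyond what the page states: interface w0, tunnel subnet 10.0.0.0/24 with the hub at .1, UDP 51821 as in the client example, and iptables for the forwarding rules (only forwarding between tunnel peers is opened and nothing is NATed, so peers see each other's real tunnel addresses). Peer names and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example for this page; not from the wiki or from wireguard-tools.
# Builds the site-server (hub) config from a peer list, refusing lists in
# which two peers share a tunnel address, and prints the client-side [Peer].
# Assumptions: interface w0, 10.0.0.0/24 with the hub at .1, UDP 51821,
# iptables. Names and keys below are constructed placeholders.
set -u

HUB_IF=w0
HUB_NET=10.0.0.0/24
HUB_ADDR=10.0.0.1/24
HUB_PORT=51821

# Peer list: "name tunnel-ip public-key", one per line (constructed data).
PEERS='
laptop-a  10.0.0.2  AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
laptop-b  10.0.0.3  AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=
'

# Fail when two peers share a tunnel address: each [Peer] needs its own /32
# in AllowedIPs, otherwise cryptokey routing silently favours the last entry.
wg_hub_check_peers() {
    dup=$(printf '%s\n' "$1" | awk 'NF {print $2}' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate tunnel address: $dup" >&2
        return 1
    fi
}

# wg_hub_conf HUB_PRIVATE_KEY PEER_LIST: print the hub's $HUB_IF.conf.
# ip_forward plus a FORWARD rule restricted to w0 -> w0 is all the hub needs
# to relay between clients; no traffic leaves the tunnel.
wg_hub_conf() {
    hub_key=$1; peers=$2
    wg_hub_check_peers "$peers" || return 1
    cat <<EOF
# site-server: every client connects here and is forwarded to the others
[Interface]
PrivateKey = $hub_key
Address = $HUB_ADDR
ListenPort = $HUB_PORT
PreUp = iptables -I INPUT -p udp --dport $HUB_PORT -j ACCEPT
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -I FORWARD -i $HUB_IF -o $HUB_IF -j ACCEPT
PostDown = iptables -D FORWARD -i $HUB_IF -o $HUB_IF -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport $HUB_PORT -j ACCEPT
EOF
    printf '%s\n' "$peers" | awk 'NF' | while read -r name ip key; do
        cat <<EOF

# $name
[Peer]
PublicKey = $key
AllowedIPs = $ip/32
EOF
    done
}

# wg_hub_client_peer HUB_PUBLIC_KEY HUB_PUBLIC_IP: the [Peer] a client adds.
# Routing the whole tunnel subnet to the hub is what lets clients reach each
# other; the keepalive keeps NAT mappings open so the hub can reach the client.
wg_hub_client_peer() {
    hub_pub=$1; hub_endpoint=$2
    cat <<EOF
[Peer]
PublicKey = $hub_pub
Endpoint = $hub_endpoint:$HUB_PORT
AllowedIPs = $HUB_NET
PersistentKeepalive = 25
EOF
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    wg_hub_conf "${HUB_KEY:-<private key of the site-server>}" "$PEERS"
    echo
    wg_hub_client_peer "<public key of the site-server>" 203.0.113.10
fi
```

Each client keeps its own [Interface] from the peer configuration above and replaces the point-to-point [Peer] with the stanza printed by wg_hub_client_peer. Because every client's AllowedIPs at the hub is a single /32, a client can only send packets from its own tunnel address; spoofing another peer's address is dropped by the hub before any forwarding rule sees it.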