WireGuard is the new kid on the block among open source VPNs, so let’s check it out.
The code base is described as slim, fast, and easy to set up.
I’m starting from a fresh Ubuntu 20.04 installation.
I start by installing the WireGuard package:
sudo apt install wireguard
I switch to the root user and change into /etc/wireguard. The package creates that directory so that only root can enter it, and that is deliberate: the server’s private key is going to live there.
Now that we are in the folder, we want to create our private key and public key.
The key pair is the access control for the WireGuard server: a peer is accepted only if its public key is listed in the server configuration, so these files need careful handling.
We restrict access to the keys by creating them with file permissions that give only the root user access.
Running umask 077 first means every file created afterwards in this shell gets mode 0600: only the owner (root) can read or write it, and group and others get nothing at all.
We can now safely generate the key pair by running the command below:
wg genkey | tee privatekey | wg pubkey > publickey
This command generates a private key; tee writes it to the file ‘privatekey’ and also passes it on to wg pubkey, which derives the matching public key and writes it to ‘publickey’.
A key point to remember: the private key is to be kept private! The public key can be handed out freely; it is the one the clients will need.
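To turn the umask step into something you can check rather than trust, here is an added example (my own script, not code from the original post): it generates the key pair under a restrictive umask and then audits the key directory for any file that is not owner-only or not owned by the expected user. It assumes Linux with a stat that supports -c '%a' and '%u', and that the wg tool is installed for the generation step.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the server key pair
# under a restrictive umask, then audit the key directory for any file that
# group or others can read. Assumes Linux with GNU/BusyBox stat (-c '%a' '%u').

# Generate privatekey/publickey in $1 (default /etc/wireguard). Needs the wg
# tool. The umask is set inside a subshell so it does not leak into the
# caller's shell.
generate_wg_keys() {
    dir="${1:-/etc/wireguard}"
    (
        umask 077                 # files created from here on get mode 0600
        cd "$dir" || exit 1
        wg genkey | tee privatekey | wg pubkey > publickey
    )
}

# Print one line per file in $1 that is readable/writable by group or others,
# or whose numeric owner uid is not $2 (default 0, i.e. root). Prints nothing
# when the directory is clean, so it can be used as a check in a script.
audit_wg_keys() {
    dir="$1"
    want_owner="${2:-0}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")      # e.g. 600 or 644
        owner=$(stat -c '%u' "$f")     # numeric uid
        group_other="${mode#?}"        # drop the owner digit: "00" is clean
        if [ "$group_other" != "00" ] || [ "$owner" != "$want_owner" ]; then
            printf '%s mode=%s owner=%s\n' "$f" "$mode" "$owner"
        fi
    done
}

# Typical use as root:
#   generate_wg_keys && audit_wg_keys /etc/wireguard
```

If audit_wg_keys prints anything, fix it with chmod 600 and chown root before going further; a world-readable privatekey lets any local user impersonate the server to its peers.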
Let’s create the configuration file /etc/wireguard/wg0.conf with nano. The name matters: wg0 is the interface name the systemd unit used below refers to.
Populate the file with the information below (wg-quick requires the [Interface] header):
[Interface]
# A separate IP range for your VPN clients
Address = 10.X.X.254/24
# VPN server port (UDP)
ListenPort = 51820
# The server’s private key
PrivateKey = Enter the value from the privatekey file here
We’ll likely want the server to start at boot, which can be enabled with this command:
sudo systemctl enable wg-quick@wg0
And we can switch WireGuard on now with this command:
sudo systemctl start wg-quick@wg0
To verify the interface has come up, check that its IP address shows in the network status:
# ip a show wg0
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.X.X.254/24 scope global wg0
valid_lft forever preferred_lft forever
Great! The server is running. Port forwarding to the server is outside of the scope of this post, but I have forwarded UDP 51820 on my router to the private IP address of the Ubuntu system.
Let’s set up a client to test with. I’ll use my Android phone with the WireGuard app.
After installing the app on the phone, creating a new profile requires copying the server’s public key to the phone (and, later, the phone’s public key back to the server).
The settings I went for in the phone app are as follows:
Name – whatever you like
Private Key – tapped to generate one on the device (it never needs to leave the phone)
Public Key – copy this and keep it for the server configuration
Addresses – the client’s VPN address, e.g. 10.X.X.1/32, matching what the server will allow for this peer
DNS Servers – the DNS server you want to use whilst connected to the VPN
There is an option to add a peer; this is where the server details go:
Public Key – the server’s public key
Pre-shared key – blank (this is an optional extra symmetric secret; if you set it, it must be identical on both ends)
Persistent keepalive – blank (set it, typically 25 seconds, if the phone sits behind NAT and the server needs to reach it unprompted)
Endpoint – the VPN server address and port; if you have port forwarded this will be the WAN IP followed by :51820
Allowed IPs – traffic that should be routed into the tunnel; enter 0.0.0.0/0 to route all IPv4 traffic, or just the VPN and LAN ranges to split-tunnel
The phone generates its own key pair; its public key needs to be copied back to the server.
Add a peer section for the client to wg0.conf with nano:
[Peer]
# The public key provided by the client
PublicKey = ThePublicKeyCopiedFromTheClient
# The client’s VPN address: packets from this key are accepted only with this source address, and only this address is routed to it
AllowedIPs = 10.X.X.1/32
Once that is done we restart the server interface so it picks up the new peer (note that this drops any tunnels currently up):
sudo systemctl stop wg-quick@wg0
sudo systemctl start wg-quick@wg0
At this stage, once the client connects, both sides should be able to ping each other across the tunnel.
As I’ll be using this to access the rest of my LAN, the Ubuntu system needs to forward packets onwards. This is quite easy to do by enabling IP forwarding:
sysctl -w net.ipv4.ip_forward=1
Two caveats: sysctl -w only lasts until the next reboot, so the setting also needs to go into a file under /etc/sysctl.d to be permanent, and LAN hosts will only answer VPN clients if they have a route back to the VPN range or the server NATs the tunnel traffic behind its own LAN address.
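Putting the server-side steps together, here is an added example (my own script, not code from the original post) that renders the complete wg0.conf with the [Interface] and [Peer] headers, persists IP forwarding, and brings the interface up. Everything in it beyond the page’s own settings is an assumption for illustration: VPN range 10.200.200.0/24, server 10.200.200.254, the phone 10.200.200.1, a LAN-facing interface called eth0, and iptables for the NAT rules.

```shell
#!/bin/sh
# Added example, not code from the original post: render the complete server
# wg0.conf (with the [Interface]/[Peer] headers wg-quick needs), persist IP
# forwarding, and bring the interface up. The values below are assumptions
# for illustration: VPN range 10.200.200.0/24, server 10.200.200.254, the
# phone 10.200.200.1, LAN-facing interface eth0, iptables for NAT.

VPN_CIDR="10.200.200.0/24"
SERVER_ADDR="10.200.200.254/24"
CLIENT_ADDR="10.200.200.1/32"
LAN_IF="eth0"

# Print a wg0.conf to stdout. $1 = server private key, $2 = client public key.
render_wg0_conf() {
    cat <<EOF
[Interface]
Address = ${SERVER_ADDR}
ListenPort = 51820
PrivateKey = $1
# Allow forwarding in and out of the tunnel, and masquerade VPN traffic that
# leaves via the LAN interface so LAN hosts reply to the server's LAN address
# and need no static route back to ${VPN_CIDR}. wg-quick expands %i to "wg0".
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s ${VPN_CIDR} -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s ${VPN_CIDR} -o ${LAN_IF} -j MASQUERADE

[Peer]
# The phone. Packets from this key are accepted only with this source address,
# and only this address is routed to it.
PublicKey = $2
AllowedIPs = ${CLIENT_ADDR}
EOF
}

# Write the rendered config ($1) with root-only permissions, make forwarding
# survive reboots (sysctl -w alone does not), and start the unit. Run as root.
install_wg0_conf() {
    (umask 077; printf '%s\n' "$1" > /etc/wireguard/wg0.conf)
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-wireguard.conf
    sysctl --system > /dev/null
    systemctl enable --now wg-quick@wg0
}

# Typical use as root, with the keys from the earlier steps:
#   conf=$(render_wg0_conf "$(cat /etc/wireguard/privatekey)" "$CLIENT_PUBKEY")
#   install_wg0_conf "$conf"
```

When adding further peers later, a full stop/start of wg-quick@wg0 is not required: from bash, wg syncconf wg0 <(wg-quick strip wg0) applies the updated [Peer] entries without tearing down the tunnels that are already up.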
That concludes the set-up of the WireGuard server: a lot easier than OpenVPN, for sure!