Categories
Network Security Ubuntu

Checking out Wireguard – Server Installation

Wireguard is the new kid on the block to open source VPN servers, let’s check it out.

The code base is described as slim, quick, and easy to set up.

I’m starting off with a new and ready to go Ubuntu 20.04 installation, let’s check out Wireguard

I start things off with installing the WireGuard package

sudo apt install wireguard

I switch to the root user and navigate to the /etc/wireguard folder, we can’t access the /etc/wireguard folder being just a normal user. That’s for a good reason too.

sudo -i
cd /etc/wireguard

Now that we are in the folder, we want to create our private key and public key.

The private and public keys make up the main security border to getting access to the Wireguard server so we will want to be careful with these.

We restrict access with our certificates by creating them with special file permissions to allow the ‘root’ user to only have access.

By setting the command umask 077; only the owner and group ‘root’ will have access to these certificates

umask 077

We can now safely generate our private and public keys, we accomplish this by running the command below:

wg genkey | tee privatekey | wg pubkey > publickey

This command generates a private key, sends that output to a file ‘privatekey’ and also sends it to another Wireguard command to generate a public key.

A key part to remember here is that that the private key is to be kept private!

Let’s create a configuration file for Wireguard within /etc/wireguard with nano

nano wg0.conf

Populate the file with the information below

[Interface]
# A seperate IP range for your VPN clients
Address = 10.X.X.254/24
# VPN Server Port
ListenPort = 51820
# The Servers Private Key
PrivateKey = Enter the value from the privatekey file here

We’ll likely want the server to run at boot time which can be enabled with this command

sudo systemctl enable wg-quick@wg0

And we can switch Wireguard on now with this command:

sudo systemctl start wg-quick@wg0

To verify the server has started OK, check that it’s IP address shows with network status:

# ip a show wg0

3: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.X.X.254/24 scope global wg0
valid_lft forever preferred_lft forever

Great! The server is running. Port forwarding to the server is outside of the scope of this post, but I have forwarded UDP 51820 on my router to the private IP address of the Ubuntu system.

Let’s set up a client to test with, I’ll use my Android Phone with the WireGuard app below:

https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_GB

After setting up the WireGuard app on the phone, creating a new profile will require copying the public key from the server to the phone.

The settings I went for on the phone app are as follows:

Name – Whatever

Private Key – Tapped a few times to generate

Public Key – Copy this and keep it safe for your server configuration

Addresses: Enter the clients IP address here

DNS Servers: Enter the DNS server you want to use whilst connected to the VPN

There is an option to add a peer, this is where the server details go:

Public Key – Public key from the server

Pre-shared key – Blank

Persistent keepalive – Blank

Endpoint – Enter the VPN server address, if you have port forwarded this will be the WAN IP

Allowed IP/s – Traffic that should be routed to the VPN server, if you want to route all traffic enter 0.0.0.0/0

The phone will generate it’s own public key which will need to be copied back to the server.

Add the section of the client to the wg0.conf file with nano:

[Peer]
# The Public Key Provided By The Client
PublicKey = ThePublicKeyCopiedFromTheClient
# The Clients IP Address
AllowedIPs = 10.X.X.1/32

Once that is done we can restart the client:

sudo systemctl stop wg-quick@wg0
sudo systemctl start wg-quick@wg0

At this stage if you connect the client to the server, both sides should be able to ping each other.

As I’ll be using this to access the rest of my LAN, it will be good to allow the Ubuntu OS to forward packets onwards. This is quite easy to do by running this command:

sysctl -w net.ipv4.ip_forward=1

This concludes the set-up of WireGuard server, a lot easier than OpenVPN for sure!

Leave a Reply

Your email address will not be published. Required fields are marked *