path: root/src/content/post/configure-wireguard-vpn-behind-nat.md
Diffstat (limited to 'src/content/post/configure-wireguard-vpn-behind-nat.md')
-rw-r--r-- src/content/post/configure-wireguard-vpn-behind-nat.md 100
1 files changed, 100 insertions, 0 deletions
diff --git a/src/content/post/configure-wireguard-vpn-behind-nat.md b/src/content/post/configure-wireguard-vpn-behind-nat.md
new file mode 100644
index 0000000..3b59c71
--- /dev/null
+++ b/src/content/post/configure-wireguard-vpn-behind-nat.md
@@ -0,0 +1,100 @@
+---
+title: "Configure Wireguard VPN"
+description: "wireguard VPN behind NAT"
+publishDate: "2020-02-10"
+tags: ["archived", "network", "en"]
+author: "Dawid"
+---
+
+[Wireguard](https://www.wireguard.com/) is fast, simple (around 4k lines of code) and secure VPN. From my perspective as a user, a configuration is as simple as in SSH.
+
+## Installation
+
+Add repository and install package (for other systems go to [official docs](https://www.wireguard.com/install/))
+
+```bash
+add-apt-repository ppa:wireguard/wireguard
+apt-get update
+apt-get install -y wireguard
+```
+
+Ensure that you enabled forwarding in sysctl.
+
+```bash
+echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf
+echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/wg.conf
+sysctl --system
+```
+
+## Configuration
+
+1. Create server and client keys
+
+ ```sh
+ wg genkey | tee server.private.key | wg pubkey > server.public.key
+ wg genkey | tee client.private.key | wg pubkey > client.public.key
+ ```
+
+2. `touch /etc/wireguard/wg0.conf` and put config for VPN interface:
+
+ ```ini
+ [Interface]
+ Address=<server VPN ip>/24
+ PrivateKey = <server private key>
+ ListenPort = 51820
+ PostUp = iptables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE
+ PostDown = iptables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE
+
+ [Peer]
+ PublicKey = <client public key>
+ AllowedIPs = <client VPN ip>/32
+ ```
+
+ Example:
+
+ ```ini
+ [Interface]
+ Address=192.168.101.1/24
+ PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA=
+ ListenPort = 51820
+ PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+ PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
+
+ [Peer]
+ PublicKey = XKT1Ctj5b+gjXc1gMtOdxNEpc9UUM2TsXaFdAyABd3w=
+ AllowedIPs = 192.168.101.2/32
+ ```
+
+3. Run VPN server with `wg-quick up`
+
+4. Create config for client
+
+ ```ini
+ [Interface]
+ Address = <client VPN ip>/24
+ PrivateKey = <Client Private Key>
+ ListenPort = 21841
+ DNS = <dns ip 1>,<dns ip 2>
+
+ [Peer]
+ PublicKey = <server public key>
+ Endpoint = <server bridge interface address>:51820
+ AllowedIPs = 0.0.0.0/0
+ ```
+
+ Example:
+
+ ```ini
+ [Interface]
+ Address = 192.168.101.2/32
+ PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8=
+ ListenPort = 21841
+ DNS = 1.1.1.1,1.1.0.0
+
+ [Peer]
+ PublicKey = ccDLW5zKussL3ejxMqWpx1uZMfN09bkGAirCWXZWp0s=
+ Endpoint = 192.168.1.5:51820
+ AllowedIPs = 0.0.0.0/0
+ ```
+
+5. Install client software https://www.wireguard.com/install/ and paste client config
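Review bot: The two example configs in this hunk (`PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA=` in the server example and `PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8=` in the client example) embed full private keys next to their public keys; even if these are throwaway keys generated for the post, it teaches readers to paste secrets into documentation, so use the `<server private key>` / `<Client Private Key>` placeholders the templates already have, and add a line about restricting the config (`chmod 600 /etc/wireguard/wg0.conf`, or `umask 077` before running `wg genkey`) since the file holds the private key. Smaller points: step 3's `wg-quick up` is missing the interface name (`wg-quick up wg0`); the client template says `Address = <client VPN ip>/24` while the example uses `192.168.101.2/32`, pick one; `DNS = 1.1.1.1,1.1.0.0` looks like a typo for `1.0.0.1`; and since the post is titled "behind NAT" and `Endpoint = 192.168.1.5:51820` is a private address, a sentence on forwarding UDP 51820 from the upstream router to the server (and `PersistentKeepalive` on the peer that sits behind NAT) would complete the setup the title promises.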