---
title: "Configure Wireguard VPN"
description: "wireguard VPN behind NAT"
publishDate: "2020-02-10"
tags: ["archived", "network", "en"]
author: "Dawid"
---
[Wireguard](https://www.wireguard.com/) is a fast, simple (around 4k lines of code) and secure VPN. From my perspective as a user, configuring it is as simple as configuring SSH.
## Installation
Add the repository and install the package (for other systems, see the [official docs](https://www.wireguard.com/install/)):
```bash
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard
```
Ensure that IP forwarding is enabled in sysctl, otherwise the server will not route client traffic:
```bash
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/wg.conf
sysctl --system
```
## Configuration
1. Create the server and client key pairs:
```sh
wg genkey | tee server.private.key | wg pubkey > server.public.key
wg genkey | tee client.private.key | wg pubkey > client.public.key
```
2. Create `/etc/wireguard/wg0.conf` and put the config for the VPN interface in it:
```ini
[Interface]
Address = <server VPN ip>/24
PrivateKey = <server private key>
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE
[Peer]
PublicKey = <client public key>
AllowedIPs = <client VPN ip>/32
```
Example:
```ini
[Interface]
Address = 192.168.101.1/24
PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA=
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
[Peer]
PublicKey = XKT1Ctj5b+gjXc1gMtOdxNEpc9UUM2TsXaFdAyABd3w=
AllowedIPs = 192.168.101.2/32
```
3. Start the VPN interface with `wg-quick up wg0`
4. Create the config for the client:
```ini
[Interface]
Address = <client VPN ip>/24
PrivateKey = <Client Private Key>
ListenPort = 21841
DNS = <dns ip 1>,<dns ip 2>
[Peer]
PublicKey = <server public key>
Endpoint = <server bridge interface address>:51820
AllowedIPs = 0.0.0.0/0
```
Example:
```ini
[Interface]
Address = 192.168.101.2/32
PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8=
ListenPort = 21841
DNS = 1.1.1.1,1.1.0.0
[Peer]
PublicKey = ccDLW5zKussL3ejxMqWpx1uZMfN09bkGAirCWXZWp0s=
Endpoint = 192.168.1.5:51820
AllowedIPs = 0.0.0.0/0
```
5. Install the [client software](https://www.wireguard.com/install/) and paste in the client config
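The five steps above as one script, added here as an example and not part of the original post: it renders the server and client configs from the values used in steps 2 and 4, lints them for two mistakes that are easy to make (a server-side `AllowedIPs` wider than one host, and a full-tunnel client without a `DNS=` line), and writes the result mode 0600 because the files contain private keys. It assumes the keys were generated with `wg genkey`/`wg pubkey` as in step 1 and are passed in as arguments; the interface name, addresses and `*_PLACEHOLDER` keys in the demo at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: render, lint and write the
# wg0.conf / client config from steps 1-4. Keys come from `wg genkey` and
# `wg pubkey` (step 1); the placeholder values at the bottom are constructed.
set -eu

# render_server_conf VPN_ADDR/CIDR SERVER_PRIVKEY PORT NAT_IFACE CLIENT_PUBKEY CLIENT_VPN_IP
render_server_conf() {
  printf '[Interface]\nAddress = %s\nPrivateKey = %s\nListenPort = %s\n' "$1" "$2" "$3"
  printf 'PostUp = iptables -t nat -A POSTROUTING -o %s -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$4" "$4"
  printf 'PostDown = iptables -t nat -D POSTROUTING -o %s -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$4" "$4"
  # A /32 pins the peer to one VPN address: packets it sends from any other
  # source address are dropped by the interface.
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$5" "$6"
}

# render_client_conf VPN_ADDR/CIDR CLIENT_PRIVKEY DNS_LIST SERVER_PUBKEY ENDPOINT_HOST:PORT
render_client_conf() {
  printf '[Interface]\nAddress = %s\nPrivateKey = %s\nDNS = %s\n' "$1" "$2" "$3"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' "$4" "$5"
}

# lint_server_conf: reads a server config on stdin. Every AllowedIPs entry
# must be a single host; a wider prefix lets that one peer send traffic as
# any address in the range. Prints "ok", or the offending entries and fails.
lint_server_conf() {
  wide=$(grep -E '^AllowedIPs' | tr ',' '\n' | sed -e 's/^.*= *//' -e 's/^ *//' \
         | grep -v '/32$' || true)
  if [ -n "$wide" ]; then
    printf 'server: AllowedIPs wider than one host: %s\n' "$wide"
    return 1
  fi
  echo ok
}

# lint_client_conf: reads a client config on stdin. A full tunnel
# (AllowedIPs = 0.0.0.0/0) without a DNS= line keeps using the local
# resolver, so name lookups bypass the VPN.
lint_client_conf() {
  conf=$(cat)
  if printf '%s\n' "$conf" | grep -qE '^AllowedIPs *= *0\.0\.0\.0/0' &&
     ! printf '%s\n' "$conf" | grep -qE '^DNS *= *[0-9]'; then
    echo 'client: full tunnel without DNS=, lookups leak to the local resolver'
    return 1
  fi
  echo ok
}

# write_conf PATH: the files hold private keys, so create them mode 0600
# (umask 077 applies to newly created files only).
write_conf() {
  ( umask 077 && cat > "$1" )
}

# Demo with constructed placeholder keys; swap in the step-1 key files.
server=$(render_server_conf 192.168.101.1/24 SERVER_PRIVATE_KEY_PLACEHOLDER 51820 enp0s3 \
         CLIENT_PUBLIC_KEY_PLACEHOLDER 192.168.101.2)
client=$(render_client_conf 192.168.101.2/32 CLIENT_PRIVATE_KEY_PLACEHOLDER 1.1.1.1,1.0.0.1 \
         SERVER_PUBLIC_KEY_PLACEHOLDER 192.168.1.5:51820)
printf '%s\n' "$server" | lint_server_conf
printf '%s\n' "$client" | lint_client_conf
# printf '%s\n' "$server" | write_conf /etc/wireguard/wg0.conf   # then: wg-quick up wg0
```

Run it as root on the server to write `/etc/wireguard/wg0.conf`; the client config is what gets pasted into the client software in step 5. Both lints read the config from stdin, so they can also be pointed at an existing file with `lint_server_conf < /etc/wireguard/wg0.conf`.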