Since WireGuard future core Linux 5.6, I decided to see how best to integrate this VPN with my .
Equipment
- Raspberry Pi 3 with LTE module and public IP. There will be a VPN server (hereinafter referred to as edgewalker)
- Phone on Android, which must use a VPN for all communications
- A laptop Linux, which should only use VPN within the network
Every device that connects to a VPN must be able to connect to every other device. For example, a phone should be able to connect to a web server on a laptop if both devices are part of a VPN network. If the setup is simple enough, then you can think about connecting to a VPN and a desktop (via Ethernet).
Considering that wired and wireless connections are becoming less secure over time (, и ), I am seriously considering using WireGuard for all my devices, no matter what environment they run in.
Software installation
WireGuard provides for most distributions Linux, Windows и macOSApplications for Android and iOS are delivered through app stores.
I have the latest Fedora Linux 31, and before installing I was too lazy to read the manual. I just found the packages. wireguard-tools, installed them, and then couldn't figure out why nothing was working. Further investigation revealed that I did not have the package installed wireguard-dkms (with a network driver), and it was not in the repository of my distribution.
If I had read the instructions, I would have taken the right steps:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools I have the Raspbian Buster distribution installed on my Raspberry Pi, there is already a package wireguard, install it:
$ sudo apt install wireguardOn the phone Android I installed the application from the official catalog of the Google App Store.
Installing keys
To authenticate nodes Wireguard Uses a simple private/public key scheme to authenticate VPN nodes. You can easily generate VPN keys with the following command:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.keyThis gives us three key pairs (six files). We will not refer to files in configs, but copy the contents here: each key is one line in base64.
Creating a Configuration File for a VPN Server (Raspberry Pi)
The configuration is quite simple, I created the following file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32A couple of notes:
- In the appropriate places you need to insert the lines from the files with the keys
- My VPN is using internal range
10.200.200.0/24 - For teams
PostUp/PostDownI have an external network interface wwan0, you may have a different one (for example, eth0)
The VPN network is easily brought up with the following command:
$ sudo wg-quick up wg0 One small detail: as a DNS server, I used dnsmasq connected to network interface br0, I also added devices wg0 to the list of allowed devices. In dnsmasq, this is done by adding a new line with the network interface to the configuration file /etc/dnsmasq.conf, For example:
interface=br0
interface=wg0Also, I added an iptable rule to allow traffic to the listening UDP port (51280):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPTNow that everything is working, we can register the automatic launch of the VPN tunnel:
$ sudo systemctl enable wg-quick@wg0.serviceLaptop client configuration
On the laptop, create a configuration file /etc/wireguard/wg0.conf with the same settings:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820Notes:
- Instead of edgewalker, you need to specify a public IP or VPN server host
- By setting
AllowedIPs+10.200.200.0/24, we only use the VPN to access the internal network. Traffic to all other IP addresses/servers will continue to go through "regular" open channels. The pre-configured DNS server on the laptop will also be used.
For testing and automatic launch, we use the same commands wg-quick и systemd:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.serviceSetting up the client for Android-phone
For phone Android We create a very similar configuration file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820 Unlike the laptop configuration, the phone should use our VPN server as its DNS server (string DNS), as well as pass all traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).
Instead of copying the file to your mobile device, you can convert it to a QR code:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.confThe QR code will be output to the console as ASCII. It can be scanned from the app. Android VPN and automatically configure the VPN tunnel.
Final World
Setting WireGuard simply magical compared to OpenVPN.
Source: habr.com
