Ubuntu - VPN with Wireguard server and client setup

Here's how to install WireGuard on Ubuntu and configure it as a server, then set up the iOS WireGuard client as a road-warrior peer.


Setup the server on Ubuntu

1. Install wireguard
sudo apt install wireguard -y

2. Create directories for the server config
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard
sudo -i 
cd /etc/wireguard

3. Generate the server-side private and public keys (set umask 077 first so the private key file is created readable by root only)
umask 077
wg genkey | sudo tee server_private.key | wg pubkey | sudo tee server_public.key

4. Setup the server-side wireguard config 
#The server keys generated above need copying into the config. The client public keys come from the phones: the iOS app generates its own key pair (step 13), so copy each phone's public key into its [Peer] block. The client private keys never leave the phones.
cat server_public.key 
cat server_private.key 

#Create the config
vi /etc/wireguard/wg0.conf

Contents:

[Interface]
Address = 10.10.11.1/24
SaveConfig = true   #writes the running config back to this file on wg-quick down (see the N.B. at the end)
ListenPort = 51820
PrivateKey = <contents of server_private.key>

[Peer] #Peer 1
PublicKey = <public key shown by the iOS app on phone 1>
AllowedIPs = 10.10.11.2/32

[Peer] #Peer 2
PublicKey = <public key shown by the iOS app on phone 2>
AllowedIPs = 10.10.11.3/32

5. Bring up the wireguard server
sudo wg-quick up wg0

6. Enable the wireguard server as a service so it comes up at boot
sudo systemctl enable wg-quick@wg0

7. Setup the router firewall to port forward 51820/udp to the server's LAN IP

8. Setup the server firewall to allow wireguard clients to reach the server's listen port
sudo ufw allow 51820/udp

9. Setup the server firewall for wireguard roadwarrior

#Note: rules added with iptables by hand are lost at reboot. Either save them (e.g. with iptables-persistent) or put them in PostUp/PostDown lines in wg0.conf so wg-quick applies and removes them with the interface. Replace enp2s0 with the server's outbound interface (check it with: ip route show default).

#Any packet arriving on the WireGuard interface can reach the server itself

iptables -A INPUT -i wg0 -j ACCEPT

#NAT on the outbound interface: packets from the WireGuard subnet (wg0) heading for the LAN or the Internet leave with the server's own IP on enp2s0 as source. Without this, hosts on the LAN and the Internet would have no route back to the 10.10.11.0/24 client addresses.

iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

#Allow clients on the WireGuard network to send traffic to other networks (LAN or Internet) through the server.

iptables -A FORWARD -i wg0 -j ACCEPT

#Allow forwarded packets to return to the WireGuard clients. Combined with the previous FORWARD rule, it enables bidirectional routing for the tunnel. This rule as written also lets LAN hosts initiate connections to the clients; restrict it with -m conntrack --ctstate RELATED,ESTABLISHED if only replies should get back in.

iptables -A FORWARD -o wg0 -j ACCEPT

10. Setup packet forwarding (without this the FORWARD rules above do nothing)
sudo vi /etc/sysctl.conf

Set:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

#Apply without rebooting:
sudo sysctl -p

11. Check the routing
#Ensure that no other subnet (the server's LAN, or the Wi-Fi the phone will be on) overlaps with the wireguard subnet 10.10.11.0/24
ip route show


Setup the client on iOS

12. Install wireguard from the app store

13. Setup conf from scratch

Interface
Name: anything you want
Private & public key: click generate pair (the public key shown here is what goes into this phone's [Peer] block on the server)
Addresses: 10.10.11.X/32   where X matches the AllowedIPs of this phone's [Peer] block on the server (peer 1 is 10.10.11.2, peer 2 is 10.10.11.3)
Listen port: automatic
MTU: automatic
DNS servers: with full tunnelling all DNS queries go through the tunnel, so set a resolver reachable through it (a LAN resolver or a public one)

Peer
Public key: copy the server's public key in (server_public.key)
Preshared key: blank
Endpoint: <server fqdn>:51820   #the public name or IP of the router that forwards 51820/udp to the server
Allowed IPs: 0.0.0.0/0, ::/0     #for full tunnelling
Exclude private IPs: disabled
Persistent keepalive: 25   #keeps the NAT mapping on the router open

14. Activate the tunnel from the iPhone

Client side check: You should see "Latest handshake" show up in the iOS wireguard client
Server side check: you should see "latest handshake" with a recent time for that peer via the command 
sudo wg show

15. Check you can ping the server from the client
ping 10.10.11.1

16. Check you can ping the client (peer 1) from the server
ping 10.10.11.2


N.B. Because the config has SaveConfig = true, wg-quick writes the running configuration back to wg0.conf when the interface is brought down. Edits made to the file while the interface is up are therefore overwritten on the next wg-quick down. Bring the interface down first, then edit, then bring it up again.

i.e.
sudo wg-quick down wg0
sudo vi /etc/wireguard/wg0.conf
sudo wg-quick up wg0
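The whole procedure above, from the key check through the server wg0.conf, the per-phone settings and the step 11 route overlap check, as an added Python example that is not part of the original post. It assumes keys are supplied as the base64 strings that wg genkey and the iOS app produce (the sample keys below are constructed placeholders, not real key pairs), that peer N gets host N+1 of the subnet as in the post (peer 1 is 10.10.11.2), and it puts the iptables rules in PostUp/PostDown instead of relying on SaveConfig. The route lines are a constructed sample of ip route show output; the interface name enp2s0, the endpoint vpn.example.org and the DNS address are placeholders.

```python
"""Build the WireGuard server config and the per-phone settings for the
road-warrior setup, and check the tunnel subnet against existing routes.
Added example, not code from the original post."""
import base64
import ipaddress
import itertools


def valid_key(key):
    """A WireGuard key is 32 bytes, base64-encoded (44 chars ending in '=').
    Catches a key that was truncated or had stray characters pasted in."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def overlapping_routes(wg_subnet, ip_route_output, wg_iface="wg0"):
    """Destinations in `ip route show` output that overlap the WireGuard
    subnet (step 11). Routes on the tunnel interface itself are skipped."""
    net = ipaddress.ip_network(wg_subnet, strict=False)
    hits = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        if "dev" in fields and fields[fields.index("dev") + 1] == wg_iface:
            continue
        try:
            dst = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:          # "unreachable", "blackhole", ...
            continue
        if dst.version == net.version and net.overlaps(dst):
            hits.append(fields[0])
    return hits


def assign_addresses(subnet, n_peers):
    """Server takes the first usable host, peers the following ones in order."""
    net = ipaddress.ip_network(subnet, strict=False)
    hosts = list(itertools.islice(net.hosts(), n_peers + 1))
    if len(hosts) < n_peers + 1:
        raise ValueError("subnet %s too small for %d peers" % (subnet, n_peers))
    return hosts[0], hosts[1:]


def server_conf(server_private_key, subnet, listen_port, out_iface, peers):
    """wg0.conf text. peers: list of (name, client_public_key) in peer order.
    Firewall rules go in PostUp/PostDown (%i is expanded to the interface
    name by wg-quick), so no SaveConfig and nothing is lost at reboot."""
    if not valid_key(server_private_key):
        raise ValueError("bad server private key")
    net = ipaddress.ip_network(subnet, strict=False)
    server_ip, peer_ips = assign_addresses(subnet, len(peers))
    up = [
        "iptables -A INPUT -i %i -j ACCEPT",
        "iptables -A FORWARD -i %i -j ACCEPT",
        # only replies to client-initiated traffic get forwarded back in
        "iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "iptables -t nat -A POSTROUTING -s {} -o {} -j MASQUERADE".format(net, out_iface),
    ]
    down = [rule.replace(" -A ", " -D ", 1) for rule in up]
    lines = [
        "[Interface]",
        "Address = %s/%d" % (server_ip, net.prefixlen),
        "ListenPort = %d" % listen_port,
        "PrivateKey = %s" % server_private_key,
        "PostUp = " + "; ".join(up),
        "PostDown = " + "; ".join(down),
    ]
    for (name, pub), ip in zip(peers, peer_ips):
        if not valid_key(pub):
            raise ValueError("bad public key for peer %s" % name)
        lines += ["", "[Peer] # %s" % name, "PublicKey = %s" % pub,
                  "AllowedIPs = %s/32" % ip]
    return "\n".join(lines) + "\n"


def client_settings(peer_number, server_public_key, subnet, endpoint_host,
                    listen_port, dns):
    """What gets typed into the iOS app for peer N. The phone generates and
    keeps its own private key, so none is emitted here."""
    _, peer_ips = assign_addresses(subnet, peer_number)
    return "\n".join([
        "[Interface]",
        "# PrivateKey: generated on the phone, never leaves it",
        "Address = %s/32" % peer_ips[peer_number - 1],
        "DNS = %s" % dns,
        "",
        "[Peer]",
        "PublicKey = %s" % server_public_key,
        "Endpoint = %s:%d" % (endpoint_host, listen_port),
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "PersistentKeepalive = 25",
    ]) + "\n"


# Constructed placeholder keys (right length and encoding, not real key pairs).
SAMPLE_SERVER_PRIV = base64.b64encode(bytes(range(0, 32))).decode()
SAMPLE_SERVER_PUB = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_PEERS = [("phone-1", base64.b64encode(bytes(range(64, 96))).decode()),
                ("phone-2", base64.b64encode(bytes(range(96, 128))).decode())]
# Constructed sample of `ip route show`; the /16 route clashes with the tunnel.
SAMPLE_ROUTES = """default via 192.168.1.1 dev enp2s0 proto dhcp metric 100
10.10.0.0/16 via 192.168.1.1 dev enp2s0
10.10.11.0/24 dev wg0 proto kernel scope link src 10.10.11.1
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.50
"""

if __name__ == "__main__":
    print(server_conf(SAMPLE_SERVER_PRIV, "10.10.11.0/24", 51820, "enp2s0", SAMPLE_PEERS))
    print(client_settings(1, SAMPLE_SERVER_PUB, "10.10.11.0/24", "vpn.example.org", 51820, "192.168.1.1"))
    print("overlapping routes:", overlapping_routes("10.10.11.0/24", SAMPLE_ROUTES))
```

Run the overlap check against the real ip route show output before bringing wg0 up; a hit there means the tunnel subnet has to change. The conntrack match on the FORWARD -o rule is tighter than the rule in step 9: LAN hosts can no longer open connections to the phones, only answer them, which is usually what a road-warrior setup wants.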
