Difference between revisions of "WireGuard"

From Indie IT Wiki
 
Latest revision as of 12:28, 13 September 2024

Introduction

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

https://www.wireguard.com/

Installation

Docker

https://github.com/wg-easy/wg-easy

Normal

https://www.wireguard.com/install/

Server

https://wiki.indie-it.com/wiki/Docker#WireGuard

Client

Windows

https://duckduckgo.com/?q=wireguard+windows+10+admin&t=chromentp&ia=web

https://serversideup.net/how-to-configure-a-wireguard-windows-10-vpn-client/

https://github.com/WireGuard/wireguard-windows/blob/master/docs/adminregistry.md#registry-keys-for-admins

Linux

sudo apt-get -y install wireguard

Display a client's config as a QR code in the terminal so it can be scanned with the mobile app (needs the qrencode package):

qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf

TO BE COMPLETED PROPERLY

nmcli connection import type wireguard file /etc/wireguard/wg0.conf
nmcli connection show wg0
nmcli connection up wg0
nmcli --overview connection show wg0 | zenity --text-info --width 600 --height 800
nmcli connection down wg0
nmcli device show
nmcli connection --help
nmcli connection modify wg0 connection.autoconnect no
nmcli connection show wg0

Routing

By default, with AllowedIPs = 0.0.0.0/0 as in the config below, wg-quick routes ALL traffic through the WireGuard interface: it adds a default route to routing table 51820 and a policy rule that sends every packet not marked by WireGuard itself to that table.

To disable this, or to add custom routes, add some PostUp lines to the config file. PostUp commands run after wg-quick has brought the interface up and installed its own routes, so they can safely change table 51820.

In the example below, I have added a route to one particular server and then deleted the default route.

This works really well, because it means I can connect to the VPN and then reach that same server over the WireGuard interface to connect via SSH, while the rest of my traffic leaves the machine as normal :)

/etc/wg0.conf

[Interface]
Address = 10.6.0.2
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51820
PostUp = ip route add 1.23.456.789/32 dev wg0 table 51820
PostUp = ip route del 0.0.0.0/0 dev wg0 table 51820

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endpoint = wireguard.domain.uk:51820
AllowedIPs = 0.0.0.0/0

To put back the default setting of routing all your traffic through the WireGuard tunnel ...

sudo ip route add 0.0.0.0/0 dev wg0 table 51820
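An added example (not from this wiki page) that parses a wg-quick config of the shape shown above and generates the split-tunnel edit two ways: the PostUp route edit used on this page, and the alternative of narrowing AllowedIPs, which also limits which source addresses WireGuard will accept from the peer. The config text and the 203.0.113.10 / 198.51.100.0/24 addresses are constructed sample values.

```python
import ipaddress

# Constructed sample config mirroring the page's layout (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
Address = 10.6.0.2
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endpoint = wireguard.domain.uk:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into [(section, [(key, value), ...])], keeping order and duplicate keys."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1].append((key, value))
    return sections

def postup_lines(hosts, dev="wg0", table=51820):
    """The page's manual edit, generated: one route per host, then drop the catch-all route wg-quick put in the table."""
    cmds = [f"ip route add {ipaddress.ip_network(h)} dev {dev} table {table}" for h in hosts]
    cmds.append(f"ip route del 0.0.0.0/0 dev {dev} table {table}")
    return cmds

def split_tunnel(text, hosts, mode="postup"):
    """mode='postup': append PostUp lines, AllowedIPs stays 0.0.0.0/0 (the page's way).
    mode='allowedips': narrow AllowedIPs instead; wg-quick then only routes those prefixes
    and WireGuard's cryptokey routing drops peer packets from any other source address."""
    nets = ", ".join(str(ipaddress.ip_network(h)) for h in hosts)
    out = []
    for name, items in parse_wg_conf(text):
        out.append(f"[{name}]")
        for key, value in items:
            if mode == "allowedips" and name == "Peer" and key == "AllowedIPs":
                value = nets
            out.append(f"{key} = {value}")
        if mode == "postup" and name == "Interface":
            out.extend(f"PostUp = {c}" for c in postup_lines(hosts))
        out.append("")
    return "\n".join(out)
```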

Here are some examples of showing, testing and changing routes ...

Showing

ip link
ip a
ip route show table 51820

Testing

ip route get 1.1.1.1
ip route get myserver.uk

Command Line

alias wireguard-down='sudo wg-quick down wg0'
alias wireguard-show='sudo wg show'
alias wireguard-up='sudo wg-quick up wg0'

Troubleshooting

ERROR: /usr/bin/wg-quick: line 32: resolvconf: command not found

Link the new resolvectl binary under the names of the "old" tools systemd-resolve and resolvconf (resolvectl checks the name it was invoked as and provides the compatible interface) ...

sudo ln /usr/bin/resolvectl /usr/bin/systemd-resolve
sudo ln /usr/bin/resolvectl /usr/bin/resolvconf
sudo ldconfig
sudo wg-quick up wg0
sudo resolvectl status

Management

https://github.com/wg-easy/wg-easy

https://github.com/gravitl/netmaker

Network Manager GUI

https://www.xmodulo.com/wireguard-vpn-network-manager-gui.html