Difference between revisions of "WireGuard"
Plittlefield (talk | contribs) |
Plittlefield (talk | contribs) |
||
(10 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
− | + | WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. | |
https://www.wireguard.com/ | https://www.wireguard.com/ | ||
== Installation == | == Installation == | ||
+ | |||
+ | === Docker === | ||
+ | |||
+ | https://github.com/wg-easy/wg-easy | ||
+ | |||
+ | === Normal === | ||
+ | |||
+ | https://www.wireguard.com/install/ | ||
=== Server === | === Server === | ||
+ | https://wiki.indie-it.com/wiki/Docker#WireGuard | ||
=== Client === | === Client === | ||
+ | |||
+ | ==== Windows ==== | ||
+ | |||
+ | https://duckduckgo.com/?q=wireguard+windows+10+admin&t=chromentp&ia=web | ||
+ | |||
+ | https://serversideup.net/how-to-configure-a-wireguard-windows-10-vpn-client/ | ||
+ | |||
+ | https://github.com/WireGuard/wireguard-windows/blob/master/docs/adminregistry.md#registry-keys-for-admins | ||
+ | |||
+ | ==== Linux ==== | ||
sudo apt-get -y install wireguard | sudo apt-get -y install wireguard | ||
+ | |||
+ | qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf | ||
TO BE COMPLETED PROPERLY | TO BE COMPLETED PROPERLY | ||
− | |||
548 2021-05-21 17:08:32 nmcli connection import type wireguard file /etc/wireguard/wg0.conf | 548 2021-05-21 17:08:32 nmcli connection import type wireguard file /etc/wireguard/wg0.conf | ||
Line 34: | Line 54: | ||
1015 2021-06-07 11:17:05 nmcli connection modify wg0 connection.autoconnect no | 1015 2021-06-07 11:17:05 nmcli connection modify wg0 connection.autoconnect no | ||
1016 2021-06-07 11:17:22 nmcli connection show wg0 | 1016 2021-06-07 11:17:22 nmcli connection show wg0 | ||
+ | |||
+ | == Routing == | ||
+ | |||
+ | By default, the config will route ALL traffic through the wireguard interface using table 51820. | ||
+ | |||
+ | To disable this, or make custom routes, just add some '''PostUp''' lines to the config file. | ||
+ | |||
+ | In the example below, I have added a route to a particular server and then deleted the default routing. | ||
+ | |||
+ | This works really well, because it means I can connect to the VPN then go through the same server through the wireguard interface in order to connect via SSH :) | ||
+ | |||
+ | <code>/etc/wg0.conf</code> | ||
+ | |||
+ | [Interface] | ||
+ | Address = 10.6.0.2 | ||
+ | PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx | ||
+ | ListenPort = 51820 | ||
+ | '''PostUp = ip route add 1.23.456.789/32 dev wg0 table 51820''' | ||
+ | '''PostUp = ip route del 0.0.0.0/0 dev wg0 table 51820''' | ||
+ | |||
+ | [Peer] | ||
+ | PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | ||
+ | PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx | ||
+ | Endpoint = wireguard.domain.uk:51820 | ||
+ | AllowedIPs = 0.0.0.0/0 | ||
+ | |||
+ | To put back the default setting of routing all your traffic through the WireGuard tunnel ... | ||
+ | |||
+ | sudo ip route add 0.0.0.0/0 dev wg0 table 51820 | ||
+ | |||
+ | Here are some examples of showing, testing and changing routes ... | ||
+ | |||
+ | '''Showing''' | ||
+ | |||
+ | ip link | ||
+ | ip a | ||
+ | ip route show table 51820 | ||
+ | |||
+ | '''Testing''' | ||
+ | |||
+ | ip route get 1.1.1.1 | ||
+ | ip route get myserver.uk | ||
+ | |||
+ | == Command Line == | ||
+ | |||
+ | alias wireguard-down='sudo wg-quick down wg0' | ||
+ | alias wireguard-show='sudo wg show' | ||
+ | alias wireguard-up='sudo wg-quick up wg0' | ||
+ | |||
+ | == Troubleshooting == | ||
+ | |||
+ | === ERROR: /usr/bin/wg-quick: line 32: resolvconf: command not found === | ||
+ | |||
+ | Create symlinks to the new resolvectl for the "old" software '''systemd-resolve''' and '''resolvconf''' ... | ||
+ | |||
+ | sudo ln /usr/bin/resolvectl /usr/bin/systemd-resolve | ||
+ | sudo ln /usr/bin/resolvectl /usr/bin/resolvconf | ||
+ | sudo ldconfig | ||
+ | sudo wg-quick up wg0 | ||
+ | sudo resolvectl status | ||
+ | |||
+ | == Management == | ||
+ | |||
+ | https://github.com/wg-easy/wg-easy | ||
+ | |||
+ | https://github.com/gravitl/netmaker | ||
+ | |||
+ | == Network Manager GUI == | ||
+ | |||
+ | https://www.xmodulo.com/wireguard-vpn-network-manager-gui.html |
Latest revision as of 12:28, 13 September 2024
Introduction
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Installation
Docker
https://github.com/wg-easy/wg-easy
Normal
https://www.wireguard.com/install/
Server
https://wiki.indie-it.com/wiki/Docker#WireGuard
Client
Windows
https://duckduckgo.com/?q=wireguard+windows+10+admin&t=chromentp&ia=web
https://serversideup.net/how-to-configure-a-wireguard-windows-10-vpn-client/
Linux
sudo apt-get -y install wireguard
qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf
TO BE COMPLETED PROPERLY
548 2021-05-21 17:08:32 nmcli connection import type wireguard file /etc/wireguard/wg0.conf 552 2021-05-21 17:09:22 nmcli connection import type wireguard file wg0.conf 553 2021-05-21 17:09:50 nmcli connection show wg0 554 2021-05-21 17:10:06 nmcli connection up wg0 555 2021-05-21 17:10:27 nmcli --overview connection show wg0 | zenity --text-info --width 600 --height 800 557 2021-05-21 17:10:54 nmcli connection down wg0 987 2021-06-07 09:34:47 nmcli connection show wg0 988 2021-06-07 09:35:02 nmcli connection down wg0 1008 2021-06-07 11:11:00 nmcli 1009 2021-06-07 11:11:25 nmcli device show 1010 2021-06-07 11:12:14 nmcli connection 1011 2021-06-07 11:12:28 nmcli connection --help 1012 2021-06-07 11:14:58 nmcli connection 1013 2021-06-07 11:15:08 nmcli connection show 1014 2021-06-07 11:15:13 nmcli connection show wg0 1015 2021-06-07 11:17:05 nmcli connection modify wg0 connection.autoconnect no 1016 2021-06-07 11:17:22 nmcli connection show wg0
Routing
By default, the config will route ALL traffic through the wireguard interface using table 51820.
To disable this, or make custom routes, just add some PostUp lines to the config file.
In the example below, I have added a route to a particular server and then deleted the default routing.
This works really well, because it means I can connect to the VPN then go through the same server through the wireguard interface in order to connect via SSH :)
/etc/wg0.conf
[Interface] Address = 10.6.0.2 PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx ListenPort = 51820 PostUp = ip route add 1.23.456.789/32 dev wg0 table 51820 PostUp = ip route del 0.0.0.0/0 dev wg0 table 51820 [Peer] PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx Endpoint = wireguard.domain.uk:51820 AllowedIPs = 0.0.0.0/0
To put back the default setting of routing all your traffic through the WireGuard tunnel ...
sudo ip route add 0.0.0.0/0 dev wg0 table 51820
Here are some examples of showing, testing and changing routes ...
Showing
ip link ip a ip route show table 51820
Testing
ip route get 1.1.1.1 ip route get myserver.uk
Command Line
alias wireguard-down='sudo wg-quick down wg0' alias wireguard-show='sudo wg show' alias wireguard-up='sudo wg-quick up wg0'
Troubleshooting
ERROR: /usr/bin/wg-quick: line 32: resolvconf: command not found
Create symlinks to the new resolvectl for the "old" software systemd-resolve and resolvconf ...
sudo ln /usr/bin/resolvectl /usr/bin/systemd-resolve sudo ln /usr/bin/resolvectl /usr/bin/resolvconf sudo ldconfig sudo wg-quick up wg0 sudo resolvectl status
Management
https://github.com/wg-easy/wg-easy
https://github.com/gravitl/netmaker
Network Manager GUI
https://www.xmodulo.com/wireguard-vpn-network-manager-gui.html