HowTo Quickly Setup A VPN Using WireGuard On NST
Overview
This page provides a quick start reference on how to setup a fast, modern, secure VPN tunnel using WireGuard on NST.
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It tends to outperform OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP Addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.
WireGuard Detailed Command-Line Setup
One can follow the detailed setup for a WireGuard VPN on its main site: Quick Start. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.
NST Quick WireGuard VPN Setup
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "/etc/wireguard".
[root@shopper2 wireguard]# ls -al /etc/wireguard total 28 drwx------ 2 root root 92 Nov 20 08:22 . drwxr-xr-x 229 root root 12288 Nov 20 08:22 .. -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
Example VPN Setup Steps
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a NATed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.
NST Server Side:
- Server Address: "10.55.55.1"
- Host Name: "shopper2"
- Public IP Address: "102.5.221.22"
- WireGuard UDP VPN Listen Port: "51820"
- WireGuard Virtual Interface: "wg0"
NST Clent Side:
- Client Address: "10.55.55.2"
- Host Name: "pktcap28"
- WireGuard Virtual Interface: "wg0"
WireGuard Server Endpoint Setup
Do the following steps on the NST server side (shopper2):
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:
[root@shopper2 ~]# cd /etc/wireguard
2) Copy the Server template file to a "wg0" WireGuard configuration file for this virtual network interface:
[root@shopper2 wireguard]# cp wg-server.template.conf wg0.conf [root@shopper2 wireguard]# ls -al total 36 drwx------ 2 root root 108 Nov 20 08:46 . drwxr-xr-x 235 root root 16384 Nov 19 08:45 .. -rw------- 1 root root 174 Nov 20 08:50 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = -SERVER PRIVATE KEY- [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
[root@shopper2 wireguard]# source ./wg-generate-keys [root@shopper2 wireguard]# ls -al total 44 drwx------ 2 root root 143 Nov 20 08:57 . drwxr-xr-x 235 root root 16384 Nov 19 08:45 .. -rw------- 1 root root 45 Nov 20 08:57 privatekey -rw------- 1 root root 45 Nov 20 08:57 publickey -rw------- 1 root root 174 Nov 20 08:50 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf
4) Edit the "wg0.conf" configuration file and substitute in the generated Server Private key content for the "-SERVER PRIVATE KEY-" name placeholder.
Before substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = -SERVER PRIVATE KEY- [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
[root@shopper2 wireguard]# cat privatekey UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=
After substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ= [Peer] PublicKey = -CLIENT PUBLIC KEY- AllowedIPs = 10.55.55.2/32
***Note: We will substitute in the Client public key later once we generate it on the client NST system (See "WireGuard Client Endpoint Setup - Step: 6 Below").
WireGuard Client Endpoint Setup
Do the following steps on the NST client side (pktcap28):
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:
[root@pktcap28 ~]# cd /etc/wireguard
2) Copy the Client template file to a "wg0" WireGuard configuration file for this virtual network interface:
[root@pktcap28 wireguard]# cp wg-client.template.conf wg0.conf [root@pktcap28 wireguard]# ls -al total 32 drwx------ 2 root root 108 Nov 19 11:17 . drwxr-xr-x 225 root root 12288 Nov 19 11:17 .. -rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = -CLIENT PRIVATE KEY- #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
3) Generate the Client side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
[root@pktcap28 wireguard]# source ./wg-generate-keys [root@pktcap28 wireguard]# ls -al total 40 drwx------ 2 root root 143 Nov 21 07:58 . drwxr-xr-x 225 root root 12288 Nov 19 11:17 .. -rw------- 1 root root 45 Nov 21 07:58 privatekey -rw------- 1 root root 45 Nov 21 07:58 publickey -rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf -rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf -rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys -rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf
4) Edit the "wg0.conf" configuration file and substitute in the generated Client Private key content for the "-CLIENT PRIVATE KEY-" name placeholder.
Before substitution:
[Interface] Address = 10.55.55.2/32 PrivateKey = -CLIENT PRIVATE KEY- #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
[root@pktcap28 wireguard]# cat privatekey +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=
After substitution:
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk= #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = -SERVER PUBLIC KEY- Endpoint = public.ip.of.server:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
5) Now substitute in both the Server side public key: "-SERVER PUBLIC KEY-" and the public IP Address of the Server: "public.ip.of.server" name placeholders.
Server Public Key:
[root@shopper2 wireguard]# cat publickey vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
After Substitution:
[root@pktcap28 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.2/32 PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk= #DNS = 1.1.1.1 #DNS = 8.8.8.8 [Peer] PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= Endpoint = 102.5.221.22:51820 #AllowedIPs = 0.0.0.0/0 #AllowedIPs = 10.55.55.1/32, 10.55.55.2/32 AllowedIPs = 10.55.55.0/24 PersistentKeepalive = 21
6) Now back on the NST Server substitute in the Client side public key: "-CLIENT PUBLIC KEY-" name placeholder.
Client Public Key:
[root@pktcap28 wireguard]# cat publickey dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
Server side "wg0.conf" file content after substitution:
[root@shopper2 wireguard]# cat wg0.conf [Interface] Address = 10.55.55.1/24 SaveConfig = true ListenPort = 51820 PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ= [Peer] PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= AllowedIPs = 10.55.55.2/32
***Note: At this point all template name placeholders have been filled in.
WireGuard VPN Firewall Rule Changes and IP Forwarding
Depending on how your Firewall is configured in your server side environment, access to UDP port: "51820" needs to be allowed from the internet facing side. The WireGuard article: Wireguard VPN: Typical Setup covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.
Note: Typically, an fresh NST install will only require a NATed firewall rule to the NST server, UDP port: "51820" for this example WireGuard VPN to be established and work correctly.
Bring Up WireGuard VPN
WireGuard VPN Access
WireGuard VPN Status
Server side VPN status:
[root@shopper2 wireguard]# wg show wg0 interface: wg0 public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= private key: (hidden) listening port: 51820
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= endpoint: 14.41.111.122:38964 allowed ips: 10.55.55.2/32 latest handshake: 1 minute, 57 seconds ago transfer: 9.59 KiB received, 7.27 KiB sent
Client side VPN status:
[root@pktcap28 wireguard]# wg show wg0 interface: wg0 public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs= private key: (hidden) listening port: 38964
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s= endpoint: 102.5.221.22:51820 allowed ips: 10.55.55.0/24 latest handshake: 58 seconds ago transfer: 860 B received, 4.92 KiB sent persistent keepalive: every 21 seconds
Tear Down WireGuard VPN
WireGuard VPN Automation
The WireGuard package includes a systemd template unit script to automate the starting of the VPN when bringing up an NST system.
On Server side:
[root@shopper2 wireguard]# systemctl enable wg-quick@wg0.service;
On Client side:
[root@pktcap28 wireguard]# systemctl enable wg-quick@wg0.service;