HowTo Quickly Setup A VPN Using WireGuard On NST


Overview

NST 28
SVN: 10606

This page provides a quick start reference on how to setup a fast, modern, secure VPN tunnel using WireGuard on NST.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It tends to outperform OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP Addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.

WireGuard Detailed Command-Line Setup

The detailed setup of a WireGuard VPN is described on its main site: Quick Start. There you will find the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command line.

NST Quick WireGuard VPN Setup

NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "/etc/wireguard".

[root@shopper2 wireguard]# ls -al /etc/wireguard
total 28
drwx------   2 root root    92 Nov 20 08:22 .
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf

Example VPN Setup Steps

In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a NATed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.

***Note: All WireGuard VPN configuration and command execution requires "root" access. One can "su -" to the "root" user or use the "sudo" command with the "nst" user for configuration and command execution. The "root" user was used for this example VPN setup.


NST Server Side:

  • Server Address: "10.55.55.1"
  • Host Name: "shopper2"
  • Public IP Address: "102.5.221.22"       (***Note: Use the command: "getipaddr -f -p" to get your public IP Address)
  • WireGuard UDP VPN Listen Port: "51820"
  • WireGuard Virtual Interface: "wg0"
  • VPN Allowed IP Address: "10.55.55.2/32"

NST Client Side:

  • Client Address: "10.55.55.2"
  • Host Name: "pktcap28"
  • WireGuard Virtual Interface: "wg0"
  • VPN Allowed IP Addresses: "10.55.55.0/24"

WireGuard Server Endpoint Setup

Do the following steps on the NST server side (shopper2):

1) Change directory to the WireGuard configuration location where the templates and key generation files are found:

[root@shopper2 ~]# cd /etc/wireguard

2) Copy the Server template file to a "wg0" WireGuard configuration file for this virtual network interface:

[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf
[root@shopper2 wireguard]# ls -al
total 36
drwx------   2 root root   108 Nov 20 08:46 .
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..
-rw-------   1 root root   174 Nov 20 08:50 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf
[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32

3) Generate the Server side Private / Public WireGuard keys. This will create one Private / Public key pair stored as two files, "privatekey" and "publickey":

[root@shopper2 wireguard]# source ./wg-generate-keys
[root@shopper2 wireguard]# ls -al
total 44
drwx------   2 root root   143 Nov 20 08:57 .
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..
-rw-------   1 root root    45 Nov 20 08:57 privatekey
-rw-------   1 root root    45 Nov 20 08:57 publickey
-rw-------   1 root root   174 Nov 20 08:50 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf

4) Edit the "wg0.conf" configuration file and substitute in the generated Server Private key content for the "-SERVER PRIVATE KEY-" name placeholder.

Before substitution:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32
[root@shopper2 wireguard]# cat privatekey 
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=

After substitution:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32

***Note: We will substitute in the Client public key later once we generate it on the NST client system (See "WireGuard Client Endpoint Setup - Step: 6 Below").

Peer Client Key Sharing:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32 10.55.55.3/32

***Note: In this example the peers 10.55.55.2 and 10.55.55.3 will share the same WireGuard key configuration.

WireGuard Client Endpoint Setup

Do the following steps on the NST client side (pktcap28):

1) Change directory to the WireGuard configuration location where the templates and key generation files are found:

[root@pktcap28 ~]# cd /etc/wireguard

2) Copy the Client template file to a "wg0" WireGuard configuration file for this virtual network interface:

[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf
[root@pktcap28 wireguard]# ls -al
total 32
drwx------   2 root root   108 Nov 19 11:17 .
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..
-rw-------   1 root root   296 Nov 21 07:55 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 11:16 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 11:16 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 11:16 wg-server.template.conf
[root@pktcap28 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.2/32
PrivateKey = -CLIENT PRIVATE KEY-
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

3) Generate the Client side Private / Public WireGuard keys. This will create one Private / Public key pair stored as two files, "privatekey" and "publickey":

[root@pktcap28 wireguard]# source ./wg-generate-keys
[root@pktcap28 wireguard]# ls -al
total 40
drwx------   2 root root   143 Nov 21 07:58 .
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..
-rw-------   1 root root    45 Nov 21 07:58 privatekey
-rw-------   1 root root    45 Nov 21 07:58 publickey
-rw-r--r--   1 root root   296 Nov 21 07:55 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 11:16 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 11:16 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 11:16 wg-server.template.conf

4) Edit the "wg0.conf" configuration file and substitute in the generated Client Private key content for the "-CLIENT PRIVATE KEY-" name placeholder.

Before substitution:

[Interface]
Address = 10.55.55.2/32
PrivateKey = -CLIENT PRIVATE KEY-
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21
[root@pktcap28 wireguard]# cat privatekey 
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=

After substitution:

[root@pktcap28 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.2/32
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

5) Now substitute in both the Server side public key: "-SERVER PUBLIC KEY-" and the public IP Address of the Server: "public.ip.of.server" name placeholders.

The "public.ip.of.server" name placeholder can also be a "FQDN". If both the client and server are on the same LAN, this is the IP Address of the server's LAN facing interface and not the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary.

Server Public Key:

[root@shopper2 wireguard]# cat publickey
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=

After Substitution:

[root@pktcap28 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.2/32
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
Endpoint = 102.5.221.22:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

6) Now back on the NST Server, substitute in the Client side public key: "-CLIENT PUBLIC KEY-" name placeholder.

Client Public Key:

[root@pktcap28 wireguard]# cat publickey
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=

Server side "wg0.conf" file content after substitution:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=

[Peer]
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
AllowedIPs = 10.55.55.2/32

***Note: At this point all template name placeholders have been filled in.

WireGuard VPN Firewall Rule Changes and IP Forwarding

Depending on how your Firewall Gateway Router is configured on your server side environment, access to UDP port: "51820" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: Wireguard VPN: Typical Setup covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.

***Note: Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "51820" for this example VPN to be established and work properly.

Bring Up WireGuard VPN

Server Side (Linux)

Use the "wg-quick" command to bring up the WireGuard VPN on the Server side (Linux):

[root@shopper2 ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.55.55.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
 
[root@shopper2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.55.55.1/24 scope global wg0
       valid_lft forever preferred_lft forever

[root@shopper2 ~]# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.22.22.1      0.0.0.0         UG    0      0        0 lan0
10.55.55.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.22.22.0      0.0.0.0         255.255.255.0   U     0      0        0 lan0

[root@shopper2 ~]# netstat -uanp | grep 51820
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -                   
udp6       0      0 :::51820                :::*                                -

Server Side - IPv4 Forwarding

To allow client-to-client access over a WireGuard VPN tunnel, enable IPv4 Forwarding:

[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=1
[root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

To make the IPv4 Forwarding change permanent add the following line to file: "/etc/sysctl.conf"

 net.ipv4.ip_forward=1

To disallow client-to-client access over a WireGuard VPN tunnel, disable IPv4 Forwarding:

[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=0
[root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

To make the IPv4 Forwarding disable change permanent add the following line to file: "/etc/sysctl.conf"

 net.ipv4.ip_forward=0

Client Side (Linux)

Use the "wg-quick" command to bring up the WireGuard VPN on the Client side (Linux):

[root@pktcap28 ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.55.55.2/32 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] ip route add 10.55.55.0/24 dev wg0

[root@pktcap28 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff
    inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:17ff:fed9:d262/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.55.55.2/32 scope global wg0
       valid_lft forever preferred_lft forever

[root@pktcap28 ~]# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.29.1.1      0.0.0.0         UG    0      0        0 lan0
10.55.55.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
172.29.1.0      0.0.0.0         255.255.255.0   U     0      0        0 lan0

Client Side (macOS - Using brew)

Use the "wg-quick" command to bring up the WireGuard VPN on the Client side (macOS - Using brew) for the utun2 interface:

iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf
[#] wireguard-go utun
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118
[+] Interface for utun2 is utun2
[#] wg setconf utun2 /dev/fd/63
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias
[#] ifconfig utun2 up
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2
[+] Backgrounding route monitor

iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14
	eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE>
	xflags=4<NOAUTONX>
	inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff 
	state availability: 0 (true)
	scheduler: FQ_CODEL 
	qosmarking enabled: no mode: none
	low power mode: disabled
	multi layer packet logging (mpklog): disabled
	routermode4: disabled
	routermode6: disabled

iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2
interface: utun2
  public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=
  private key: (hidden)
  listening port: 62149

peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=
  endpoint: 136.56.0.244:51823
  allowed ips: 10.55.55.0/24
  latest handshake: 1 minute, 45 seconds ago
  transfer: 184 B received, 712 B sent
  persistent keepalive: every 21 seconds

WireGuard VPN Access

After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., ping and SSH) for exercising the VPN:

1) Ping the Server (10.55.55.1) from the Client (10.55.55.2):

[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms

--- 10.55.55.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms

2) SSH from Server (10.55.55.1) to the Client (10.55.55.2):

[root@shopper2 ~]# ssh root@10.55.55.2
root@10.55.55.2's password: 
Activate the web console with: systemctl enable --now cockpit.socket


===========================================
= Linux Network Security Toolkit (NST 28) =
===========================================

Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1

[root@pktcap28 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff
    inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:17ff:fed9:d262/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.55.55.2/32 scope global wg0
       valid_lft forever preferred_lft forever
[root@pktcap28 ~]# exit
logout
Connection to 10.55.55.2 closed.
[root@shopper2 ~]#

WireGuard VPN Status

Server side VPN status using the "wg" command:

[root@shopper2 ~]# wg show wg0
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent

Client side VPN status using the "wg" command:

[root@pktcap28 ~]# wg show wg0
interface: wg0
  public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  private key: (hidden)
  listening port: 38964

peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  endpoint: 102.5.221.22:51820
  allowed ips: 10.55.55.0/24
  latest handshake: 58 seconds ago
  transfer: 860 B received, 4.92 KiB sent
  persistent keepalive: every 21 seconds
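The "wg show" output above is what an operator reads by hand to confirm the tunnel is alive. As an added example (not part of this page or of the WireGuard tools), the following Python parses that output and flags peers whose latest handshake is missing or older than a threshold; the sample input is the server-side output above plus a constructed second peer that has never completed a handshake. With PersistentKeepalive = 21 on the client as on this page, a handshake older than a few minutes means the peer is no longer exchanging traffic.

```python
import re

# Constructed input: the server-side "wg show wg0" output from this page, plus a
# made-up second peer (key is a constructed placeholder) that never handshook.
WG_SHOW_OUTPUT = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent

peer: EXAMPLEpeerKEYthatNeverHandshookXXXXXXXXXXX=
  allowed ips: 10.55.55.3/32
  transfer: 0 B received, 0 B sent
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """Turn the human form '1 minute, 57 seconds ago' into a number of seconds."""
    total = 0
    for qty, unit in re.findall(r"(\d+) (second|minute|hour|day)s?", text):
        total += int(qty) * UNITS[unit]
    return total


def parse_wg_show(text):
    """Return {peer_public_key: {field: value}} from `wg show <iface>` output."""
    peers, current = {}, None
    for line in text.splitlines():
        if line.startswith("peer: "):
            current = peers.setdefault(line[len("peer: "):].strip(), {})
        elif line.startswith("interface:"):
            current = None  # interface fields are not peer fields
        elif current is not None and ":" in line:
            field, _, value = line.strip().partition(":")  # first ':' only, endpoint keeps its port
            current[field.strip()] = value.strip()
    return peers


def stale_peers(text, max_age=180):
    """Map public key -> handshake age (None if never) for peers idle longer than max_age seconds."""
    stale = {}
    for key, fields in parse_wg_show(text).items():
        hs = fields.get("latest handshake")
        age = handshake_age_seconds(hs) if hs else None
        if age is None or age > max_age:
            stale[key] = age
    return stale
```

For scripted monitoring, "wg show wg0 dump" prints the same data as tab-separated fields with the handshake as a Unix timestamp, which avoids parsing the human-readable form.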

Tear Down WireGuard VPN

Client side tear down the VPN using the "wg-quick" command:

[root@pktcap28 wireguard]# wg-quick down wg0
[#] ip link delete dev wg0

Server side tear down the VPN using the "wg-quick" command:

[root@shopper2 ~]# wg-quick down wg0
[#] wg showconf wg0
[#] ip link delete dev wg0

WireGuard VPN Automation

The WireGuard package includes a systemd template unit script to automate the starting of the VPN when bringing up an NST system.

On Server side:

[root@shopper2 ~]# systemctl start wg-quick@wg0.service;
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;
[root@shopper2 ~]# systemctl status wg-quick@wg0.service;

On Client side:

[root@pktcap28 ~]# systemctl start wg-quick@wg0.service;
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;
[root@pktcap28 ~]# systemctl status wg-quick@wg0.service;

Server With Multiple Clients/Peers

It is possible to have multiple client (peer) connections to the same server interface (wg0 for example). To accomplish this, you will need to:

  • Create a unique private/public key pair for each client (peer).
  • Add one [Peer] section per client to the wg0.conf file.
  • Make sure that the AllowedIPs settings of the peer entries do not overlap.

The following sections provide details on a configuration where the server has an IPv4 address of 10.55.55.1 associated with the wg0 interface and allows 3 clients (10.55.55.10, 10.55.55.11 and 10.55.55.12). Do NOT use these configurations verbatim, they are only examples.

  • The Endpoint parameter must be changed from wg.networksecuritytoolkit.org:51820 to the address associated with your server (this typically involves opening a UDP hole in your firewall).
  • It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).
  • It is recommended to use a port other than 51820 (something different than this public example).
  • It is highly recommended that you generate your own server and client private/public key pairs.

Server Configuration (10.55.55.1)

The following /etc/wireguard/wg0.conf configuration would set the server's IPv4 address to 10.55.55.1 and allow 3 simultaneous clients (10.55.55.10, 10.55.55.11 and 10.55.55.12).

[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
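Two mistakes are easy to make when hand-editing these files: a template placeholder such as "-CLIENT PUBLIC KEY-" left in place (the single-client steps above end with all placeholders filled in), and AllowedIPs that overlap between [Peer] sections. As an added example (not part of this page or the NST tooling), the following Python parses a wg-quick style wg0.conf, which configparser cannot do because the [Peer] section name repeats, and reports both problems. The sample input is the three-peer server configuration above plus a constructed fourth peer that makes both mistakes.

```python
import base64
import ipaddress

# Constructed input: the three-peer server wg0.conf shown on this page.
PAGE_SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
"""
# Constructed fourth peer with two mistakes: the NST template placeholder was
# never replaced, and 10.55.55.11/32 is already claimed by peer 2.
BROKEN_PEER = """\
[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.11/32, 10.55.55.13/32
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); keys are lower-cased."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section: " + line)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
        else:
            raise ValueError("not a key = value line inside a section: " + line)
    return interface, peers


def key_problem(value):
    """None if value is a base64 32-byte WireGuard key, otherwise a description."""
    if value.startswith("-") and value.endswith("-"):  # e.g. -CLIENT PUBLIC KEY-
        return "still holds the template placeholder " + value
    try:
        ok = len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        ok = False
    return None if ok else "is not a base64-encoded 32-byte key"


def check_wg_conf(text):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    interface, peers = parse_wg_conf(text)
    bad = key_problem(interface.get("privatekey", ""))
    if bad:
        problems.append("[Interface] PrivateKey " + bad)
    claimed = []  # (network, peer number) pairs seen so far
    for num, peer in enumerate(peers, 1):
        bad = key_problem(peer.get("publickey", ""))
        if bad:
            problems.append(f"peer {num}: PublicKey " + bad)
        for cidr in [c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()]:
            net = ipaddress.ip_network(cidr, strict=False)
            # wg keeps each AllowedIP on one peer only: the last peer to declare it wins.
            for other, other_num in claimed:
                if net.overlaps(other):
                    problems.append(f"peer {num}: AllowedIPs {net} overlaps peer {other_num} ({other})")
            claimed.append((net, num))
    return problems
```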

Client/Peer Configuration (10.55.55.10)

The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.10 client.

[Interface]
Address = 10.55.55.10/32
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=

[Peer]
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=
Endpoint = wg.networksecuritytoolkit.org:51820
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

Client/Peer Configuration (10.55.55.11)

The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.11 client.

[Interface]
Address = 10.55.55.11/32
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=

[Peer]
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=
Endpoint = wg.networksecuritytoolkit.org:51820
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

Client/Peer Configuration (10.55.55.12)

The following /etc/wireguard/wg0.conf configuration could be used on the 10.55.55.12 client.

[Interface]
Address = 10.55.55.12/32
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=

[Peer]
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=
Endpoint = wg.networksecuritytoolkit.org:51820
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21

Manual WireGuard DKMS Build and Install

NST 34
SVN: 12743

WireGuard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.

Use the following command to build a WireGuard DKMS kernel module. This example is for WireGuard version: "0.0.20190123" and kernel: "4.19.16-200.fc28.x86_64".

[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;

Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source ->
                 /usr/src/wireguard-0.0.20190123

DKMS: add completed.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....
cleaning build area...

DKMS: build completed.

Use the following command to install a WireGuard DKMS kernel module:

[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;

wireguard.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/
Adding any weak-modules

depmod....

DKMS: install completed.

Manual WireGuard DKMS Module Verification

NST 34
SVN: 12743

WireGuard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.

Use the following commands to verify that a WireGuard DKMS kernel module was built and installed:

[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed

--Or--

[root@vortex nst28]# find /lib/modules -name wireguard*
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz

Manual WireGuard DKMS Module Information

NST 34
SVN: 12743

WireGuard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.

Use the following command to view WireGuard module information:

[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz
filename:       /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        0.0.20190123
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     E44DD24D14B1F49C0DD6610
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       4.19.16-200.fc28.x86_64 SMP mod_unload

Manual WireGuard DKMS Module Remove

NST 34
SVN: 12743

WireGuard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.

Use the following command to remove a WireGuard DKMS kernel module. This example is for version: "0.0.20190123" and kernel: "4.19.16-200.fc28.x86_64".

[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;

-------- Uninstall Beginning --------
Module:  wireguard
Version: 0.0.20190123
Kernel:  4.19.16-200.fc28.x86_64 (x86_64)
-------------------------------------

Status: Before uninstall, this module version was ACTIVE on this kernel.
Removing any linked weak-modules

wireguard.ko.xz:
 - Uninstallation
   - Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/
rmdir: failed to remove 'kernel/net': Directory not empty
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

depmod....

DKMS: uninstall completed.

------------------------------
Deleting module version: 0.0.20190123
completely from the DKMS tree.
------------------------------
Done.

WireGuard Client Setup Example For Windows

The IVPN site has a nice Windows WireGuard Client Setup Example that can be manually entered.