Difference between revisions of "HowTo Quickly Setup A VPN Using WireGuard On NST"

From NST Wiki
(Server Endpoint Setup)
(Server Endpoint Setup)
Line 40: Line 40:
 
  -rw-r--r--  1 root root  289 Nov 19 08:39 wg-generate-keys
 
  -rw-r--r--  1 root root  289 Nov 19 08:39 wg-generate-keys
 
  -rw-r--r--  1 root root  174 Nov 19 08:39 wg-server.template.conf
 
  -rw-r--r--  1 root root  174 Nov 19 08:39 wg-server.template.conf
 +
[root@shopper2 wireguard]# cat wg0.conf
 +
[Interface]
 +
Address = 10.55.55.1/24
 +
SaveConfig = true
 +
ListenPort = 51820
 +
PrivateKey = -SERVER PRIVATE KEY-
 +
 +
[Peer]
 +
PublicKey = -CLIENT PUBLIC KEY-
 +
AllowedIPs = 10.55.55.2/32
  
 
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
 
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:
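Review bot: the added wg0.conf listing carries "SaveConfig = true" in its [Interface] section with no explanation. With that key set, wg-quick writes the running interface state back to wg0.conf when the interface is brought down, so edits made to the file while wg0 is up are overwritten. Suggest a sentence next to this listing telling readers to edit wg0.conf only while the interface is down, since the later steps have them hand-editing the key placeholders in this same file.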

Revision as of 10:08, 20 November 2018

Overview

This page provides a quick start reference on how to set up a fast, modern, secure VPN tunnel using WireGuard on NST.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It tends to outperform OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP Addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.

WireGuard Detailed Command-Line Setup

One can follow the detailed setup for a WireGuard VPN on its main site: Quick Start. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.

NST Quick WireGuard VPN Setup

NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "/etc/wireguard".

[root@shopper2 wireguard]# ls -al /etc/wireguard
total 28
drwx------   2 root root    92 Nov 20 08:22 .
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf

Example VPN Setup Steps

In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a NATed firewall. We will use the template IP Addresses for the VPN tunnel endpoints. Server Address: "10.55.55.1", Client Address: "10.55.55.2" and the public IP Address of the Server: "102.5.221.22". The virtual network interface: "wg0" will be used.

Server Endpoint Setup

1) Change directory to the WireGuard configuration location where the templates and key generation files are found:

[root@shopper2 ~]# cd /etc/wireguard

2) Copy the Server template file to a "wg0" WireGuard configuration file for this virtual network interface:

[root@shopper2 wireguard]# cp wg-server.template.conf wg0.conf
[root@shopper2 wireguard]# ls -al
total 36
drwx------   2 root root   108 Nov 20 08:46 .
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..
-rw-------   1 root root   174 Nov 20 08:50 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf
[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32

3) Generate the Server side Private / Public WireGuard keys. This will create two (2) Private / Public key file pairs:

[root@shopper2 wireguard]# source ./wg-generate-keys
[root@shopper2 wireguard]# ls -al
total 44
drwx------   2 root root   143 Nov 20 08:57 .
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..
-rw-------   1 root root    45 Nov 20 08:57 privatekey
-rw-------   1 root root    45 Nov 20 08:57 publickey
-rw-------   1 root root   174 Nov 20 08:50 wg0.conf
-rw-r--r--   1 root root   296 Nov 19 08:39 wg-client.template.conf
-rw-r--r--   1 root root   289 Nov 19 08:39 wg-generate-keys
-rw-r--r--   1 root root   174 Nov 19 08:39 wg-server.template.conf

4) Edit the "wg0.conf" configuration file and substitute in the generated Server Private key content for the "-SERVER PRIVATE KEY-" name placeholder.

Before substitution:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32

After substitution:

[root@shopper2 wireguard]# cat wg0.conf 
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32
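
Steps 2 to 4 can be scripted so the private key is never pasted by hand. The following is an added example, not part of the NST tooling or the original page: the function names are hypothetical, and it assumes a "base64" command is installed and that placeholders follow the "-... KEY-" naming shown above.

```sh
#!/bin/sh
# Added example, not part of the NST tooling. Function names are hypothetical.
PLACEHOLDER='-SERVER PRIVATE KEY-'   # placeholder name shown in wg0.conf above

# wg_key_ok KEY: succeed only if KEY is 44 base64 characters that decode to 32 bytes.
wg_key_ok() (
    [ "${#1}" -eq 44 ] || exit 1
    case $1 in *[!A-Za-z0-9+/=]*) exit 1 ;; esac
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
)

# fill_server_key TEMPLATE KEYFILE OUTFILE
# Writes OUTFILE (mode 0600) with the placeholder replaced by the key in KEYFILE.
# The key only passes through shell variables and printf (a builtin in bash and
# dash), so it is not exposed in a process argument list, and "/" or "+" in the
# base64 text need no escaping.
fill_server_key() (
    umask 077
    key=$(tr -d '[:space:]' < "$2") || exit 1
    wg_key_ok "$key" || { echo "$2: not a WireGuard key" >&2; exit 2; }
    grep -qF -e "$PLACEHOLDER" "$1" || { echo "$1: placeholder not found" >&2; exit 3; }
    tmp=$(mktemp "$3.XXXXXX") || exit 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"$PLACEHOLDER"*) line="${line%%$PLACEHOLDER*}$key${line#*$PLACEHOLDER}" ;;
        esac
        printf '%s\n' "$line"
    done < "$1" > "$tmp" && mv -f "$tmp" "$3"
)

# unfilled FILE: print how many lines still hold a "-... KEY-" placeholder.
unfilled() {
    grep -cE -e '-[A-Z ]+ KEY-' "$1" || true
}

# Usage on the server, after "source ./wg-generate-keys":
#   fill_server_key wg-server.template.conf privatekey wg0.conf
#   unfilled wg0.conf     # 1 until the client public key is filled in
```

A non-zero count from "unfilled" means wg0.conf still contains placeholder text and is not ready to be brought up.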