wireguard.md 3 KB
Elias Ojala committed
---
title: Wireguard
permalink: /wireguard
---

## Installation

### Debian 9 (`stretch`) or Debian 10 (`buster`)

If you do not use Debian 9 or 10, follow the guides on [WireGuard's install page](https://www.wireguard.com/install/).

Run these commands as the `root` user:

```bash
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install linux-headers-$(uname -r) wireguard
```

Or run these commands as your normal user, using `sudo`:

```bash
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install linux-headers-$(uname -r) wireguard
```

### Raspbian 9 (`stretch`)

```bash
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install raspberrypi-kernel-headers
# Add the Debian unstable repository
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee -a /etc/apt/sources.list.d/unstable.list
# Import the signing key for that repository
sudo apt-get install dirmngr
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
# Pin unstable at a low priority so it does not replace regular Raspbian packages
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee -a /etc/apt/preferences.d/limit-unstable
sudo apt-get update
sudo apt-get install wireguard
sudo reboot
```

([Source](https://github.com/adrianmihalko/raspberrypiwireguard#1-wireguard-installation-raspberry-pi-2-v12-and-above))

## Generate keys

```bash
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
```

(recommended to run as `root`)

## Client configuration

`/etc/wireguard/wg0.conf`:

```
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x

[Peer]
PublicKey = Server_Public_Key
AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
Endpoint = ip:51820
# PersistentKeepalive = 25 # optional
```

## Server configuration

```
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

[Peer]
PublicKey = Client_Public_key
AllowedIPs = 10.x.x.x/32
```

Replace `PUBLIC_INTERFACE` with your interface, such as `eth0`.
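
An added example, not part of the original page: a shell function that checks a config like the ones above for file permissions that expose the private key, a `PrivateKey` that still holds a placeholder, and server-side peers whose `AllowedIPs` cover more than one host. The function name `audit_wg_conf`, its `ROLE` argument and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a wg-quick config file.
# Usage: audit_wg_conf FILE ROLE   where ROLE is "server" or "client"
# (the ROLE argument is an assumption of this example, not a wg-quick concept).
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_wg_conf() {
    conf=$1; role=$2; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # The file contains PrivateKey, so group/other need no access at all
    # (the same intent as `umask 077` when generating the keys).
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case $mode in
        *00) ;;
        *) echo "mode $mode lets group/other access the private key"; findings=1 ;;
    esac

    out=$(awk -v role="$role" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[/ { section = tolower($0); next }
        {
            i = index($0, "="); if (!i) next
            key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            # A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in "=".
            if (section == "[interface]" && key == "privatekey" &&
                !(length(val) == 44 && val ~ "^[A-Za-z0-9+/]+=$"))
                print "PrivateKey is not a 44-character base64 key (placeholder?)"
            # On a server, AllowedIPs is the set of source addresses accepted
            # from that peer, so each client should get a single host address.
            if (role == "server" && section == "[peer]" && key == "allowedips") {
                n = split(val, nets, ",")
                for (j = 1; j <= n; j++)
                    if (nets[j] ~ "/" && nets[j] !~ "/(32|128)$")
                        print "peer AllowedIPs " nets[j] " covers more than one host"
            }
        }' "$conf")
    if [ -n "$out" ]; then echo "$out"; findings=1; fi
    return $findings
}

# Constructed sample: a server config with a placeholder key and a /24 peer.
demo=$(mktemp)
printf '[Interface]\nPrivateKey = PRIVATE_KEY\n[Peer]\nAllowedIPs = 10.0.0.0/24\n' > "$demo"
audit_wg_conf "$demo" server || true
rm -f "$demo"
```

To check a live file, call `audit_wg_conf /etc/wireguard/wg0.conf server` as a user who can read it.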

### Enable IPv4 packet forwarding

In `/etc/sysctl.d/99-sysctl.conf`, uncomment the line `#net.ipv4.ip_forward=1`.

To apply, reboot or run `sudo sysctl -p`.

## Daemonizing

Replace `wg0` with the filename (without extension) you have in `/etc/wireguard/`.

```bash
sudo systemctl enable --now wg-quick@wg0
```

### Restarting

```bash
wg-quick down wg0 && wg-quick up wg0
```

## Further reading
* [Set Up WireGuard VPN on Ubuntu](https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/) on linode.com/docs
* [WireGuard](https://wiki.archlinux.org/index.php/WireGuard) on wiki.archlinux.org