Wireguard Guide
From the WireGuard project homepage:
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.
This guide will create a VPN from a core node behind a firewall to a relay node with Wireguard listening on the default port 51820. We will then control traffic between the connected interfaces with UFW.
Feel free to use a different port!
See also: GitHub - pirate/wireguard-docs: Unofficial WireGuard Documentation: Setup, Usage, Configuration, and full example setups for VPNs supporting both servers & roaming clients.

Install Wireguard

Do this on both machines.
sudo apt install wireguard
Become root.
sudo su
Enter the Wireguard folder and set the umask so that any new files created there are readable by root only.
cd /etc/wireguard
umask 077

Configure

Generate key pairs on each machine.
C1:
wg genkey | tee C1-privkey | wg pubkey > C1-pubkey
R1:
wg genkey | tee R1-privkey | wg pubkey > R1-pubkey
Create a Wireguard configuration file on both machines.
nano /etc/wireguard/wg0.conf
Use cat to print the key values. Each machine's public key is then placed in the other machine's conf file.
C1:
cat C1-privkey
cat C1-pubkey
R1:
cat R1-privkey
cat R1-pubkey
C1:
[Interface]
Address = 10.220.0.1/22
SaveConfig = true
ListenPort = 51820
PostUp = wg set %i private-key <path to private key>
##PostUp = resolvectl domain %i "~."; resolvectl dns %i 10.220.0.2; resolvectl dnssec %i yes

[Peer]
PublicKey = <result of cat R1-pubkey>
AllowedIPs = 10.220.0.2/22
Endpoint = <R1 nodes public ip or hostname>:51820
PersistentKeepalive = 21

R1:
[Interface]
Address = 10.220.0.2/22
SaveConfig = true
ListenPort = 51820
PostUp = wg set %i private-key <path to private key>

[Peer]
PublicKey = <result of cat C1-pubkey>
AllowedIPs = 10.220.0.1/22
#Endpoint = endpoint is not needed on the listening side
PersistentKeepalive = 21

Example (C1, filled in):
[Interface]
Address = 10.220.0.1/22
SaveConfig = true
ListenPort = 51820
PostUp = wg set %i private-key /etc/wireguard/C1-privkey

[Peer]
PublicKey = FnXP9t17JXTCf3kyuTBh/z83NeJsE8Ar2HtOCy2VPyw=
AllowedIPs = 10.220.0.2/22
Endpoint = r1.armada-alliance.com:51820
PersistentKeepalive = 21
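A sanity check for a C1/R1 config pair like the templates above, added here as an example and not part of the guide: it parses wg-quick's INI-like wg0.conf, flags template placeholders left unfilled, checks that the peer's PublicKey has the shape of a base64 32-byte key and that AllowedIPs covers the other node's Address, and confirms at least one side sets an Endpoint. The sample configs are trimmed from the page's own; the filled-in key FAKE_C1_PUBKEY is a constructed stand-in, not a real key.

```python
import ipaddress, re

def parse_wg_conf(text):
    """Parse wg-quick's INI-like wg0.conf into ([Interface] dict, list of [Peer] dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blank lines are skipped
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif line:
            key, _, value = line.partition("=")       # key names never contain '='
            current[key.strip()] = value.strip()
    return interface, peers

def check_pair(local_text, remote_text):
    """Problems when the local node's wg0.conf is paired with the remote's (one [Peer] each)."""
    local_if, (peer,) = parse_wg_conf(local_text)
    remote_if, (remote_peer,) = parse_wg_conf(remote_text)
    problems = [f"{k} still holds a template placeholder"
                for k, v in {**local_if, **peer}.items() if re.search(r"<[^>(]*>", v)]
    if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", peer.get("PublicKey", "")):
        problems.append("PublicKey is not a base64 32-byte key")  # 44 chars, one '=' pad
    remote_ip = ipaddress.ip_interface(remote_if["Address"]).ip
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if not any(remote_ip in net for net in allowed):
        problems.append("AllowedIPs does not cover the remote node's Address")
    if "Endpoint" not in peer and "Endpoint" not in remote_peer:
        problems.append("no Endpoint on either side, so nobody can start the handshake")
    return problems
# C1's filled-in config from this guide (trimmed) and R1's template with its placeholder
C1_CONF = """[Interface]
Address = 10.220.0.1/22
[Peer]
PublicKey = FnXP9t17JXTCf3kyuTBh/z83NeJsE8Ar2HtOCy2VPyw=
AllowedIPs = 10.220.0.2/22
Endpoint = r1.armada-alliance.com:51820
"""
R1_CONF = """[Interface]
Address = 10.220.0.2/22
[Peer]
PublicKey = <result of cat C1-pubkey>
AllowedIPs = 10.220.0.1/22
#Endpoint = endpoint is not needed on the listening side
"""
FAKE_C1_PUBKEY = "A" * 43 + "="    # constructed stand-in with the right shape, not a real key
R1_FILLED = R1_CONF.replace("<result of cat C1-pubkey>", FAKE_C1_PUBKEY)
```

Run check_pair(C1_CONF, R1_CONF) on the C1 side and check_pair(R1_CONF, C1_CONF) on the R1 side; the second reports the unfilled PublicKey until the placeholder is replaced.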

wg-quick

Use wg-quick to create the interface and manage Wireguard as a Systemd service on both machines.
wg-quick up wg0
Useful commands.
sudo wg show # metrics on the interface
ip a # should see a wg0 interface
Once both interfaces are up you can try to ping each other.
C1:
ping 10.220.0.2
R1:
ping 10.220.0.1
If they are connected, bring them down and back up with Systemd.
wg-quick down wg0
sudo systemctl start wg-quick@wg0.service
Enable the Wireguard service on both machines to automatically start on boot.
sudo systemctl enable wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
With SaveConfig = true, wg-quick writes the interface's running configuration back to wg0.conf when the interface is brought down. Therefore you must stop the wg-quick@wg0.service unit before editing the configuration file, or your changes will be overwritten when you restart the service or reboot the server.
Like so:
# become root
sudo su
# stop the service
systemctl stop wg-quick@wg0.service
# edit the configuration file
nano /etc/wireguard/wg0.conf
# start the service
systemctl start wg-quick@wg0.service

Topology

You can now update your C1 and R1 topology files so that they point to 10.220.0.2 and 10.220.0.1 respectively, routing through the Wireguard VPN.

Prometheus

Likewise, update the IPv4 addresses in /etc/prometheus/prometheus.yml to use the VPN.

UFW

Control traffic through the VPN. The following allows Prometheus/Grafana on C1 to scrape metrics from node-exporter on R1. Note that ufw evaluates rules in the order they were added and the first match wins, so on C1 the rule denying SSH over wg0 must be added before the general rule allowing port 22; in the other order the allow matches first and the deny never takes effect.
C1:
# deny ssh access from R1 to C1 (added first so it precedes the general allow below)
sudo ufw deny in on wg0 to any port 22 proto tcp
# allow ssh access on lan behind router
sudo ufw allow 22
# cardano-node port
sudo ufw allow 3000
R1:
# allow ssh access
sudo ufw allow 22
# wireguard service
sudo ufw allow 51820/udp
# cardano-node port
sudo ufw allow 3001
# allow prometheus on C1 to scrape exporter metrics on R1
sudo ufw allow in on wg0 to any port 12798 proto tcp
sudo ufw allow in on wg0 to any port 9090 proto tcp
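The rule-ordering point above, as an added example that is not part of the guide: a small first-match evaluator for the ufw rule shapes used on this page, run over C1's three rules in both orders. It assumes ufw's default incoming policy of deny and handles only the rule forms shown above.

```python
import re

# Grammar covers only the rule shapes used in this guide, e.g.
#   allow 22 | allow 51820/udp | deny in on wg0 to any port 22 proto tcp
RULE_RE = re.compile(
    r"^(?:sudo )?ufw (allow|deny)(?: in)?(?: on (\w+))?(?: to any port| port)? ?(\d+)"
    r"(?:/(tcp|udp))?(?: proto (tcp|udp))?$"
)

def parse_rule(cmd):
    """Turn one 'sudo ufw ...' command into (action, iface, port, proto);
    iface and proto are None when the rule does not constrain them."""
    m = RULE_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"unsupported rule: {cmd}")
    action, iface, port, proto1, proto2 = m.groups()
    return action, iface, int(port), proto1 or proto2

def verdict(rules, iface, port, proto):
    """ufw appends rules to its iptables chain in the order given, so the first
    matching rule decides; with no match, ufw's default incoming policy (deny) applies."""
    for action, r_iface, r_port, r_proto in map(parse_rule, rules):
        if r_port == port and r_iface in (None, iface) and r_proto in (None, proto):
            return action
    return "deny"

# C1's rules in the order allow-then-deny, and again with the wg0 deny placed first
C1_ALLOW_FIRST = [
    "sudo ufw allow 22",
    "sudo ufw deny in on wg0 to any port 22 proto tcp",
    "sudo ufw allow 3000",
]
C1_DENY_FIRST = [C1_ALLOW_FIRST[1], C1_ALLOW_FIRST[0], C1_ALLOW_FIRST[2]]

if __name__ == "__main__":
    for name, rules in (("allow-first", C1_ALLOW_FIRST), ("deny-first", C1_DENY_FIRST)):
        print(name, "ssh over wg0:", verdict(rules, "wg0", 22, "tcp"),
              "| ssh over lan:", verdict(rules, "eth0", 22, "tcp"))
```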
Bring up ufw
When you are sure you are not going to lock yourself out, and that all the ports your pool needs are open, you can bring up the firewall. Don't forget 80 and 443 if you have nginx proxying Grafana.
sudo ufw enable
# view rules
sudo ufw status numbered
Notes & links/To Do
PostUp = resolvectl domain %i "~."; resolvectl dns %i 192.0.2.1; resolvectl dnssec %i yes
# wg set takes a single private-key argument: either a file path or a process substitution like this one
PostUp = wg set %i private-key <(cat /some/path/%i/privkey)
Reload conf without taking the VPN down.
alias wgstrip='wg syncconf wg0 <(wg-quick strip wg0)'
Last modified 1mo ago