Setting up WireGuard VPN server

vpn Dec 15, 2018

Previously, we saw how easy it is to set up OpenVPN. Today we will configure a WireGuard VPN on our server.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

The tutorial below is based on the Debian operating system, but most of it will work on other *nix OSes as well. So without wasting any more time, let's get started!

Please NOTE: WireGuard is currently under development, and therefore any installation steps here should be considered experimental.

Installation
Use the commands below to install WireGuard on a Debian OS. For any other OS, please check here:

echo "deb http://deb.debian.org/debian/unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard -y

Configuration
Create a public and private key pair (the private key is written straight into wg0.conf, the public key into /etc/wireguard/publickey):

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Edit the configuration file:
nano /etc/wireguard/wg0.conf
The file already contains the [Interface] header and the PrivateKey line written by the previous step; complete it so that it looks like the text below (YOUR_PRIVATE_KEY stands for the key generated above):

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Note that the POSTROUTING rule uses a plain hyphen in -A (a copy-pasted dash will make iptables fail on PostUp), and eth0 must be the interface that carries the server's public address.

WireGuard server configuration is complete.

Start WireGuard: wg-quick up wg0
Check WireGuard status: wg

Configuring WireGuard VPN on an Android device:
Follow the steps below to configure the Android client to access your WireGuard VPN.

  1. Download and install the WireGuard app from the Google Play Store
  2. Click the + button
  3. Select "Create from scratch"
  4. Give a name (without using any special characters)
  5. Click "GENERATE" beside "Private key" to generate the private key and the public key
  6. Fill in "10.0.0.2/32" for "Addresses"
  7. Fill in "1.1.1.1,1.0.0.1" or "8.8.8.8,8.8.4.4", etc. for "DNS servers"

    Add the server information:
  8. Click "ADD PEER"
  9. Fill in the server public key
  10. Fill in "0.0.0.0/0" for "Allowed IPs"
  11. Fill in the server IP or domain name with the port number for "Endpoint"
    (e.g. 12.34.56.78:5555 or mydomain.com:5555)

Finishing the setup on the server
Modify the WireGuard configuration file to add the peer details.
nano /etc/wireguard/wg0.conf
Add the following text:

[Peer]
PublicKey = PublicKey_created_in_the_app_during_setup
AllowedIPs = 10.0.0.2/32

Save and exit.
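As an added example (not from the post, and not a WireGuard tool), here is a small shell function that performs this step with the checks a practitioner would want: it validates the key shape, insists on a /32 host address as used above, and refuses an address that another peer already owns, because WireGuard assigns each allowed IP to exactly one peer and a later duplicate silently takes it over. The function name add_peer and the placeholder keys in the usage comments are this example's own assumptions.

```shell
# add_peer: append a [Peer] block to a WireGuard config after validating it.
# Added example, not part of the original post; the name add_peer and the
# checks below are this example's own choices.
#
# Usage: add_peer /etc/wireguard/wg0.conf CLIENT_PUBLIC_KEY 10.0.0.2/32
add_peer() {
    conf=$1 pubkey=$2 allowed=$3

    # A WireGuard public key is 32 bytes in base64: 44 characters ending in '='.
    case "$pubkey" in
        *[!A-Za-z0-9+/=]*) echo "public key has non-base64 characters" >&2; return 1 ;;
    esac
    [ "${#pubkey}" -eq 44 ] || { echo "public key must be 44 characters" >&2; return 1; }
    case "$pubkey" in
        *=) ;;
        *) echo "public key must end with '='" >&2; return 1 ;;
    esac

    # On the server, AllowedIPs is both the route to the peer and the source
    # filter for packets arriving from it, so each client gets one /32 host
    # address. (The client side uses 0.0.0.0/0 to send everything into the tunnel.)
    case "$allowed" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/32) ;;
        *) echo "AllowedIPs must be a single IPv4 host address with /32" >&2; return 1 ;;
    esac

    # WireGuard gives each allowed IP to exactly one peer; a second peer with the
    # same address would silently take it over, so refuse duplicates.
    if grep -E '^[[:space:]]*AllowedIPs[[:space:]]*=' "$conf" 2>/dev/null \
         | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t' | grep -qxF "$allowed"; then
        echo "$allowed is already assigned to another peer in $conf" >&2
        return 1
    fi

    # Append the block in the same layout the post uses.
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed" >> "$conf"
}
```

After a successful call, apply the change with the wg-quick down/up restart shown in the next step.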

Restart WireGuard for the changes to take effect:
wg-quick down wg0
wg-quick up wg0

To start WireGuard automatically on system startup:
systemctl enable wg-quick@wg0

Enable packet forwarding to access the internet through the WireGuard VPN
Modify sysctl.conf:
nano /etc/sysctl.conf
Search and set net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1
Apply the changes: sysctl -p

Set up packet forwarding in UFW, if it is installed:
nano /etc/default/ufw
set DEFAULT_FORWARD_POLICY="ACCEPT"

That's all, folks!
You have successfully completed the WireGuard VPN installation.

Update: I have also created a script to automate the task of setting up WireGuard.
You can check the script here

Eshan

Cyber Security Professional • Offensive Infrastructure • Anime Addict • Love to Travel • Co-creator of rescure.fruxlabs.com •