Setting up WireGuard VPN Server

vpn Aug 01, 2020

This post has been updated to accommodate changes and feature updates in WireGuard and Debian OS.  

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

The tutorial below is based on the Debian operating system, but most of it will work on other *nix systems as well. So, without wasting any more time, let's get started!

Installation
Use the commands below to install WireGuard on Debian. For any other OS, please check here:

sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
sudo apt update
sudo apt install wireguard

Configuration
Navigate to /etc/wireguard/ (cd /etc/wireguard/) and create a public/private key pair. The first command writes the start of the config file with restrictive permissions; the second appends the generated private key to it and stores the matching public key alongside:

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Modify the configuration file:
nano /etc/wireguard/wg0.conf

The file already holds the [Interface] header and the PrivateKey line written by the key-generation commands above; keep that line and add the rest so the section reads as below (eth0 is the server's internet-facing interface; change it if yours is named differently):

PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

WireGuard server configuration is complete for now.

Start WireGuard: wg-quick up wg0
Check WireGuard status: wg

Configuring WireGuard VPN on Windows PC:
Follow the below steps to configure Windows client to access WireGuard VPN.

  1. Download and Install WireGuard Client file from here.
  2. Open the WireGuard Tunnel Management window.
  3. At the bottom left, click on the arrow next to the "Add Tunnel" button and select "Add empty tunnel", or press Ctrl+N.
  4. The new connection will automatically generate a public and private key pair.
  5. Give the connection a name.
  6. Add the values below in the dialog box under the private key:
[Interface]
PrivateKey = [Private Key of the Client automatically generated]
Address = 10.0.0.3/24
DNS = 8.8.8.8

Add the peer information below the interface section:

[Peer]
PublicKey = [Public Key of the WireGuard Server]
AllowedIPs = 0.0.0.0/0
Endpoint = [Public IP of the WireGuard Server]:5555

Configuring WireGuard VPN on Android device:
Follow the below steps to configure Android client to access your WireGuard VPN.

  1. Download and Install WireGuard app from Google Play Store
  2. Click the + button
  3. Select "Create from scratch"
  4. Give a name (without using any special character)
  5. Click "GENERATE" beside "Private key", to generate the private-key and the public-key
  6. Fill in "10.0.0.2/32" for "Addresses"
  7. Fill in "1.1.1.1,1.0.0.1" or "8.8.8.8,8.8.4.4", etc for "DNS servers"

    Add the server information:
  8. Click "ADD PEER"
  9. Fill in the server's public key
  10. Fill in "0.0.0.0/0" for "Allowed IPs"
  11. Fill in the server IP or domain name with the port number for "Endpoint"
    (e.g. 12.34.56.78:5555 or mydomain.com:5555)

Finishing the setup on Server
Modify the WireGuard configuration file to add the peer details.
nano /etc/wireguard/wg0.conf

Add the below text:

[Peer]
PublicKey = [PublicKey_created_in_the_app_during_setup]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [PublicKey_created_in_the_windows_setup]
AllowedIPs = 10.0.0.3/32

Save and exit.

Restart WireGuard for the changes to take effect:
wg-quick down wg0
wg-quick up wg0
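
The server config is an INI-like file: one [Interface] section for the server itself, then one [Peer] section per client whose AllowedIPs is that client's single tunnel address. Below is an added example (my own helper, not code from the post or from the WireGuard project) that parses such a file, validates the pieces this post builds up (key format, non-ASCII characters smuggled into the PostUp/PostDown hooks by copy-paste, an address claimed by two peers) and onboards a new client by picking the next free address in the server's subnet. The keys in it are constructed placeholders of the right shape, not real keys; generate real ones with wg genkey and wg pubkey as shown earlier.

```python
# Added example (not part of the original post): parse a wg-quick config,
# validate the [Interface]/[Peer] sections the post builds up, and onboard a
# new peer by allocating the next free address in the server's subnet. Keys
# here are constructed placeholders of the right shape, not real WireGuard keys.
import base64
import ipaddress

def fake_key(n):
    # Constructed placeholder key: 32 identical bytes, base64-encoded.
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed sample mirroring the post's wg0.conf. The PostUp line carries an
# en dash ("\u2013A" instead of "-A"), the kind of copy-paste error iptables rejects.
BAD_SERVER_CONF = f"""[Interface]
PrivateKey = {fake_key(1)}
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat \u2013A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {fake_key(2)}
AllowedIPs = 10.0.0.2/32
"""
GOOD_SERVER_CONF = BAD_SERVER_CONF.replace("\u2013A", "-A")

def parse_wg_conf(text):
    """Return [(section, {key: value}), ...] in file order; a key repeated in
    one section (wg-quick allows that for AllowedIPs) is joined with commas."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif not sections or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            fields = sections[-1][1]
            fields[key] = f"{fields[key]}, {value}" if key in fields else value
    return sections

def is_wg_key(value):
    """A WireGuard key is 32 bytes in base64: exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def allowed_networks(fields):
    """One peer's AllowedIPs as ip_network objects (strict=False keeps host bits)."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in fields.get("AllowedIPs", "").split(",") if c.strip()]

def validate_server_conf(text):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    sections = parse_wg_conf(text)
    iface = next((f for name, f in sections if name == "Interface"), None)
    if iface is None:
        return ["no [Interface] section"]
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("PrivateKey missing or not a base64-encoded 32-byte key")
    for hook in ("PostUp", "PostDown"):
        if not iface.get(hook, "").isascii():
            problems.append(f"{hook} contains non-ASCII characters (a pasted dash is the usual culprit)")
    seen = {}  # allowed network -> index of the peer that already claims it
    for index, (name, fields) in enumerate(sections):
        if name != "Peer":
            continue
        if not is_wg_key(fields.get("PublicKey", "")):
            problems.append(f"peer {index}: PublicKey missing or malformed")
        for net in allowed_networks(fields):
            if net in seen:
                problems.append(f"peer {index}: {net} already belongs to peer {seen[net]}; "
                                "WireGuard maps each allowed IP to one peer, so the earlier one loses it")
            seen[net] = index
    return problems

def next_free_address(text):
    """Lowest host in the server's subnet not taken by the server or a peer."""
    sections = parse_wg_conf(text)
    server = ipaddress.ip_interface(next(f for n, f in sections if n == "Interface")["Address"])
    used = {server.ip} | {net.network_address
                          for n, f in sections if n == "Peer" for net in allowed_networks(f)}
    return next(host for host in server.network.hosts() if host not in used)

def add_peer(server_text, client_pubkey, address=None):
    """Append a [Peer] block for a client; return (new text, its address)."""
    if not is_wg_key(client_pubkey):
        raise ValueError("client public key is malformed")
    addr = ipaddress.ip_address(address) if address else next_free_address(server_text)
    block = f"\n[Peer]\nPublicKey = {client_pubkey}\nAllowedIPs = {addr}/{addr.max_prefixlen}\n"
    return server_text.rstrip("\n") + "\n" + block, addr
```

To check a live server, run as root and call validate_server_conf(open("/etc/wireguard/wg0.conf").read()); to enrol a client, pass the public key the Windows or Android app showed you to add_peer and write the returned text back to the file before running wg-quick down/up. The duplicate-AllowedIPs check matters more than it looks: WireGuard's cryptokey routing assigns each allowed IP to exactly one peer, so giving two clients the same address silently disconnects the first one rather than failing loudly.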

To start WireGuard automatically on system startup:
systemctl enable wg-quick@wg0

Enable Packet Forwarding to access the internet through the WireGuard VPN
Modify sysctl.conf:
nano /etc/sysctl.conf

Search for and set net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1.
Apply the changes: sysctl -p. Alternatively, set them directly with sysctl -w net.ipv4.ip_forward=1 and sysctl -w net.ipv6.conf.all.forwarding=1.

If you have installed UFW on the server, a few more things need to be configured to complete the VPN setup.
1. If you need UFW to forward and NAT the connections between the external interface and the internal (wg0) one, the solution is straightforward. In the file /etc/default/ufw change the parameter DEFAULT_FORWARD_POLICY:
nano /etc/default/ufw
set DEFAULT_FORWARD_POLICY="ACCEPT"

2. Also configure /etc/ufw/sysctl.conf to allow IPv4 forwarding (the parameter is commented out by default). Uncomment the IPv6 lines as well if you want IPv6 forwarding.

net.ipv4.ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

3. The final step is to add NAT to ufw’s configuration. Add the following to /etc/ufw/before.rules just before the filter rules.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

4. Additionally, update wg0.conf so that the [Interface] section looks like this (the iptables hooks give way to ufw rules, since ufw now handles forwarding and NAT):

PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = ufw allow in on wg0 to any
PostDown = ufw deny in on wg0 to any

Finally, reload UFW so the new rules take effect:
sudo ufw disable && sudo ufw enable
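
Two things decide whether the UFW variant actually carries client traffic to the internet: forwarding must be switched on in the sysctl files (note that /etc/ufw/sysctl.conf uses slashes in key names where /etc/sysctl.conf uses dots), and the NAT block in before.rules must be a complete table, closed by its own COMMIT, with a MASQUERADE rule for the right outbound interface. Here is an added example (my own checks, not from the post or the ufw project) that reads both files as text and reports what is missing; the sample contents are constructed to mirror the post, and the out_iface name is a parameter because eth0 is only an assumption about your server.

```python
# Added example (not part of the original post): pre-flight checks for the UFW
# variant of the setup. Both sample files below are constructed to mirror the
# post; pass your own file contents (open(path).read()) to check a real server.
import re

def parse_sysctl(text):
    """Parse sysctl.conf-style text into {key: value}. Accepts the dotted form
    (net.ipv4.ip_forward) and the slash form /etc/ufw/sysctl.conf uses
    (net/ipv4/ip_forward), skips comments, ignores a leading '-' (sysctl's
    "don't fail if the key is missing" marker) and lets the last assignment
    win, which is how "sysctl -p" applies a file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key.lstrip("-").replace("/", ".")] = value
    return values

def forwarding_enabled(text, ipv6=False):
    """True when the text turns on the forwarding knob the post sets."""
    key = "net.ipv6.conf.all.forwarding" if ipv6 else "net.ipv4.ip_forward"
    return parse_sysctl(text).get(key) == "1"

# Constructed /etc/ufw/before.rules excerpt with the NAT block placed as the
# post instructs; the *filter part is cut down to a couple of lines.
SAMPLE_BEFORE_RULES = """# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -i lo -j ACCEPT
COMMIT
"""
# Same excerpt with the NAT block's COMMIT forgotten, a frequent mistake.
MISSING_COMMIT_RULES = SAMPLE_BEFORE_RULES.replace("MASQUERADE\nCOMMIT\n", "MASQUERADE\n", 1)

def check_nat_block(rules_text, out_iface="eth0"):
    """Check an iptables-restore style before.rules: the *nat table should sit
    before *filter (where the post puts it), be closed by its own COMMIT, and
    contain a POSTROUTING MASQUERADE rule for the outbound interface.
    Returns a list of problems; empty means the block is in place."""
    problems = []
    lines = [line.strip() for line in rules_text.splitlines()]
    tables = [i for i, line in enumerate(lines) if line.startswith("*")]
    nat = next((i for i in tables if lines[i] == "*nat"), None)
    filt = next((i for i in tables if lines[i] == "*filter"), None)
    if nat is None:
        return ["no *nat table: clients will reach the server but not the internet"]
    if filt is not None and nat > filt:
        problems.append("*nat block sits after *filter; the post puts it before the filter rules")
    # Each table runs until its own COMMIT; another table header before that
    # means the COMMIT was forgotten.
    end = next((i for i in range(nat + 1, len(lines)) if lines[i] == "COMMIT"), len(lines))
    if end == len(lines) or any(nat < t < end for t in tables):
        problems.append("*nat table is not closed by its own COMMIT")
    masq = re.compile(rf"^-A POSTROUTING\b.*\s-o {re.escape(out_iface)}\s.*-j MASQUERADE$")
    if not any(masq.match(line) for line in lines[nat:end]):
        problems.append(f"no '-A POSTROUTING -o {out_iface} -j MASQUERADE' rule inside *nat")
    return problems
```

Run the checks as root against /etc/sysctl.conf, /etc/ufw/sysctl.conf and /etc/ufw/before.rules before the ufw disable/enable step. One more point the wg0.conf above does not cover: ufw's default policy denies incoming traffic, and the PostUp rule only opens traffic that already arrived on wg0, so the WireGuard listen port itself (UDP 5555 in this post) needs its own allow rule, for example ufw allow 5555/udp, or no client will ever complete a handshake.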

That's all, folks!
You have successfully completed the WireGuard VPN installation.

Update: I have also created a script to automate the task of setting up WireGuard.
You can check the script here.

Eshan

Among with Anmol Nayyar, Sreyash Ratna Tripathi

Cyber Security Professional • Offensive Infrastructure • Anime Addict • Love to Travel • Co-creater of rescure.fruxlabs.com •