WireGuard - a fast and modern VPN
WireGuard - a fast and modern VPN
- About WireGuard
- Configuration - Debian Peers
- Configuration - Mobile Clients
- See also
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It can be a useful replacement for IPSec or OpenVPN.
Official website: https://www.wireguard.com/
WireGuard is packaged in as wireguard which pulls in wireguard-tools. If the installed Linux kernel doesn't have builtin wireguard support (which it indicates by providing the virtual package wireguard-modules), wireguard-dkms will also be pulled in as a dependency.
On DebianBuster, wireguard is available from Backports. If your sources list contains the backports stanza, you can install wireguard by
# apt update && apt -t buster-backports install wireguard
On DebianBullseye and later you may use command:
# sudo apt update && sudo apt install wireguard wireguard-dkms openresolv
The packages for DebianUnstable and DebianTesting also work on DebianJessie and DebianStretch. You can install them by following the Wireguard installation instructions, which boil down to:
# echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable-wireguard.list # printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable # apt update # apt install wireguard
Note that if the module is built with dkms you should ensure you have rebooted in to your most recent kernel update before installing.
Configuration - Debian Peers
Step 1 - Generating Keypairs
You need to generate key pairs for server and clients. To generate key pairs:
# cd /etc/wireguard/ # umask 077; wg genkey | tee privatekey | wg pubkey > publickey
Make sure that you protect the privatekey file, e.g. via appropriate file permissions.
Step 2 - Configuration
Step 2 - Alternative A - Manual Configuration
You need to enable the following in /etc/sysctl.conf
net.ipv4.ip_forward = 1
to reload settings
# sysctl -p
In server create /etc/wireguard/wg0.conf. Open UDP port 51820 and change your interface for iptables (eth0).
[Interface] Address = 192.168.11.1/24 SaveConfig = true PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 51820 PrivateKey = YOUR_SERVER_PRIVATE KEY [Peer] PublicKey = YOUR_CLIENT_PUBLIC_KEY AllowedIPs = 192.168.11.2/32 [Peer] PublicKey = OTHER_CLIENT_PUBLIC_KEY AllowedIPs = ...
# systemctl start wg-quick@wg0 # ip a show wg0
Now, in client create /etc/wireguard/wg0.conf.
[Interface] PrivateKey = YOU_CLIENT_PRIVATE_KEY ## Client IP Address = 192.168.11.2/24 ## if you have DNS server running # DNS = 192.168.11.1 [Peer] PublicKey = YOUR_SERVER_PUBLIC_KEY ## to pass internet trafic 0.0.0.0 but for peer connection only use 192.168.11.0/24, or you can also specify comma separated IPs AllowedIPs = 0.0.0.0/0 Endpoint = SERVER_PUBLIC_IP:51820 PersistentKeepalive = 20
# systemctl start wg-quick@wg0 # ip a show wg0
You may enable systemd by default in server and client by
# systemctl enable wg-quick@wg0
For testing purposes, it may be sufficient to use wg-quick directly - see the wg-quick(8) man page (upstream version) and quickstart instructions.
Step 2 - Alternative B - /etc/network/interfaces
The following configuration examples focus on using /etc/network/interfaces as much as possible.
For a host with static network configuration (such as a server), using /etc/network/interfaces is often the preferred way.
This example builds a simple point-to-point tunnel between two machines.
# /etc/network/interfaces auto wg-p2p iface wg-p2p inet static address 10.88.88.1 netmask 255.255.255.0 pre-up ip link add $IFACE type wireguard pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf post-down ip link del $IFACE iface wg-p2p inet6 static address 2001:db8:1234:5678::1 netmask 64
# /etc/wireguard/wg-p2p.conf [Interface] PrivateKey = <paste the private key of the local host here> ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common> [Peer] Endpoint = <remote IP>:<remote port> PublicKey = <paste the public key of the remote host here> AllowedIPs = 0.0.0.0/0, ::/0
You can then simply add routes through the tunnel, either statically, or dynamically using e.g. OSPF or BGP. For static routes:
# ip route add 2001:db8:4242::/48 dev wg-demo # ip route add 192.168.42.0/24 dev wg-demo
VPN client with default route
This allows a "client" to connect to a server, and redirect its default route through the tunnel. This example uses wg-quick, make sure you understand what it does to your routing tables!
# /etc/network/interfaces auto wg-client iface wg-client inet static address 10.88.88.1 netmask 255.255.255.0 pre-up wg-quick up $IFACE post-down wg-quick down $IFACE
# /etc/wireguard/wg-client.conf [Interface] PrivateKey = <paste the private key of the local host here> ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common> [Peer] Endpoint = <server IP>:<server port> PublicKey = <paste the public key of the remote host here> AllowedIPs = 0.0.0.0/0, ::/0
Step 2 - Alternative C - systemd
systemd has native support for setting up WireGuard interfaces since version 237 (available in buster and stretch-backports).
First, create a systemd.netdev(5) file ending in .netdev and place it in /etc/systemd/network, for example as /etc/systemd/network/wg0.netdev:
[NetDev] Name=wg0 Kind=wireguard Description=WireGuard test [WireGuard] PrivateKey=<paste the private key of the local host here> ListenPort=<enter a port number to use for WireGuard UDP data, 51820 seems common> [WireGuardPeer] PublicKey=<paste the public key of the remote host here> AllowedIPs=0.0.0.0/0 AllowedIPs=::/0 Endpoint=<remote IP or hostname>:<remote port>
Note that the above example assumes that you are setting up a "client" to connect to a server. If you are instead setting up a server, you probably want much more restricted AllowedIPs entries. Also, on a server you would typically have several WireGuardPeer sections.
The .netdev file contains security-sensitive data (the private key) and should have appropriate file permissions:
# chown root.systemd-network /etc/systemd/network/wg0.netdev # chmod 0640 /etc/systemd/network/wg0.netdev
Second, create a matching systemd.network(5) file ending in .network and place it in /etc/systemd/network, for example as /etc/systemd/network/wg0.network:
[Match] Name=wg0 [Network] Address=10.88.88.1/24 Address=2001:db8:1234:5678::1
Now tell systemd to reload its configuration and start systemd-networkd(8):
# systemctl daemon-reload # systemctl start systemd-networkd
Step 2 - Alternative D - systemd with wg-quick
Assuming the user has a valid configuration file, by example /etc/wireguard/wg0.conf, one can simply do:
# systemctl enable wg-quick@wg0 # systemctl start wg-quick@wg0
Step 2 - Alternative E - NetworkManager
NetworkManager has had support for WireGuard since version 1.16 (i.e. in DebianTesting and DebianUnstable).
This support does not yet include a GUI for configuring WireGuard interfaces, meaning that the configuration has to be done using the command line for now.
See this blog post for more details.
Step 3 - Check the end result
You can check the status of your new interface by using e.g.:
# ip addr show dev wg0 # wg show wg0
And, if you've let systemd create the interface, by using:
# networkctl status wg0
Configuration - Mobile Clients
WireGuard has a user space implementation for mobile devices available via the WireGuard app - available for Android and iOS (a full list of supported operating systems is available here).
The client can be configured in several ways:
Alternative A - Create configuration manually
This is self-explanatory, you actually create the config on the mobile device then transfer the relevant keys to the server's config.
Alternative B - Create configuration from archive
Here you have to create a .zip archive of the client configuration file, transfer it to the device then import it into the app.
Alternative C - Import by reading a QR code (most secure method)
The mobile client as of version 0.0.20180724 supports QR code based input.
qrencode can be used to generate qr codes, even in a terminal/console using UTF8 characters.
The syntax is:
# qrencode -t ansiutf8 < client.conf
This will generate a QR code that is readable by the mobile client.
The advantage of this approach is that there is no need to transfer sensitive information via data channels that can potentially be compromised and there is no need for any additional software.