WireGuard - a fast and modern VPN

About WireGuard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It can be a useful replacement for IPSec or OpenVPN.

Official website: https://www.wireguard.com/

Installation

WireGuard is packaged in as wireguard which pulls in wireguard-tools. If the installed Linux kernel doesn't have builtin wireguard support (which it indicates by providing the virtual package wireguard-modules), wireguard-dkms will also be pulled in as a dependency.

On DebianBuster, wireguard is available from Backports. If your sources list contains the backports stanza, you can install wireguard by

# apt update && apt -t buster-backports install wireguard 

The packages for DebianUnstable and DebianTesting also work on DebianJessie and DebianStretch. You can install them by following the Wireguard installation instructions, which boil down to:

# echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable-wireguard.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard

Note that if the module is built with dkms you should ensure you have rebooted in to your most recent kernel update before installing.

Configuration - Debian Peers

Step 1 - Generating Keypairs

You need to generate key pairs for server and clients. To generate key pairs:

# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Make sure that you protect the privatekey file, e.g. via appropriate file permissions.

Step 2 - Configuration

Step 2 - Alternative A - Manual Configuration

You need to enable the following in /etc/sysctl.conf

net.ipv4.ip_forward = 1

to reload settings

# sysctl -p

In server create /etc/wireguard/wg0.conf. Open UDP port 51820 and change your interface for iptables (eth0).

[Interface]
Address = 192.168.11.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE KEY

[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.11.2/32

[Peer]
PublicKey = OTHER_CLIENT_PUBLIC_KEY
AllowedIPs = ...

Test server:

# systemctl start wg-quick@wg0
# ip a show wg0

Now, in client create /etc/wireguard/wg0.conf.

[Interface]
PrivateKey = YOU_CLIENT_PRIVATE_KEY
## Client IP
Address = 192.168.11.2/24

## if you have DNS server running
# DNS = 192.168.11.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
 
## to pass internet trafic 0.0.0.0 but for peer connection only use 192.168.11.0/24, or you can also specify comma separated IPs
AllowedIPs =  0.0.0.0/0

Endpoint = SERVER_PUBLIC_IP:51820
PersistentKeepalive = 20

Test client:

# systemctl start wg-quick@wg0
# ip a show wg0

You may enable systemd by default in server and client by

# systemctl enable wg-quick@wg0

For testing purposes, it may be sufficient to use wg-quick directly - see the wg-quick(8) man page (upstream version) and quickstart instructions.

Step 2 - Alternative B - /etc/network/interfaces

The following configuration examples focus on using /etc/network/interfaces as much as possible.

For a host with static network configuration (such as a server), using /etc/network/interfaces is often the preferred way.

Point-to-point tunnel

This example builds a simple point-to-point tunnel between two machines.

# /etc/network/interfaces
auto wg-p2p
iface wg-p2p inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up ip link add $IFACE type wireguard
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
        post-down ip link del $IFACE
iface wg-p2p inet6 static
        address 2001:db8:1234:5678::1
        netmask 64

# /etc/wireguard/wg-p2p.conf 
[Interface]
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[Peer]
Endpoint = <remote IP>:<remote port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0, ::/0

You can then simply add routes through the tunnel, either statically, or dynamically using e.g. OSPF or BGP. For static routes:

# ip route add 2001:db8:4242::/48 dev wg-demo
# ip route add 192.168.42.0/24 dev wg-demo

VPN client with default route

This allows a "client" to connect to a server, and redirect its default route through the tunnel. This example uses wg-quick, make sure you understand what it does to your routing tables!

# /etc/network/interfaces
auto wg-client
iface wg-client inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up wg-quick up $IFACE
        post-down wg-quick down $IFACE

# /etc/wireguard/wg-client.conf 
[Interface]
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[Peer]
Endpoint = <server IP>:<server port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0, ::/0

Step 2 - Alternative C - systemd

systemd has native support for setting up WireGuard interfaces since version 237 (available in buster and stretch-backports).

First, create a systemd.netdev(5) file ending in .netdev and place it in /etc/systemd/network, for example as /etc/systemd/network/wg0.netdev:

[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard test

[WireGuard]
PrivateKey=<paste the private key of the local host here>
ListenPort=<enter a port number to use for WireGuard UDP data, 51820 seems common>

[WireGuardPeer]
PublicKey=<paste the public key of the remote host here>
AllowedIPs=0.0.0.0/0
AllowedIPs=::/0
Endpoint=<remote IP or hostname>:<remote port>

Note that the above example assumes that you are setting up a "client" to connect to a server. If you are instead setting up a server, you probably want much more restricted AllowedIPs entries. Also, on a server you would typically have several WireGuardPeer sections.

The .netdev file contains security-sensitive data (the private key) and should have appropriate file permissions:

# chown root.systemd-network /etc/systemd/network/wg0.netdev
# chmod 0640 /etc/systemd/network/wg0.netdev

Second, create a matching systemd.network(5) file ending in .network and place it in /etc/systemd/network, for example as /etc/systemd/network/wg0.network:

[Match]
Name=wg0

[Network]
Address=10.88.88.1/24
Address=2001:db8:1234:5678::1

Now tell systemd to reload its configuration and start systemd-networkd(8):

# systemctl daemon-reload
# systemctl start systemd-networkd

Step 2 - Alternative D - systemd with wg-quick

Assuming the user has a valid configuration file, by example /etc/wireguard/wg0.conf, one can simply do:

# systemctl enable wg-quick@wg0 
# systemctl start wg-quick@wg0

Step 2 - Alternative E - NetworkManager

NetworkManager has had support for WireGuard since version 1.16 (i.e. in DebianTesting and DebianUnstable).

This support does not yet include a GUI for configuring WireGuard interfaces, meaning that the configuration has to be done using the command line for now.

See this blog post for more details.

Step 3 - Check the end result

You can check the status of your new interface by using e.g.:

# ip addr show dev wg0
# wg show wg0

And, if you've let systemd create the interface, by using:

# networkctl status wg0

Configuration - Mobile Clients

WireGuard has a user space implementation for mobile devices available via the WireGuard app - available for Android and iOS (a full list of supported operating systems is available here).

The client can be configured in several ways:

Alternative A - Create configuration manually

This is self-explanatory, you actually create the config on the mobile device then transfer the relevant keys to the server's config.

Alternative B - Create configuration from archive

Here you have to create a .zip archive of the client configuration file, transfer it to the device then import it into the app.

Alternative C - Import by reading a QR code (most secure method)

The mobile client as of version 0.0.20180724 supports QR code based input.

qrencode can be used to generate qr codes, even in a terminal/console using UTF8 characters.

The syntax is:

# qrencode -t ansiutf8 < client.conf

This will generate a QR code that is readable by the mobile client.

The advantage of this approach is that there is no need to transfer sensitive information via data channels that can potentially be compromised and there is no need for any additional software.

See also