WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It can be a useful replacement for IPSec or OpenVPN.
Official website: https://www.wireguard.io/
Installation on Debian
The packages also work on jessie and stretch; follow the instructions at https://www.wireguard.io/install/
Configuration on Debian
The following configuration examples focus on using /etc/network/interfaces as much as possible. Alternatives include using wg-quick directly or through a systemd service (see quickstart and man wg-quick). However, for a server, configuration based on /etc/network/interfaces is often the preferred way.
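To generate key pairs, use the following commands. Setting umask 077 first keeps the private key file from being created world-readable:

    umask 077
    wg genkey | tee wg-private.key | wg pubkey > wg-public.key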
This example builds a simple point-to-point tunnel between two machines.
    # /etc/network/interfaces
    auto wg-p2p
    iface wg-p2p inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up ip link add $IFACE type wireguard
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
        post-down ip link del $IFACE
    iface wg-p2p inet6 static
        address 2001:db8:1234:5678::1
        netmask 64

    # /etc/wireguard/wg-p2p.conf
    [Interface]
    PrivateKey = XXX
    ListenPort = YYYY
    [Peer]
    Endpoint = <remote IP>:<remote port>
    PublicKey = ZZZ
    AllowedIPs = 0.0.0.0/0, ::/0
You can then simply add routes through the tunnel, either statically, or dynamically using e.g. OSPF or BGP. For static routes:
    # ip route add 2001:db8:4242::/48 dev wg-p2p
    # ip route add 192.168.42.0/24 dev wg-p2p
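An added example, not part of the original page: AllowedIPs is also WireGuard's per-peer packet filter, so a route pointed at the tunnel device only carries traffic if some peer's AllowedIPs contains it. This Python sketch parses a wg setconf-style file and reports which static routes would be dropped; the narrowed config and its 10.88.88.2 peer address are constructed assumptions.

```python
import ipaddress

# Constructed sample input. PAGE_CONF mirrors the wg-p2p.conf above (placeholders
# kept); NARROW_CONF is a hypothetical tightened variant for comparison.
PAGE_CONF = """[Interface]
PrivateKey = XXX
ListenPort = YYYY
[Peer]
Endpoint = <remote IP>:<remote port>
PublicKey = ZZZ
AllowedIPs = 0.0.0.0/0, ::/0
"""
NARROW_CONF = PAGE_CONF.replace("0.0.0.0/0, ::/0", "10.88.88.2/32, 192.168.42.0/24")
ROUTES = ["2001:db8:4242::/48", "192.168.42.0/24"]  # the static routes above

def parse_peers(conf_text):
    """Return [{'key': PublicKey, 'nets': [ip_network, ...]}, ...], one per [Peer]."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({"key": None, "nets": []})
        elif section == "peer" and "=" in line:
            name, _, value = line.partition("=")  # base64 keys end in '=' too
            if name.strip().lower() == "publickey":
                peers[-1]["key"] = value.strip()
            elif name.strip().lower() == "allowedips":
                peers[-1]["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",") if v.strip()]
    return peers

def peer_for(peers, address):
    """Peer an outgoing packet is encrypted to: longest AllowedIPs match, else None."""
    addr = ipaddress.ip_address(address)
    hits = [(net.prefixlen, p["key"]) for p in peers for net in p["nets"]
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def uncovered_routes(peers, routes):
    """Routes sent to the wg device that no single AllowedIPs entry contains."""
    nets = [net for p in peers for net in p["nets"]]
    return [r for r in routes
            if not any(n.version == ipaddress.ip_network(r).version
                       and ipaddress.ip_network(r).subnet_of(n) for n in nets)]

if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("narrowed config", NARROW_CONF)):
        print(label, "-> dropped routes:", uncovered_routes(parse_peers(conf), ROUTES))
```

With the page's catch-all AllowedIPs both routes pass; with the narrowed list the IPv6 route has no matching peer and its packets are dropped at the interface.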
VPN client with default route
This allows a "client" to connect to a server and redirect its default route through the tunnel. This example uses wg-quick; make sure you understand what it does to your routing tables!
    # /etc/network/interfaces
    auto wg-client
    iface wg-client inet static
        address 10.88.88.1
        netmask 255.255.255.0
        pre-up wg-quick up $IFACE
        post-down wg-quick down $IFACE

    # /etc/wireguard/wg-client.conf
    [Interface]
    PrivateKey = XXX
    ListenPort = YYYY
    [Peer]
    Endpoint = <server IP>:<server port>
    PublicKey = ZZZ
    AllowedIPs = 0.0.0.0/0, ::/0