WireGuard: VPN Server and Client Configuration
In this blog I will show, step by step, how to configure a WireGuard VPN server and a client that connects to it.
Introduction:
WireGuard is a security-focused virtual private network (VPN) known for its simplicity and small code base. Instead of negotiating cipher suites it uses a fixed set of modern primitives (Curve25519 for key exchange, ChaCha20-Poly1305 for encryption, BLAKE2s for hashing), which leaves very little to misconfigure. Originally developed for the Linux kernel (merged in Linux 5.6), it is now available on Windows, macOS, BSD, iOS and Android.
Note: in this WireGuard setup both the client and the server run Ubuntu 20.04.
Step 1: Install WireGuard on the server machine (Peer A)
SSH into the cloud server and bring the system up to date:
sudo apt-get update && sudo apt-get upgrade
Then install WireGuard:
sudo apt-get install wireguard
Install WireGuard on the client machine the same way.
- IP forwarding:
Packet forwarding must be enabled on the server; otherwise it will accept the tunnel but will not route traffic between wg0 and its other interfaces. Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
and uncomment (remove the leading #) the line
net.ipv4.ip_forward=1
Apply the setting without rebooting:
sudo sysctl -p
which prints the value it just set: net.ipv4.ip_forward=1
Keep in mind that this turns the server into a router for all of its interfaces, so the FORWARD rules added in the server config below are what decide which traffic is actually forwarded.
2. Generating private and public keys
Each WireGuard peer has its own static Curve25519 key pair. The private key never leaves the machine; the public key is what you hand to the other side. Each peer lists the other's public key in its config, and from the two key pairs both sides derive the same symmetric session keys, which then protect traffic in both directions. So you need one key pair on the server and one on the client.
Generate the server's pair inside /etc/wireguard so the files end up with restrictive permissions. This needs root, so open a root shell first:
sudo -i
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
The umask ensures privatekey is created readable only by root (mode 0600). Note the subcommand is wg pubkey: it reads the private key on stdin and prints the matching public key.
3. Generate server config
To configure the WireGuard server, create the file /etc/wireguard/wg0.conf (the file name determines the interface name, wg0):
sudo vi /etc/wireguard/wg0.conf
Add the following directives to the configuration file:
[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32
Notes:
1. Paste the server private key generated above into PrivateKey. Never copy this value anywhere else; only the public key is ever shared.
2. Generate a key pair on the client in the same way (see Step 2), then paste the client's public key into PublicKey under [Peer]. AllowedIPs = 10.0.0.2/32 tells the server to accept packets from this peer only if their source is the client's tunnel address 10.0.0.2, and to send packets destined for 10.0.0.2 to it.
3. The PostUp/PostDown rules assume the server's internet-facing interface is eth0. Check with the following command and replace eth0 if the interface has another name (for example ens3):
ip route show default
To print the key values:
sudo cat /etc/wireguard/publickey
sudo cat /etc/wireguard/privatekey
4. Starting WireGuard and enabling it at boot
Bring the interface up with wg-quick, which reads /etc/wireguard/wg0.conf:
sudo wg-quick up wg0
If the configuration is correct, wg-quick prints each command it runs, prefixed with [#] (ip link add wg0 type wireguard, ip -4 address add 10.0.0.1/24 dev wg0, ip link set mtu ... up dev wg0, then the PostUp iptables commands). A parse error in wg0.conf is reported instead and no interface is created.
To start the tunnel automatically at boot, enable the systemd unit for the interface:
sudo systemctl enable wg-quick@wg0
Make sure UDP port 51820 is reachable on the server: open it in the cloud provider's security group or firewall, and in ufw if that is in use. WireGuard does not respond to unauthenticated packets, so a blocked port shows up only as a missing handshake on the client, not as an error.
To check the server's status:
sudo wg show
Step 2: Client configuration (Peer B)
Install WireGuard on the client as on the server, then generate the client's key pair in the same way (as root, in /etc/wireguard, with umask 077):
wg genkey | tee privatekey | wg pubkey > publickey
Then create the client configuration file:
sudo vi /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <contents-of-client-privatekey>
Address = 10.0.0.2/24
[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Notes: the client config is not a copy of the server config but its mirror image. PrivateKey is the client's own private key, and PublicKey under [Peer] is the server's public key. Address is the client's tunnel address 10.0.0.2, matching the AllowedIPs entry for this peer on the server. Endpoint is the server's public IP (or hostname) plus the ListenPort from the server config; the client needs it because it initiates the connection, while the server learns the client's address from the first handshake and needs no Endpoint. AllowedIPs = 0.0.0.0/0 sends all of the client's traffic through the tunnel (which is what the MASQUERADE rule on the server is for); use 10.0.0.0/24 instead to tunnel only traffic to the VPN subnet. PersistentKeepalive keeps the NAT mapping alive when the client sits behind a NAT router. ListenPort and the PostUp/PostDown iptables rules are not needed on the client.
To start the connection:
sudo wg-quick up wg0
Now the client can reach the server over the tunnel; verify it with
ping 10.0.0.1
To check the connection status:
sudo wg show
The output lists the interface with its public key and listening port, then the peer with its endpoint, allowed ips, latest handshake and transfer counters. A latest handshake line that is a few seconds old means the tunnel is up. If that line is missing, the handshake is failing: check that Endpoint and the UDP port are correct and reachable, that each side has the other's public key (not its own), and that the client's Address falls inside the server's AllowedIPs for that peer.
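As an added example, not part of the original post, the following bash script renders a matching server and client wg0.conf pair from one set of inputs and cross-checks them, which rules out the classic mistake of copying the server file to the client. It assumes the server's egress interface is eth0 and uses the documentation address 203.0.113.10:51820 as a placeholder endpoint; the key pairs are generated with wg genkey only when the wg tool is installed, otherwise the demo is skipped and the render/check functions can be called with keys of your own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build a matching WireGuard
# server/client config pair from one set of inputs and cross-check it.
# Assumptions: the server's egress interface is eth0, and the endpoint
# 203.0.113.10:51820 is a placeholder (documentation range). Real keys are
# generated only when wg(8) is installed; the functions accept any key strings.
set -euo pipefail

# Create privatekey/publickey in directory $1 with mode 0600 (umask 077),
# the same as the tutorial's manual step. Requires wg(8).
gen_keypair() {
    local dir="$1"
    ( umask 077 && wg genkey | tee "$dir/privatekey" | wg pubkey > "$dir/publickey" )
}

# Server wg0.conf. Args: server private key, client public key,
# server tunnel address (CIDR), client tunnel IP, listen port, egress NIC.
render_server_conf() {
    local srv_priv="$1" cli_pub="$2" srv_addr="$3" cli_ip="$4" port="$5" nic="$6"
    cat <<EOF
[Interface]
PrivateKey = ${srv_priv}
Address = ${srv_addr}
ListenPort = ${port}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${nic} -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${nic} -j MASQUERADE

[Peer]
PublicKey = ${cli_pub}
AllowedIPs = ${cli_ip}/32
EOF
}

# Client wg0.conf. Args: client private key, server public key,
# client tunnel address (CIDR), server endpoint host:port, AllowedIPs.
render_client_conf() {
    local cli_priv="$1" srv_pub="$2" cli_addr="$3" endpoint="$4" allowed="$5"
    cat <<EOF
[Interface]
PrivateKey = ${cli_priv}
Address = ${cli_addr}

[Peer]
PublicKey = ${srv_pub}
Endpoint = ${endpoint}
AllowedIPs = ${allowed}
PersistentKeepalive = 25
EOF
}

# Print the value of the first "Key = value" line for key $1 in config file $2.
conf_get() {
    local key="$1" file="$2"
    sed -n "/^[[:space:]]*${key}[[:space:]]*=/{s/^[^=]*=[[:space:]]*//p;q;}" "$file"
}

# Cross-check a pair: each [Peer] PublicKey must be the OTHER side's public
# key, the two private keys must differ, and the client must have an Endpoint.
# Args: server conf, client conf, server public key, client public key.
check_pair() {
    local srv_conf="$1" cli_conf="$2" srv_pub="$3" cli_pub="$4"
    [ "$(conf_get PublicKey "$srv_conf")" = "$cli_pub" ] || return 1
    [ "$(conf_get PublicKey "$cli_conf")" = "$srv_pub" ] || return 1
    [ "$(conf_get PrivateKey "$srv_conf")" != "$(conf_get PrivateKey "$cli_conf")" ] || return 1
    [ -n "$(conf_get Endpoint "$cli_conf")" ] || return 1
}

# Stand-alone demo: generate real keys and write both files under a temp dir.
main() {
    if ! command -v wg >/dev/null 2>&1; then
        echo "wg not installed; skipping key generation demo" >&2
        return 0
    fi
    local work; work=$(mktemp -d)
    mkdir -p "$work/server" "$work/client"
    gen_keypair "$work/server"
    gen_keypair "$work/client"
    local srv_pub cli_pub
    srv_pub=$(cat "$work/server/publickey")
    cli_pub=$(cat "$work/client/publickey")
    render_server_conf "$(cat "$work/server/privatekey")" "$cli_pub" 10.0.0.1/24 10.0.0.2 51820 eth0 > "$work/server/wg0.conf"
    render_client_conf "$(cat "$work/client/privatekey")" "$srv_pub" 10.0.0.2/24 203.0.113.10:51820 0.0.0.0/0 > "$work/client/wg0.conf"
    check_pair "$work/server/wg0.conf" "$work/client/wg0.conf" "$srv_pub" "$cli_pub" && echo "configs in $work are consistent"
}
main "$@"
```

Copy the generated server/wg0.conf and client/wg0.conf into /etc/wireguard on the respective machines; the private key of each side stays in the temp directory of the machine that generated it, so in practice run gen_keypair on each host and move only the public keys across.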