[How to] Configure Wireguard VPN Server on the Host - openmediavault (2024)

Introduction:

The goal of this guide is to set up a Wireguard server on the host to allow remote access to the network that the server lives on. Point-to-site connection.

There are many ways to set up remote encrypted VPN access to the server. The easiest is to use the openmediavault-wireguard plugin. The plugin does exactly the same as this howto. You can also do it via a docker stack; you can see how to do it here: [How-To] Install Wireguard (VPN) in docker, server mode. If you are a beginner user maybe you should not continue reading; it is easier to follow the other routes. Everything in this guide is done from the command line and the explanations are not extensive.

But if for some reason you prefer to do it directly on the host, for example to avoid container updates, or you need to customize your wireguard configuration, you can follow this guide.

Update (June 2023): The openmediavault-wireguard plugin now allows custom configurations. So installing wireguard on the host would only make sense if there is a problem installing this plugin.

Initial parameters:

This guide will use the following parameters; you can change them at your convenience:

  • Network interface: wg0
  • Access port: 51280 (remember to open this port on the router and direct it to the server)
  • Network generated: 10.15.15.0/24
  • Domain: mydomain.com (you need a domain pointing to your server; you can set one up for free at duckdns.org)
  • Existing network interface: enp2s0 (check which one is yours in the WebUI and change this value)

Initial setup:

  • Install Wireguard and qrencode (to generate a configuration QR code for the client)

apt install wireguard

apt install qrencode

  • Create key tree and generate server keys.

mkdir -p /etc/wireguard/keys

cd /etc/wireguard/keys

wg genkey | tee server.key | wg pubkey > server.pub

  • To see the keys and copy them somewhere

cat server.key

cat server.pub

Configuring clients on the server:

  • Create client folder and generate keys.

mkdir /etc/wireguard/keys/client1

cd /etc/wireguard/keys/client1

wg genkey | tee client1.key | wg pubkey > client1.pub

wg genpsk > client1.psk

  • View the keys and copy them somewhere

cat client1.key

cat client1.pub

cat client1.psk

  • Create client1 configuration file

nano client1.conf

  • Copy in the following:

Code

[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client1.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.2/32

[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280

Save and exit.

  • Generate a file with the client configuration QR code.

qrencode -t png -o client1-qr.png -r client1.conf

  • If you want to see the code on screen

qrencode -t ansiutf8 < client1.conf

At this point you have generated the configuration files for a client. If you need another client, repeat the process in the client2 folder; in the configuration file increase the client's IP address by one position (Address = 10.15.15.3/32). The rest is all the same, with the corresponding keys. For client 2 it would be:

[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client2.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.3/32

[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280

You can create as many clients as you need.

Server configuration:

  • Create server configuration file

cd /etc/wireguard

nano wg0.conf

  • Copy in the following; remember to adjust the values of enp2s0 and the subnet to the real ones:

Code

[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_server.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.1/32
# Enable IPv4 forwarding before the interface comes up
PreUp = sysctl -w net.ipv4.ip_forward=1
# Forward between the LAN interface and the tunnel (%i = wg0) and NAT the VPN subnet
PostUp = iptables -A FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -A FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE
# Each -D must match its -A above exactly, otherwise the rule is not removed
PostDown = iptables -D FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -D FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE

[Peer]
#client1
PublicKey = XXXXXXXXXX_VALUE_OF_client1.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.2/32

[Peer]
#client2
PublicKey = XXXXXXXXXX_VALUE_OF_client2.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.3/32

#If more clients have been configured, continue below
#[peer]
#client3
#...

Save and exit

  • Change permissions of all wireguard keys and configuration files

chmod -R 600 /etc/wireguard

  • Configure the service

systemctl enable wg-quick@wg0.service

systemctl start wg-quick@wg0.service

At this point you already have the service configured and working; you only have to configure a client to access the network.

Configuring a client on a smartphone (Android/iOS) or PC (Ubuntu/Mac/Windows):

  • Connection with a Smartphone (Android/iOS)

Install the Wireguard app on your smartphone, open it and set up a connection from a QR code. Copy the /etc/wireguard/keys/client1/client1-qr.png file that you generated earlier to your desktop and open it. Scan the image with your smartphone. You now have the connection configured.
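The PostUp and PostDown lines in wg0.conf only clean up after themselves when every rule appended with -A is deleted by an identical -D. The shell check below is an added example, not part of the original guide; the function names and the sample config (constructed inline with a deliberate mismatch on the NAT rule) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Checks that PostDown deletes exactly the iptables rules PostUp appended.

# Print one hook's iptables rules, one per line, with -A/-D normalised.
hook_rules() {  # $1 = config file, $2 = PostUp | PostDown
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tr ';' '\n' |
        sed -n 's/^[[:space:]]*iptables[[:space:]]\{1,\}//p' |
        sed -e 's/-[AD] /RULE /' -e 's/[[:space:]]*$//' |
        sort -u
}

# Print every rule PostUp adds that PostDown would not remove.
leftover_rules() {  # $1 = config file
    up=$(hook_rules "$1" PostUp)
    down=$(hook_rules "$1" PostDown)
    [ -n "$up" ] || return 0
    printf '%s\n' "$up" | grep -Fxv -e "$down" | sed 's/RULE /-A /'
}

# Constructed sample modelled on this guide's hooks: PostDown omits the -s
# match on the NAT rule, so the MASQUERADE rule survives "wg-quick down".
write_sample() {  # $1 = output file
    cat > "$1" <<'EOF'
[Interface]
ListenPort = 51280
Address = 10.15.15.1/32
PostUp = iptables -A FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Rules left behind after PostDown:"
leftover_rules "$sample"
rm -f "$sample"
```

Run leftover_rules /etc/wireguard/wg0.conf as root against the real file; empty output means the two hooks are symmetric.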

  • Connection with a PC (Ubuntu 22.10)

Ubuntu does not yet have Wireguard integrated into its GUI. If you've gotten this far it's easy to set up the client. You just have to repeat some of the steps above:

- Install wireguard

sudo apt update

sudo apt install wireguard

- Copy the file you generated for the client to /etc/wireguard

- Edit the client file and enable routing in the kernel by adding another line in the interface section

PreUp = sysctl -w net.ipv4.ip_forward=1

- Enable the service

sudo systemctl enable wg-quick@wg0.service

- You will have to start and stop it manually.

systemctl start wg-quick@wg0.service

systemctl stop wg-quick@wg0.service

  • Connection with a PC (Mac/Windows)

Copy the /etc/wireguard/keys/client1/client1.conf file that you generated previously to your PC's desktop. Install the Wireguard application on your PC. Click on add tunnel and import tunnel from file, and select the client1.conf file from your desktop (or client2.conf if you already used client1 on your smartphone). You now have the connection configured.

Add a client if the service is already running:

If you need to add a client later, while the service is already in operation, do the following:

  • Generate keys and configuration of the new client as explained above.
  • Stop the service and edit the server configuration file

systemctl stop wg-quick@wg0.service

nano /etc/wireguard/wg0.conf

  • Add the configuration of the new client at the end; do not forget to increase the IP address by one position. Save and exit.
  • Start the service again.

systemctl start wg-quick@wg0.service

You can now configure the connection in your new client.
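Choosing the next address by hand is easy to get wrong, and WireGuard routes each address to exactly one peer, so a reused AllowedIPs value takes the address away from the client that had it. The helpers below are an added example, not part of the original guide: they read the [Peer] entries of a server config, print the next free address in 10.15.15.0/24 and list any AllowedIPs value used twice. The function names and the placeholder keys in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide; function names are made up.

# Print the lowest unused client address found in the server config.
next_client_ip() {  # $1 = server config, $2 = first three octets (10.15.15)
    prefix=$(printf '%s' "$2" | sed 's/\./\\./g')
    used=$(sed -n "s/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*$prefix\.\([0-9]\{1,3\}\)\/32.*/\1/p" "$1")
    n=2                                    # .1 is the server itself
    while [ "$n" -le 254 ]; do
        printf '%s\n' "$used" | grep -qx "$n" || { echo "$2.$n"; return 0; }
        n=$((n + 1))
    done
    return 1                               # no free address left
}

# Print every AllowedIPs value that is assigned to more than one peer.
duplicate_allowed_ips() {  # $1 = server config
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | sort | uniq -d
}

# Print the [Peer] block to append to wg0.conf for a new client.
peer_stanza() {  # $1 = name, $2 = public key, $3 = preshared key, $4 = address
    printf '[Peer]\n#%s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed sample of the peer section (placeholder keys, client3 reuses .2).
write_sample() {  # $1 = output file
    {
        peer_stanza client1 PUB1_PLACEHOLDER PSK1_PLACEHOLDER 10.15.15.2
        peer_stanza client2 PUB2_PLACEHOLDER PSK2_PLACEHOLDER 10.15.15.3
        peer_stanza client3 PUB3_PLACEHOLDER PSK3_PLACEHOLDER 10.15.15.2
    } > "$1"
}

conf=$(mktemp)
write_sample "$conf"
echo "Next free address: $(next_client_ip "$conf" 10.15.15)"
echo "Addresses used twice: $(duplicate_allowed_ips "$conf")"
rm -f "$conf"
```

Point both functions at /etc/wireguard/wg0.conf before restarting the service; duplicate_allowed_ips should print nothing.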

I hope it is useful !!

Author: Dr. Pierre Goyette