Introduction:
The goal of this guide is to set up a WireGuard server on the host to allow remote access to the network that the server lives on (a point-to-site connection).
There are many ways to set up remote encrypted VPN access to the server. The easiest is to use the openmediavault-wireguard plugin, which does exactly the same as this how-to. You can also do it via a docker stack; you can see how to do it here: [How-To] Install Wireguard (VPN) in docker, server mode. If you are a beginner user, maybe you should not continue reading; it is easier to follow the other routes. Everything in this guide is done from the command line and the explanations are not extensive.
But if for some reason you prefer to do it directly on the host, for example to avoid container updates, or because you need to customize your WireGuard configuration, you can follow this guide.
Update (June 2023): The openmediavault-wireguard plugin now allows custom configurations, so installing WireGuard on the host only makes sense if there is a problem installing that plugin.
Initial parameters:
This guide will use the following parameters; you can change them at your convenience:
- Network interface: wg0
- Access port: 51280 (remember to open this port on the router and forward it to the server)
- VPN network created: 10.15.15.0/24
- Domain: mydomain.com (you need a domain pointing to your server; you can set one up for free at duckdns.org)
- Existing network interface: enp2s0 (check which one is yours in the WebUI and change this value)
Initial setup:
- Install WireGuard and qrencode (to generate the configuration QR code for the client)
apt install wireguard
apt install qrencode
- Create the key directory and generate the server keys.
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
wg genkey | tee server.key | wg pubkey > server.pub
- To see the keys and copy them somewhere
cat server.key
cat server.pub
Configuring clients on the server:
- Create the client folder and generate its keys.
mkdir -p /etc/wireguard/keys/client1
cd /etc/wireguard/keys/client1
wg genkey | tee client1.key | wg pubkey > client1.pub && wg genpsk > client1.psk
- View the keys and copy them somewhere
cat client1.key
cat client1.pub
cat client1.psk
- Create the client1 configuration file
nano client1.conf
- Copy in the following:
Code
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client1.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.2/32

[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280
Save and exit.
- Generate a PNG file with the client configuration as a QR code.
qrencode -t png -o client1-qr.png -r client1.conf
- If you want to see the code on screen instead
qrencode -t ansiutf8 < client1.conf
At this point you have generated the configuration files for one client. If you need another client, repeat the process in a client2 folder; in its configuration file increment the client's IP address by one (Address = 10.15.15.3/32) and use the corresponding keys, the rest stays the same. For client 2 it would be:
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client2.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.3/32

[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280
You can create as many clients as you need.
Server configuration:
- Create the server configuration file
cd /etc/wireguard
nano wg0.conf
- Copy in the following, remembering to adjust enp2s0 and the subnet to your real values:
Code
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_server.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.1/32
PreUp = sysctl -w net.ipv4.ip_forward=1
# the -s subnet must match the VPN network (10.15.15.0/24) and the same rules must be removed in PostDown
PostUp = iptables -A FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -A FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -D FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE

[Peer]
#client1
PublicKey = XXXXXXXXXX_VALUE_OF_client1.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.2/32

[Peer]
#client2
PublicKey = XXXXXXXXXX_VALUE_OF_client2.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.3/32

#If more clients have been configured, continue below
#[Peer]
#client3
#...
Save and exit
- Restrict the permissions of all WireGuard keys and configuration files so that only root can access them
chmod -R go-rwx /etc/wireguard
- Configure the service
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service
At this moment you already have the service configured and working; you only have to configure a client to access the network.
Configuring a client on a smartphone (Android/iOS) or PC (Ubuntu/Mac/Windows):
- Connection with a smartphone (Android/iOS)
Install the WireGuard app on your smartphone, open it and set up a connection from a QR code. Copy the /etc/wireguard/keys/client1/client1-qr.png file that you generated earlier to your desktop and open it. Scan the image with your smartphone. You already have the connection configured.
- Connection with a PC (Ubuntu 22.10)
Ubuntu does not yet have WireGuard integrated into its GUI. If you have gotten this far it is easy to set up the client; you just have to repeat some of the steps above:
- Install wireguard
sudo apt update
sudo apt install wireguard
- Copy the file you generated for the client to /etc/wireguard/wg0.conf (the file name must match the wg0 in the service name used below)
- Edit the client file and enable routing in the kernel by adding another line in the [Interface] section
PreUp = sysctl -w net.ipv4.ip_forward=1
- Enable the service
sudo systemctl enable wg-quick@wg0.service
- You will have to start and stop it manually.
sudo systemctl start wg-quick@wg0.service
sudo systemctl stop wg-quick@wg0.service
- Connection with a PC (Mac/Windows)
Copy the /etc/wireguard/keys/client1/client1.conf file that you generated previously to your PC's desktop. Install the WireGuard application on your PC. Click on "Add tunnel", then "Import tunnel from file", and select the client1.conf file from your desktop (or client2.conf if you already used 1 on your smartphone). You already have the connection configured.
Add a client if the service is already running:
If you need to add a client later, while the service is already in operation, do the following:
- Generate the keys and configuration of the new client as explained above.
- Stop the service and edit the server configuration file
systemctl stop wg-quick@wg0.service
nano /etc/wireguard/wg0.conf
- Add the [Peer] block of the new client at the end; do not forget to increment the IP address by one. Save and exit.
- Start the service again.
systemctl start wg-quick@wg0.service
You can now configure the connection in your new client.
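The per-client steps of this guide (keys, clientN.conf, QR code, and the server [Peer] block with the next address) collected into one script, both for the initial clients and for adding one later. This is an added example, not part of the original post or of openmediavault; it assumes the guide's values (10.15.15.0/24, port 51280, mydomain.com, /etc/wireguard/keys/clientN), takes the server public key from a SERVER_PUB environment variable (a placeholder otherwise), and needs wg and qrencode installed.

```shell
#!/bin/sh
# Added example (not from the original post): create keys and both config
# snippets for client N following the layout of this guide. Assumes the
# guide's network/port/domain and that wg and qrencode are installed.
set -eu

WG_NET_PREFIX="10.15.15"    # VPN network 10.15.15.0/24 from the guide
WG_PORT=51280
WG_ENDPOINT="mydomain.com"
SERVER_PUB="${SERVER_PUB:-XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX}"  # placeholder, export the real key
KEYS_DIR="${KEYS_DIR:-/etc/wireguard/keys}"

# Client N gets 10.15.15.(N+1): the server is .1, client1 is .2, client2 is .3, ...
client_addr() {
    n="$1"
    [ "$n" -ge 1 ] && [ "$n" -le 253 ] || { echo "client number $n out of range" >&2; return 1; }
    echo "$WG_NET_PREFIX.$((n + 1))"
}

# Client-side file (clientN.conf), same layout as the guide's client1.conf.
render_client_conf() {   # args: number privkey psk
    addr=$(client_addr "$1")
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nAddress = %s/32\n\n' "$2" "$WG_PORT" "$addr"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:%s\n' \
        "$SERVER_PUB" "$3" "$WG_ENDPOINT" "$WG_PORT"
}

# Server-side [Peer] block to append at the end of /etc/wireguard/wg0.conf.
render_server_peer() {   # args: number pubkey psk
    addr=$(client_addr "$1")
    printf '\n[Peer]\n#client%s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3" "$addr"
}

# Whole procedure for one client: keys, client config, QR code, server peer snippet.
add_client() {   # arg: number
    n="$1"; d="$KEYS_DIR/client$n"
    [ ! -e "$d" ] || { echo "$d already exists, refusing to overwrite its keys" >&2; return 1; }
    umask 077                      # key files are created readable by root only
    mkdir -p "$d"
    wg genkey > "$d/client$n.key"
    wg pubkey < "$d/client$n.key" > "$d/client$n.pub"
    wg genpsk > "$d/client$n.psk"
    render_client_conf "$n" "$(cat "$d/client$n.key")" "$(cat "$d/client$n.psk")" > "$d/client$n.conf"
    qrencode -t png -o "$d/client$n-qr.png" -r "$d/client$n.conf"
    render_server_peer "$n" "$(cat "$d/client$n.pub")" "$(cat "$d/client$n.psk")" > "$d/server-peer$n.conf"
    echo "Append $d/server-peer$n.conf to /etc/wireguard/wg0.conf and restart wg-quick@wg0"
}

[ $# -eq 0 ] || add_client "$1"   # usage: sh addclient.sh 3
```

Run it as root with the client number as the only argument; the generated server-peerN.conf is what you paste into wg0.conf before restarting the service.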
I hope it is useful !!