16th January 2019 - I have updated the article to include DNS lookups over VPN too, where as previously they would have been going out via your ISP/WiFi/mobile provider.
WireGuard is the new kid on the block when it comes to VPNs. I could try and explain what it is and why you should switch from OpenVPN or IPsec to it, but they do a great job of that themselves:
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
“Great” I hear you say, “but IPSec and OpenVPN are a pain to setup, let alone setup securely”. Fear not, WireGuard has you covered:
WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard.
This guide will walk you through how to setup WireGuard in a way that all your client outgoing traffic will be routed via another machine (server). This is ideal for situations where you don’t trust the local network (public or coffee shop wifi) and wish to encrypt all your traffic to a server you trust, before routing it to the Internet.
Server Setup Guide
I am making some assumptions here, such as using Ubuntu for your server OS, so please tweak to fit your situation.
First up, we need to make sure you’ve got the kernel headers installed, as well as enabling IPv4 forwarding:
sudo apt install linux-headers-$(uname -r) sysctl net.ipv4.ip_forward=1 echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-sysctl.conf # Make the change persistent
Because WireGuard isn’t currently part of the distributed Ubuntu packages, we’ll add the helpful PPA repository to keep things easy and up to date.
sudo add-apt-repository ppa:wireguard/wireguard sudo apt update sudo apt install wireguard sudo modprobe wireguard
With WireGuard now installed, we need to generate a public and a private key – fortunately, this is a simple one-liner:
wg genkey | tee /etc/wireguard/server-privatekey | wg pubkey > /etc/wireguard/server-publickey
Next up, we need to create a WireGuard config file:
sudo nano /etc/wireguard/wg0.conf [Interface] Address = 10.200.200.1/24 Address = fd86:ea04:1115::1/64 SaveConfig = true DNS = 10.200.200.1 # Change eth0 to your network interface if it differs PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 51820 PrivateKey = <contents of /etc/wireguard/server-privatekey>
We also need a DNS server running, to forward our requests from the clients rather than letting the clients go out to their local/ISP provided DNS. I have pinched most of this from ck’s Wireguard setup guide.
apt-get install unbound unbound-host curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
sudo nano /etc/unbound/unbound.conf server: num-threads: 4 #Enable logs verbosity: 1 #list of Root DNS Server root-hints: "/var/lib/unbound/root.hints" #Use the root servers key for DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" #Respond to DNS requests on all interfaces interface: 0.0.0.0 max-udp-size: 3072 #Authorized IPs to access the DNS Server access-control: 0.0.0.0/0 refuse access-control: 127.0.0.1 allow access-control: 10.200.200.0/24 allow #not allowed to be returned for public internet names private-address: 10.200.200.0/24 # Hide DNS Server info hide-identity: yes hide-version: yes #Limit DNS Fraud and use DNSSEC harden-glue: yes harden-dnssec-stripped: yes harden-referral-path: yes #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning unwanted-reply-threshold: 10000000 #Have the validator print validation failures to the log. val-log-level: 1 #Minimum lifetime of cache entries in seconds cache-min-ttl: 1800 #Maximum lifetime of cached entries cache-max-ttl: 14400 prefetch: yes prefetch-key: yes Last but not least, we need to tidy up some permissions and give unbound a kick to bring it to life. ```shell sudo chown -R unbound:unbound /var/lib/unbound sudo systemctl enable unbound sudo systemctl start unbound
At this point, WireGuard on the server is complete and we could start it up if we wanted, but first, lets configure our client.
iOS Client Setup Guide
Our first client is an Apple iOS device. Currently WireGuard isn’t built into the operating system, unlike IPSec or IKEv2. However, we can easily overcome this hurdle thanks to the WireGuard iOS App which is currently in alpha and can be installed easily via TestFlight. Alternatively you can check out another 3rd party client produced by TunSafe which again can be installed via TestFlight.
With one of the two apps installed, lets generate a config server-side and we can transfer it later with a simple QR code. We could manually enter a config within the app, however moving around those keys can be a nightmare…
First up, client private and public keys:
cd /etc/wireguard wg genkey | tee mobile-privatekey | wg pubkey > mobile-publickey
We need to configure our mobile client as a peer within
wg0.conf, so that we can connect to our server.
[Interface] [...] [Peer] # Our mobile client details PublicKey = <contents of mobile-publickey> AllowedIPs = 10.200.200.2/32, fd86:ea04:1115::2/128
That is everything we need to do for our server config - simple right?
To split things up a little, lets start WireGuard. We can bring the interface up with
wg-quick up wg0, as well as down with
wg-quick down wg0.
However if you would rather run it as a service so that it is always brought up on start-up or after reboots, we can utilise
systemctl enable wg-quick@wg0 # Enable to start at boot-up systemctl start wg-quick@wg0 # Start to.. well, start.
You can get the current status of WireGuard by simply running
root@lon-vpn:/etc/wireguard# wg interface: wg0 public key: 3YjKyxxxxxxxxxxxxxxxxxxxxxxxxxxxsx856vfcQc= private key: (hidden) listening port: 51820 peer: x8roC6GOxxxxxxxxxxxxxxxxxxxxxxxdi7Uhol6xY= allowed ips: 10.200.200.2/32, fd86:ea04:1115::2/128
With WireGuard successfully running, lets create a
conf file for our iOS device which we will transfer via QR code. We can do all of this whilst we are still on our server.
cd /etc/wireguard nano mobile.conf [Interface] PrivateKey = <contents of mobile-privatekey> Address = 10.200.200.2/32, fd86:ea04:1115::2/128 DNS = 10.200.200.1 [Peer] PublicKey = <contents of server-publickey> Endpoint = <server-ip>:51820 AllowedIPs = 0.0.0.0/0, ::/0
Mobile config done. Lets get it transferred to our device. We will do this using a QR code, which we can create on our server using
qrencode. You can install this via
apt install qrencode.
To generate the QR code and display it on the screen:
qrencode -t ansiutf8 < /etc/wireguard/mobile.conf
Simply scan this code using one of the iOS apps mentioned previously, and you will be all setup! Enjoy routing all of your traffic via your server. You can verify this by visiting https://canihazip.com or similar on your device.