WireGuard: fast, modern, secure VPN tunnel

Install on ubuntu 18.04:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Create keys

Create keys for server in /etc/wireguard:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Forward traffic

To use this box as jumpbox to the LAN:

sysctl -w net.ipv4.ip_forward=1

To survive reboots, create /etc/sysctl.d/50-forward.conf:

net.ipv4.ip_forward = 1

Create Configuration

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = contents_of_private_key

When using the box to forward traffic to LAN, add to the [Interface] section in wg0.conf:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Make sure to replace eth0 with the appropriate network adapter.

Add “peers” (clients)

You should have each client generate its own secrets and just share with you the public key.

You should assign a IP for each client in the range you defined for the serve (e.g. 10.0.0.1/24 in this example)

[Peer]
PublicKey = public_key_generated_on_client
AllowedIPs = 10.0.0.2/32

Enable service

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0

DNS

When you are trying to use wireguard as a jumpbox to access resources that are not public (e.g. AWS VPC), you may need to use the the DNS resolver of the private network.

For example to access resources in a AWS VPC by their DNS.

Install unbound DNS server in the wireguard jumpbox

sudo apt-get install unbound

Modify the configuration to forward name resolution of amazonaws.com names to VPC DNS resolver. Create a file amazonaws.conf in /etc/unbound/unbound.conf.d:

server:
    interface: 10.0.0.1
	access-control: 0.0.0.0/0 allow
	forward-zone:
		name: amazonaws.com
		forward-addr: 169.254.169.253
	forward-zone:
		name: "."
		forward-addr: 8.8.8.8
		forward-addr: 4.4.4.4

In this case the dns will only respond in the wg0 adapter (10.0.0.1) and will forward all but *.amazonaws.com to google DNS servers.

Now on the configuration in your “local machine” for wireguard modify it to let the client know to use unbound as the DNS resolver when connected to the VPN.

[Interface]
DNS = 10.0.0.1

References

Categories: TL;DR

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *