10-29-2019, 05:00 AM
Build a virtual private network with Wireguard
<div><p>Wireguard is a new VPN designed as a replacement for IPsec and OpenVPN. Its design goal is to be simple and secure, and it takes advantage of recent technologies such as the <a href="http://www.noiseprotocol.org/">Noise Protocol Framework</a>. Some consider Wireguard’s ease of configuration akin to OpenSSH. This article shows you how to deploy and use it.</p>
<p> <span id="more-29472"></span> </p>
<p>It is currently in active development, so it might not be the best choice for production machines. However, Wireguard is under consideration for inclusion in the Linux kernel. The protocol design has been <a href="https://hal.inria.fr/hal-02100345">formally verified</a>,* and proven to resist a number of threats; note that the proof covers the protocol itself, not any particular implementation or deployment.</p>
<p>When deploying Wireguard, keep your Fedora Linux system updated to the most recent version, since Wireguard does not have a stable release cadence.</p>
<h2 id="set-the-timezone">Set the timezone</h2>
<p>To check and set your timezone, first display current time information:</p>
<pre class="wp-block-preformatted">timedatectl</pre>
<p>Then if needed, set the correct timezone, for example to Europe/London.</p>
<pre class="wp-block-preformatted">timedatectl set-timezone Europe/London</pre>
<p>Note that your system’s real time clock (RTC) may continue to be set to UTC or another timezone.</p>
<h2 id="install-wireguard">Install Wireguard</h2>
<p>To install, enable the COPR repository for the project and then install with <em>dnf</em>, <a href="https://fedoramagazine.org/howto-use-sudo/">using </a><em><a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a></em>:</p>
<pre class="wp-block-preformatted">$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools</pre>
<p>Once installed, two new commands become available, along with support for systemd:</p>
<ul>
<li><strong>wg</strong>: Configuration of wireguard interfaces</li>
<li><strong>wg-quick</strong>: Bringing up the VPN tunnels</li>
</ul>
<p>Create the configuration directory for Wireguard and set a umask of 077 before generating any keys. With that umask, files created in the current shell are readable and writable only by their owner (root); group and others get no permissions at all, which is what you want for private keys. Run these steps in a root shell (for example via <em>sudo -i</em>), since the umask applies only to the shell it is set in. </p>
<pre class="wp-block-preformatted">mkdir /etc/wireguard
cd /etc/wireguard
umask 077</pre>
<h2 id="generate-key-pairs">Generate Key Pairs</h2>
<p>Generate the private key, then derive the public key from it. The private key never leaves the host it was generated on; only the public key is copied to the other peer.</p>
<pre class="wp-block-preformatted">$ wg genkey > /etc/wireguard/privatekey
$ wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey</pre>
<p>Alternatively, this can be done in one go:</p>
<pre class="wp-block-preformatted">wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey</pre>
<p>There is a <a href="https://github.com/warner/wireguard-vanity-address">vanity address generator</a>, which might be of interest to some. You can also generate a pre-shared key: an extra 32-byte symmetric secret that is mixed into the handshake. It adds a layer of protection should the Curve25519 key exchange ever be broken, for instance by a future quantum computer, which is why the Wireguard documentation describes it as post-quantum resistance:</p>
<pre class="wp-block-preformatted">wg genpsk > psk</pre>
<p>The same value goes into the server’s and the client’s <em>[Peer]</em> sections, so you only need to run the command once; copy it to the other peer over a secure channel (for example SSH), not by email or chat. A pre-shared key belongs to one pair of peers, so use a different one for each client.</p>
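<p>What these commands actually produce, as an added example that is not part of the original article or of the Wireguard project: a Wireguard key is 32 bytes encoded as 44 base64 characters, a private key is 32 random bytes with the Curve25519 clamping bits applied, and the public key is X25519(private, 9). The Python below re-implements <em>wg genkey</em>, <em>wg pubkey</em> and <em>wg genpsk</em> with the RFC 7748 Montgomery ladder so you can see exactly what the tool emits, and it includes a strict validator for key strings pasted into a config (a 43-character string, for example, is not a key). The function names are mine. It is a readable reference, not constant-time, so generate the keys you deploy with <em>wg</em>.</p>

```python
"""What `wg genkey`, `wg pubkey` and `wg genpsk` produce, in plain Python.

Added example, not code from the article or the WireGuard project. A WireGuard key is
32 bytes, base64-encoded to 44 characters. A private key is 32 random bytes with the
Curve25519 clamping bits applied; the public key is X25519(private, 9). The X25519 here
is the RFC 7748 Montgomery ladder written for readability, not constant time: use it to
understand or to validate keys, and let `wg` generate the ones you deploy.
"""
import base64
import binascii
import os

P = 2**255 - 19                         # the field prime
A24 = 121665                            # (486662 - 2) / 4, the ladder constant
BASEPOINT = (9).to_bytes(32, "little")  # u = 9, the X25519 base point

def decode_key(text):
    """Strictly decode a WireGuard key string; raise ValueError if it is malformed."""
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"key is {len(raw)} bytes, expected 32")
    return raw

def encode_key(raw):
    return base64.b64encode(bytes(raw)).decode("ascii")

def key_from_hex(hexstr):
    """Convenience for test vectors given in hex (RFC 7748 style)."""
    return encode_key(bytes.fromhex(hexstr))

def is_valid_key(text):
    try:
        decode_key(text)
        return True
    except ValueError:
        return False

def clamp(k):
    """Curve25519 scalar clamping: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k

def x25519(k, u):
    """RFC 7748 X25519(k, u): Montgomery ladder over GF(2^255 - 19)."""
    scalar = int.from_bytes(clamp(k), "little")
    u = bytearray(u)
    u[31] &= 127                        # decodeUCoordinate masks the top bit
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                        # conditional swap (a branch: not constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_genkey():
    """Like `wg genkey`: 32 random bytes, clamped, base64."""
    return encode_key(clamp(os.urandom(32)))

def wg_genpsk():
    """Like `wg genpsk`: 32 random bytes, base64 (symmetric, so no clamping)."""
    return encode_key(os.urandom(32))

def wg_pubkey(private_key):
    """Like `wg pubkey`: X25519(private, basepoint)."""
    return encode_key(x25519(decode_key(private_key), BASEPOINT))

def shared_secret(my_private, their_public):
    """The static-static DH both peers can compute; one of several DH inputs to the handshake."""
    return encode_key(x25519(decode_key(my_private), decode_key(their_public)))

if __name__ == "__main__":
    priv = wg_genkey()
    print("private:", priv, "public:", wg_pubkey(priv), "psk:", wg_genpsk(), sep="\n")
```

<p>Running the module prints a fresh private/public pair and a pre-shared key in the same format <em>wg</em> uses; <em>is_valid_key</em> is the check to run on any key string before it goes into <em>wg0.conf</em>, since <em>wg-quick</em> will only tell you about a bad key when the interface fails to come up.</p>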
<h2 id="configure-server-and-client">Configure Wireguard server and client</h2>
<p>Both the client and the server have an <em>[Interface]</em> section that sets the IP addresses assigned to the tunnel interface and the host’s own private key.</p>
<p>Each side also has a <em>[Peer]</em> section describing the other end: the remote peer’s <em>PublicKey</em>, the shared <em>PresharedKey</em>, and <em>AllowedIPs</em>, the addresses that Wireguard routes to that peer and, equally important, the only source addresses it will accept from that peer after decryption (cryptokey routing).</p>
<h3 id="server">Server</h3>
<p>On the server, a firewall rule opening the listening port is added when the interface comes up, along with masquerading so that the client’s traffic leaves through the server’s address; both are removed again when the interface goes down. Note the <em>/24</em> IPv4 range on the server’s <em>Address</em>, which differs from the client’s <em>/32</em>, and that <em>AllowedIPs</em> lists only the client’s single tunnel addresses (<em>/32</em> and <em>/128</em>). Edit the <em>/etc/wireguard/wg0.conf</em> file as follows, using the server’s tunnel address for <em>Address</em>, the client’s public key and tunnel addresses in the <em>[Peer]</em> section, and the output of <em>wg genpsk</em> for <em>PresharedKey</em>.</p>
<pre class="wp-block-preformatted">[Interface]
Address = 192.168.2.1/24, fd00:7::1/48
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
ListenPort = 51820

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs = 192.168.2.2/32, fd00:7::2/128</pre>
<p>Allow forwarding of IP packets by adding the following to <em>/etc/sysctl.conf</em>:</p>
<pre class="wp-block-preformatted">net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1</pre>
<p>Load the new settings:</p>
<pre class="wp-block-preformatted">$ sysctl -p</pre>
<p>Forwarding will be preserved after a reboot.</p>
<h3 id="client">Client</h3>
<p>The client configuration is very similar to the server’s, with an optional extra entry, <em>PersistentKeepalive</em>, set to 30 seconds. It keeps the NAT mapping alive when the client sits behind a NAT or stateful firewall, and may not be needed in your setup. Setting <em>AllowedIPs</em> to 0.0.0.0/0 and ::/0 routes all IPv4 and IPv6 traffic over the tunnel; list only the server’s tunnel subnet instead if you want a split tunnel. Edit the client’s <em>/etc/wireguard/wg0.conf</em> file as follows, using your client’s tunnel address for <em>Address</em>, the server’s public IP address at the <em>Endpoint</em>, and the same <em>PresharedKey</em> as in the server’s <em>[Peer]</em> section.</p>
<pre class="wp-block-preformatted">[Interface]
Address = 192.168.2.2/32, fd00:7::2/48
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SERVER_IP>:51820
PersistentKeepalive = 30</pre>
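<p>A consistency check for the two files above, added here as an example (not code from the article or from the Wireguard project): it parses both <em>wg-quick</em> configs and reports the mistakes that leave a tunnel silently dead, such as a <em>PresharedKey</em> that differs between the two ends, a key string that does not decode to 32 bytes, an <em>Endpoint</em> port that does not match <em>ListenPort</em>, an <em>AllowedIPs</em> entry with host bits set (wg masks fd00:7::2/48 to fd00:7::/48 and routes the whole prefix to that peer), and a full-tunnel client whose server does not masquerade. The sample configs, the dummy keys (32 repeated bytes) and the function names are mine, constructed for the example.</p>

```python
"""Cross-check a WireGuard server wg0.conf against a client wg0.conf.

Added example, not code from the article or the WireGuard project. It parses the wg-quick
INI format and flags what most often leaves a tunnel silently dead: malformed keys, a
PresharedKey that differs between the two ends, an Endpoint port that is not the server's
ListenPort, AllowedIPs with host bits set or not covering the client's address, and a
full-tunnel client whose server does not masquerade. The sample configs are constructed.
"""
import base64
import binascii
import ipaddress

def parse_wg_conf(text):
    """Hand-rolled INI parser, because configparser cannot hold repeated [Peer] sections."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Peer]":
            current = {}
            conf["Peer"].append(current)
        elif line == "[Interface]":
            current = conf["Interface"]
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ("Address", "AllowedIPs"):  # comma-separated lists
                current.setdefault(key, []).extend(v.strip() for v in value.split(","))
            else:
                current[key] = value
    return conf

def key_problem(label, value):
    """A WireGuard key is exactly 32 bytes of canonical base64, i.e. 44 characters."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return f"{label}: not valid base64 ({value!r})"
    return None if len(raw) == 32 else f"{label}: {len(raw)} bytes, expected 32"

def check_pair(server_text, client_text):
    """Findings for a one-client deployment; an empty list means the pair is consistent."""
    server, client = parse_wg_conf(server_text), parse_wg_conf(client_text)
    if not server["Peer"] or not client["Peer"]:
        return ["both configs need a [Peer] section"]
    s_if, c_if, s_peer, c_peer = server["Interface"], client["Interface"], server["Peer"][0], client["Peer"][0]
    findings = []
    for side, iface, peer in (("server", s_if, s_peer), ("client", c_if, c_peer)):
        for sect, field in ((iface, "PrivateKey"), (peer, "PublicKey"), (peer, "PresharedKey")):
            problem = key_problem(f"{side} {field}", sect[field]) if field in sect else None
            if problem:
                findings.append(problem)
    # Cryptokey routing: the server accepts the client's packets only from addresses inside
    # AllowedIPs, and wg silently masks host bits, so fd00:7::2/48 becomes all of fd00:7::/48.
    allowed = s_peer.get("AllowedIPs", [])
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for entry, net in zip(allowed, nets):
        if ipaddress.ip_interface(entry).ip != net.network_address:
            findings.append(f"server AllowedIPs {entry} has host bits set (wg uses {net}); one client wants /32 or /128")
    for addr in c_if.get("Address", []):
        ip = ipaddress.ip_interface(addr).ip
        if not any(ip in n for n in nets):
            findings.append(f"client address {ip} is outside every server AllowedIPs entry; its packets are dropped")
    if s_peer.get("PresharedKey") != c_peer.get("PresharedKey"):
        findings.append("PresharedKey differs between server and client [Peer]; the handshake will fail")
    port = c_peer.get("Endpoint", "").rsplit(":", 1)[-1]
    if port != s_if.get("ListenPort"):
        findings.append(f"client Endpoint port {port!r} != server ListenPort {s_if.get('ListenPort')!r}")
    if {"0.0.0.0/0", "::/0"} & set(c_peer.get("AllowedIPs", [])) and \
            "masquerade" not in s_if.get("PostUp", "").lower():
        findings.append("client routes all traffic via the tunnel but server PostUp does not masquerade "
                        "(forwarding also needs net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1)")
    return findings

# Constructed dummy keys (32 copies of one byte, base64) standing in for real key material.
K = {n: base64.b64encode(bytes([n]) * 32).decode() for n in range(1, 7)}
GOOD_SERVER = f"""[Interface]
Address = 192.168.2.1/24, fd00:7::1/48
PrivateKey = {K[1]}
ListenPort = 51820
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
[Peer]
PublicKey = {K[2]}
PresharedKey = {K[3]}
AllowedIPs = 192.168.2.2/32, fd00:7::2/128
"""
GOOD_CLIENT = f"""[Interface]
Address = 192.168.2.2/32, fd00:7::2/48
PrivateKey = {K[4]}
[Peer]
PublicKey = {K[5]}
PresharedKey = {K[3]}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""
# The same pair with five mistakes injected: truncated key, /48 for one host, no masquerade,
# a PSK that differs from the client's, and the client pointed at the wrong port.
BAD_SERVER = (GOOD_SERVER.replace(K[2], K[2][:-1]).replace("fd00:7::2/128", "fd00:7::2/48")
              .replace(" && firewall-cmd --zone=public --add-masquerade", ""))
BAD_CLIENT = GOOD_CLIENT.replace(K[3], K[6]).replace(":51820", ":51821")
```

<p>To check a real deployment, pass the contents of the server’s and the client’s <em>/etc/wireguard/wg0.conf</em> to <em>check_pair</em> and fix anything it reports before bringing the interface up; an empty result for the constructed good pair and five findings for the deliberately broken pair show what each check catches.</p>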
<h2 id="test-wireguard">Test Wireguard</h2>
<p>Start and check the status of the tunnel on both the server and client:</p>
<pre class="wp-block-preformatted">$ systemctl start wg-quick@wg0
$ systemctl status wg-quick@wg0</pre>
<p>To test the connections, try the following:</p>
<pre class="wp-block-preformatted">ping google.com
ping6 ipv6.google.com</pre>
<p>Then check external IP addresses:</p>
<pre class="wp-block-preformatted">dig +short myip.opendns.com @resolver1.opendns.com
dig +short -6 myip.opendns.com aaaa @resolver1.ipv6-sandbox.opendns.com</pre>
<hr class="wp-block-separator" />
<p>* <em>“Formally verified,” in this sense, means that the protocol design has been proved to have correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, channel binding, and resistance against replay, key compromise impersonation, and denial of service attacks. </em></p>
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/@blackzheng?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Black Zheng</em></a><em> on <a href="https://unsplash.com/@blackzheng?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></em>.</p>
</div>
https://www.sickgaming.net/blog/2019/10/...wireguard/