Setup Wireguard with IPv4 and IPv6

Wireguard a fast, modern and secure vpn solution

In this blog post, I am going to write about how to installed and set up your own wireguard VPN at home. The reasons to set up a VPN server at home can be to have your own VPN when you are out on insecure networks, or you want to connect to your local servers without port forwarding them.

Wireguard is the big new hype when it comes to VPNs; various VPN providers have begun to provide Wireguard in combination with OpenVPN. Wireguard is incredible for its speed and simplicity.

What is Wireguard

Wireguard is a very opinionated VPN software which aims to be fast, modern and secure. The codebase is less than 5000 LOC instead of over 70 000 LOC like OpenVPN. Wireguard is also a peer-to-peer VPN instead of using the server-client architecture like many other VPN solutions are using; this means that every peer in the VPN can be a client or a server. In this blog post, I’m going to refer to the exit node as the server and the other nodes as clients.

Wireguard was written initially to be used to maintain access to a network after a computer on the network was compromised, Because of this Wireguard was built to not to be detected in a compromised network, so it aims to be as silent on the network as possible and only talks to the client and servers when actual data is going through.

For a better explanation of what Wireguard is I Recommend watching this video: WireGuard: Next Generation Secure Network Tunnel

Install Wireguard

Wireguard was in Linux Kernel 5.6 implemented into the Linux kernel (Ubuntu backported it to Linux Kernel 5.4 for Ubuntu 20.04), so this means that you don’t need to recompile kernels to use Wireguard with your system if you have a newer Kernel version. You can check your Kernel version with uname -a

To install Wireguard on Ubuntu 20.04 just run

1
2
$ sudo apt update
$ sudo apt install wireguard

Generate Private / Public keys

Wireguard connects the client and the server with the use of Private / Public keys similar to how SSH keys work.

To generate a private and public key just run the command below

1
2
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey

You need one pair of keys on the server and one pair for each client you want to connect to the server.

Server Config

When you have your private key, copy it to the clipbord and open up the wireguard config with

1
2
$ touch /etc/wireguard/wg0.conf
$ nano /etc/wireguard/wg0.conf

The commands over will create and open a new config file for Wireguard. Start the file with the [Interface] tag, this indicate that to wireguard that the config under is to configure the interface. The config file name is also gone be used as the name for the wireguard interface, so her the name is wg0.

1
2
3
4
5
6
[Interface]
Address = 10.10.10.1/24, 2b06:dead:beef:c0ffe::1001/64
ListenPort = 51820
PrivateKey = +L9qfpAXX8qC6efveE7//REJ4P1D3djNHfo1NRo1NGo=
PostUp = IPtables -A FORWARD -i %i -j ACCEPT; IPtables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; IP6tables -A FORWARD -i %i -j ACCEPT; IP6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = IPtables -D FORWARD -i %i -j ACCEPT; IPtables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; IP6tables -D FORWARD -i %i -j ACCEPT; IP6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
  • Address is the IP address that the interface will get assigned and the IP address that the will be used to communicate between the peers in the VPN connection.

    • The IP address in the network needs to be unique from the LAN address that both peers use, so make it some high number unlikely to be used by network admins.
    • The IPv6 address assigned here is the address block that the network have from your ISP.
  • ListenPort Is the port that each peer will open to communicate with each other. it is normally for only the server to use this , and the clients use a random port for each connection. The port 51820 is the most used port for Wireguard however you can choose any port you want to use. This port needs to be opened up on the firewall.

  • The PrivateKey field is where the private key that was generated earlier and copied to the clipboard will be pasted.

  • PostUp Is one or a chain of commands that is run when the interface is turned on. PostUp often used with IPtables to add routing within a NAT and to activate IPv4 and IPv6 forwarding.

  • PostDown is the same as PostUp However often used to reverse the effects that PostUp have set up when the interface is taken down.

1
2
3
[Peer]
PublicKey = MW7/zKvoA+WxZEgbfGtmy1fmsfD0mz0Emlx/yezMtkk=
AllowedIPs = 10.10.10.2/32, 2b06:dead:beef:c0ffe::1002/128

For every client that you wants to connect to the server, a peer config, in the server config is needed. Under the Peer section of the config the PublicKey and the AllowedIPs is needed to make it work

  • PublicKey is the Public key that was generated on the client computer

  • AllowedIPs is the IP addresses that the server is allowed to talk to on that peer. It is recommended using a /32 for IPv4 and a /128 for IPv6.

Client Config

The client config is almost identical to the server config, and there are just some adjustments to make it behave more like a client then a server.

The config can be located under /etc/wireguard/, as with the server you can name the config file what you want the interface to be named. the common naming pattern is to call it wg0.conf

1
2
3
4
5
6
7
8
9
[Interface]
Address = 10.10.10.2/24, 2b06:dead:beef:c0ffe::1002/64
PrivateKey = +PbSi3catHToOMmlWyuy8b5+9qpHbIjZLSVhAoNDgkM=

[Peer]
PublicKey = z7CWKZGxiXQafhcfXOOtGiUuXFqyyjNSiOAIPSHFfyY=
Endpoint = 5.4.3.2:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 30

Under the [Interface] the Address for that client is specified with the PrivateKey for that client.

  • Address is the address for this client and the network that it is connecting to in the tunnel
  • PrivateKey is the key that was generated for the client

Under [Peer] more is happening than in the server config, her the connection to the server and what IPs that is routed through the VPN.

  • PublicKey This is where the Public key for the server is going.

  • Endpoint is the IP and the port to the server

  • AllowedIPs is deciding what IPs that is routed through the VPN tunnel, if you want all network to go through the tunnel then allowed 0.0.0.0/0 and ::/0 her; else you can spesifie the local network on the server side 192.168.1.1/24

  • PersistentKeepalive is used if the server is behind NAT to keep the connection to the clients. This will make the client send a Keepalive packet every 30 seconds to keep connection more stable.

Enable routing for IPv4 and IPv6

To make wireguard able to forward packets from the client thorough the server and out to the network, IP forwarding must be activated on both IPv4 and on IPv6. To activate IP forwarding edit /etc/sysctl.conf and then add these lines to the file.

1
2
3
net.IPv4.IP_forward = 1

net.IPv6.conf.all.forwarding = 1

Activate the changes with the command under

1
$ sysctl -p /etc/sysctl.conf

net.IPv6.conf.all.forwarding = 1 Will disable IPv6 Stateless Address Autoconfiguration based on Router Advertisements for this host

Open firewall

If the server is behind NAT you need to open up the port that was chosen on the ListenPort in the server config

On ubuntu the server firewall can be open with these commands

1
2
3
$ ufw allow <wireguard-port>\udp
$ ufw enable
$ ufw status

Remember to allow your ssh port before enabling the firewall, so you don't lose the connection to your ssh connection

Debug Wireguard

Turn on Wireguard logging to syslog

1
$ echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control

Turn off Wireguard logging to syslog

1
$ echo 'module wireguard -p' | sudo tee /sys/kernel/debug/dynamic_debug/control

Conclusion

So now that you have set up a VPN server, you can both surf with a little more confidence at the local coffee shop or when you need access to some server at home that you don’t want to open the port to in the network.

vpn  network 

See also