User Tools

WireGuard

WireGuard is a modern VPN tunnel solution which is quickly taking the place of OpenVPN. Some of the strong key points of WireGuard are, beside a supposedly more secure implementation, the ease of setup and how it simply merge with the overall linux network management.

WireGuard will create an encrypted and protected tunnel between hosts, where each host act as a peer. You need to have at least one host reachable from all the others, of course, but then WireGuard will create a common subnetwork on which all the hosts will see each other.

Concepts

You should be fmailiar with basic networking concepts like routing, subnets, addresses.

A subnet is a portion of a network where all the hosts can ping each other without the need of a gateway. Routing is the act of sending out network packets from a specific network interface toward the destination of the packet. On a subnet, routing is always direct for hosts on the same subnet, otherwise routing happens trough a gateway.

All VPNs work by creating an encrypted tunnel between it's peers. This tunnel needs to be initiated from one host to the other (or viceversa) and whatever traffic flows inside the tunnes is not intellegible to anyone else because it's, guess what, encrypted.

To perform the encryption at both ends, some encryption keys needs to be shared. The approach used by WireGuard is to use the private/public key pairs: each host has one private key (which is by definition, not shared) and public key (which is shared with all the other hosts). The private/public technology ensures that the identity of the host is verified because only the private key can encrypt what the public key can decrypt.

Installation

These steps need to be followed on every host that participate in the WireGuard tunnel.

Installing WireGuard on Gentoo is pretty easy since the latest release is always in portage, but you will also need nftables if you plan to do port-forwarding or any advanced networking: 

emerge -v net-vpn/wireguard-tools net-firewall/nftables

Create local host private and public keys: 

wg genkey > /etc/wireguard/privatekey
wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
chmod 500 /etc/wireguard/privatekey /etc/wireguard/publickey

You will need these two keys for the configuration below.

Configuration

A WireGuard tunnel can connect two or more hosts. A tunnel is usually called wg0 or wg1 and so on. Each tunnel has it's own config file located at /etc/wireguard/wg0.conf. Please note that the following instructions need to be applied to each host in the tunnel.

So, create the tunnel config at /etc/wireguard/wg0.conf:

wg0.conf
[Interface]
PrivateKey = << local host private key >>
Address = 10.100.0.1/24
ListenPort = << local host port >> 

[Peer]
PublicKey = << remote host public key >>
Endpoint = << remote host public IP >>:<< remote host port >>
AllowedIPs = 10.100.0.2/24 #
PersistentKeepAlive = 25

Where:

  • You can have as many peers as you need to connect to the local host, just create one [Peer] block for each one.
  • The PrivateKey is the local host private key
  • The Address is the local host address on the tunnel subnetwork (usually, a new subnet you are not using already)
  • The ListenPort is the port on which the local host can be reached from the remote hosts. This can be omitted if the local host is not reacheable from the remote hosts
  • The PublicKey is the remote host public key
  • The Endpoint is the remote host public IP and open port, omit if the remote host cannot be reached from the local host
  • The AllowedIPs limits which hosts can send data to the local host, in case you have more than one machine connecting trough the remote host, for example
  • The PersistentKeepAlive is usefull to help keep the tunnel connected by sending a keekalive e forcing a reconnection.

Each host connecting to the WireGuard tunnel will need one of these files. These configuration files should usually be symmetrical to each other.

Link the startup scripts and set it to start on boot: 

ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
rc-update add wg-quick.wg0 default

Remote access

There are tons of WireGuard tutorials online on how to use WireGuard to connect your mobile device securely to your home network, i do not plan to cover this topic here.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also, you acknowledge that you have read and understand our Privacy Policy. If you do not agree, please leave the website.

More information