- Install Wireguard
aptitude install wireguard
- create keys for your node
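# Keys live next to wg0.conf. Chain with && so that a failed cd (e.g. the
# package did not install) stops here instead of dropping key files into the
# current directory. umask 077 is deliberately left in effect in this shell so
# that wg0.conf, created in the next step, is also readable by root only.
cd /etc/wireguard/ && umask 077 && wg genkey | tee wg0.key | wg pubkey > wg0.pub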
Next create the config file with `touch /etc/wireguard/wg0.conf` and make sure it is readable by root only (`chmod 600 /etc/wireguard/wg0.conf`), because it will contain the private key. Inside it you can put this:
#VPN — /etc/wireguard/wg0.conf (server side). Keep it mode 0600: it holds the private key.
[Interface]
# Tunnel address of this node. 192.168.1.0/24 is also the default LAN range of
# many home routers, so a client sitting on such a LAN would have an address
# clash — prefer a less common private range if you can still change it.
Address = 192.168.1.1/24
# Keep false so wg-quick never rewrites this file from runtime state; peers are
# added by appending to the file instead.
SaveConfig = false
# UDP port the server listens on; must match WG_PORT in the iptables helpers.
ListenPort = 12345
# Contents of wg0.key (generated above) — the .key file, never the .pub file.
PrivateKey = HERE__IS_WHATS_IN_wg0.key
# Firewall hooks run by wg-quick when the interface comes up / goes down.
PostUp = /etc/wireguard/helper/add-wg0.sh
PostDown = /etc/wireguard/helper/remove-wg0.sh
Next let's tune iptables and open the WireGuard port. We do it with the two hook scripts referenced by PostUp/PostDown above, so create the directory first (`mkdir -p /etc/wireguard/helper`) and save them there as add-wg0.sh and remove-wg0.sh. Note that forwarding between wg0 and eth0 only works if IP forwarding is enabled on the server (`sysctl net.ipv4.ip_forward` must report 1).
add-wg0.sh
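#!/bin/bash
# add-wg0.sh — PostUp hook for wg0: NAT the tunnel subnet out of eth0, allow
# forwarding between wg0 and eth0 and open the WireGuard UDP port.
# The rule specs below must stay byte-identical to those in remove-wg0.sh,
# which deletes them again with `iptables -D` on PostDown.
set -euo pipefail

IPT="iptables"
IN_FACE="eth0"           # NIC connected to the internet
WG_FACE="wg0"            # WG NIC
SUB_NET="192.168.1.0/24" # WG IPv4 sub/net aka CIDR; must match Address in wg0.conf
WG_PORT="12345"          # WG udp port; must match ListenPort in wg0.conf

# Forwarded packets are silently dropped by the kernel unless this is on.
# It is a host-wide setting and is intentionally NOT reverted by remove-wg0.sh
# (other services may rely on it); set it permanently in /etc/sysctl.d/ too.
sysctl -q -w net.ipv4.ip_forward=1

# insert_rule <table> <chain> <rule spec...>
# Insert at position 1, but only if an identical rule is not already present,
# so running the hook twice (e.g. after a failed PostDown) does not stack
# duplicate rules.
insert_rule() {
  local table="$1" chain="$2"
  shift 2
  "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null \
    || "$IPT" -t "$table" -I "$chain" 1 "$@"
}

# append_rule <table> <chain> <rule spec...>
# Same idempotence guard, but the rule goes to the end of the chain.
append_rule() {
  local table="$1" chain="$2"
  shift 2
  "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null \
    || "$IPT" -t "$table" -A "$chain" "$@"
}

## IPv4 ##
# Source-NAT tunnel clients behind the server's public address.
insert_rule nat POSTROUTING -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
# NOTE: this lets every peer reach every service listening on this host;
# restrict it to the ports you actually serve if peers are not fully trusted.
insert_rule filter INPUT -i "$WG_FACE" -j ACCEPT
# Stateless in both directions; a tighter variant would limit eth0->wg0 to
# `-m conntrack --ctstate RELATED,ESTABLISHED` (mirror any change in remove-wg0.sh).
insert_rule filter FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
insert_rule filter FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
insert_rule filter INPUT -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT
# Catch-all at the end of FORWARD: tunnel traffic not matched by the
# wg0->eth0 ACCEPT above (peer-to-peer via wg0, other NICs) is dropped.
append_rule filter FORWARD -i "$WG_FACE" -s "$SUB_NET" -j DROP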
remove-wg0.sh
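#!/bin/bash
# remove-wg0.sh — PostDown hook for wg0: delete exactly the rules that
# add-wg0.sh installed. The rule specs must stay byte-identical to add-wg0.sh.
# No `set -e` on purpose: if one rule is already gone, keep removing the rest.
# net.ipv4.ip_forward is deliberately left as-is (host-wide setting).
set -uo pipefail

IPT="iptables"
IN_FACE="eth0"           # NIC connected to the internet
WG_FACE="wg0"            # WG NIC
SUB_NET="192.168.1.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="12345"          # WG udp port

# del_rule <table> <chain> <rule spec...>
# Delete while an identical rule exists (this also drains duplicates left
# behind if add-wg0.sh ran more than once); silent when the rule is absent.
del_rule() {
  local table="$1" chain="$2"
  shift 2
  while "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; do
    "$IPT" -t "$table" -D "$chain" "$@" || break
  done
}

# IPv4 rules #
del_rule nat POSTROUTING -s "$SUB_NET" -o "$IN_FACE" -j MASQUERADE
del_rule filter INPUT -i "$WG_FACE" -j ACCEPT
del_rule filter FORWARD -i "$IN_FACE" -o "$WG_FACE" -j ACCEPT
del_rule filter FORWARD -i "$WG_FACE" -o "$IN_FACE" -j ACCEPT
del_rule filter INPUT -i "$IN_FACE" -p udp --dport "$WG_PORT" -j ACCEPT
del_rule filter FORWARD -i "$WG_FACE" -s "$SUB_NET" -j DROP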
Don't forget to make both hook scripts executable:
chmod +x /etc/wireguard/helper/add-wg0.sh /etc/wireguard/helper/remove-wg0.sh
Then enable, start and check the service:
systemctl enable wg-quick@wg0
-
systemctl start wg-quick@wg0
-
systemctl status wg-quick@wg0
Now let's add a helper script for creating peers. It needs qrencode for the QR codes, so install it first: aptitude install qrencode
Then create wg_create_wg0 (for example in /usr/local/sbin), make it executable with chmod +x, and fill in the placeholders between the ##### lines (DNS server, endpoint host:port and the server public key from wg0.pub):
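#!/bin/bash
# wg_create_wg0 — register a new peer on wg0 and hand out its client config.
#
# Asks for a label and a tunnel IP, generates the client key pair, appends a
# [Peer] block to /etc/wireguard/wg0.conf, reloads wg-quick@wg0 and prints the
# full client config as a QR code.
#
# The client PRIVATE key exists only in this process and in the QR code on
# your terminal (including scrollback) — it is never stored on the server.
# Clear the terminal afterwards; re-run the script to re-issue a peer.
# Must run as root. Fill in the placeholders between the ##### lines first.
set -euo pipefail

echo "nickname"
read -r wg_nickname
echo "ip (192.168.1.2 etc):"
read -r wg_ip
wg_net="/32"
###############################################################
wg_dns="YOUR_DNS_HERE"
wg_iface="wg0"
wg_endpoint="YOUR_ENDPOINT:ANDPORT"
wg_s_pubkey="HERE__IS_WHATS_IN_wg0.pub"
###############################################################
wg_conf="/etc/wireguard/${wg_iface}.conf"

# Fail early, before any key is generated or anything is written.
if [[ $EUID -ne 0 ]]; then
  echo "error: must run as root (writes ${wg_conf})" >&2
  exit 1
fi
if [[ ! -w "$wg_conf" ]]; then
  echo "error: ${wg_conf} is missing or not writable" >&2
  exit 1
fi

# A malformed address would produce an unparsable AllowedIPs line and make the
# reload fail only AFTER the config has been modified — check the format
# (dotted quad, every octet 0-255) first.
if [[ ! "$wg_ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  echo "error: '${wg_ip}' is not an IPv4 address" >&2
  exit 1
fi
IFS=. read -r o1 o2 o3 o4 <<<"$wg_ip"
for octet in "$o1" "$o2" "$o3" "$o4"; do
  if (( 10#$octet > 255 )); then
    echo "error: '${wg_ip}' is not an IPv4 address" >&2
    exit 1
  fi
done

# WireGuard routes a given AllowedIPs entry to one peer only, so a second peer
# with the same /32 would conflict with the existing one instead of adding to it.
if grep -qF "AllowedIPs = ${wg_ip}${wg_net}" "$wg_conf"; then
  echo "error: ${wg_ip} is already assigned to a peer in ${wg_conf}" >&2
  exit 1
fi

# Client key pair: the private half goes only into the QR code below.
wg_c_private="$(wg genkey)"
wg_c_public="$(printf '%s\n' "$wg_c_private" | wg pubkey)"

# Client side: full-tunnel config. AllowedIPs = 0.0.0.0/0 sends all of the
# client's IPv4 through the server; IPv6 is not covered and keeps leaving the
# client directly unless ::/0 (and an IPv6 setup on the server) is added.
wg_client_full="
[Interface]
PrivateKey = ${wg_c_private}
Address = ${wg_ip}/24
DNS = ${wg_dns}
[Peer]
PublicKey = ${wg_s_pubkey}
AllowedIPs = 0.0.0.0/0
Endpoint = ${wg_endpoint}
PersistentKeepalive = 60
"

# Server side: this peer may only use its single /32 inside the tunnel.
wg_server_full="
# ${wg_nickname}
[Peer]
PublicKey = ${wg_c_public}
AllowedIPs = ${wg_ip}${wg_net}
"

printf '%s\n' "$wg_server_full" >> "$wg_conf"
# Under set -e a failed reload aborts here: the peer is already in the file,
# so the error is visible instead of a QR code being handed out for a peer
# the running interface does not know about.
systemctl reload "wg-quick@${wg_iface}"
printf '%s\n' "$wg_client_full" | qrencode -t ansiutf8
exit 0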
Each time you run this script it asks for a "nickname" (any label for the peer) and for the peer's tunnel IP address. It then appends the peer to wg0.conf, reloads the service and displays a QR code that can be scanned with the WireGuard app on a phone. Two caveats: the client's private key appears only in that QR code (and in your terminal scrollback), so treat the terminal output as a secret and clear it afterwards; and because the client config uses AllowedIPs = 0.0.0.0/0 only, IPv4 traffic is tunnelled while any IPv6 traffic on the client keeps going out directly.
Another way: you can generate the private/public key pair on the phone and then just add a [Peer] block for its public key into wg0.conf:
# someuser
# One [Peer] block per client; the label above is only a comment.
[Peer]
# The client's public key only — its private key stays on the phone.
PublicKey = CLIENTS_PUBLIC_KEY
# The single tunnel address this key may use (/32); must be unique per peer.
AllowedIPs = 192.168.1.2/32