=====Ubuntu 18.04 LTS - Wireguard =====
[[https://www.wireguard.com/|Wireguard]] installation on a PC Engines APU running Ubuntu 18.04 LTS.
====Server====
* Install hardware, see [[https://wiki.polaire.nl/doku.php?id=apu_ubuntu|Ubuntu on PC Engines]]
* Configure networking: ''/etc/netplan/01-netcfg.yaml''
<code yaml>
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      addresses:
        - 192.168.1.20/24
      gateway4: 192.168.1.1
      nameservers:
        search: [lan]
        addresses: [192.168.1.53]
</code>
* Apply settings:
<code bash>
netplan apply
</code>
* Install netfilter-persistent (the ''iptables-persistent'' package provides it):
<code bash>
apt install iptables-persistent
</code>
* Configure iptables. Whatever host rules you use, allow inbound UDP on the port you will set as ''ListenPort'' below, otherwise peers can never complete a handshake:
<code bash>
iptables -A ...
netfilter-persistent save
</code>
* Install the PPA and Wireguard:
<code bash>
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update
sudo apt install wireguard qrencode
</code>
* Reboot, then confirm the kernel module loads. Remove the test interface again afterwards, otherwise ''wg-quick up wg0'' below fails because ''wg0'' already exists:
<code bash>
ip link add dev wg0 type wireguard
lsmod | grep wire
ip link del dev wg0
</code>
* Generate the server keys. Run this in ''/etc/wireguard'' (with ''umask 077'' the files are readable by root only); the contents of ''privatekey'' go into the ''PrivateKey'' line of the config below, and ''publickey'' is what every client needs:
<code bash>
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
</code>
* Configure Wireguard ''/etc/wireguard/wg0.conf'' (fill in the UDP port you opened in iptables and the private key generated above):
<code ini>
[Interface]
Address = 192.168.2.1/24
SaveConfig = true
PostUp = /usr/local/bin/wg-iptables.sh %i up
PreDown = /usr/local/bin/wg-iptables.sh %i down
ListenPort =
PrivateKey =
</code>
''SaveConfig = true'' makes ''wg-quick down'' write the running configuration back to this file, which is how peers added with ''wg set'' (see the client section) survive a restart. The flip side: edits made to the file while the interface is up are overwritten, so bring the interface down before editing.
* Change mode bits (the file now contains the private key):
<code bash>
chmod 600 /etc/wireguard/wg0.conf
</code>
* Add iptables script ''/usr/local/bin/wg-iptables.sh'' and make it executable (''chmod 755''). Ubuntu's FORWARD policy defaults to ACCEPT; if the rules from the iptables step set it to DROP, the second rule in each pair is what lets replies back into the tunnel:
<code bash>
#!/bin/bash
# Called by wg-quick: PostUp/PreDown pass the interface name (%i) as $1 and
# "up" or "down" as $2.
set -u
WGINT=${1:-}
OUTINT=enp1s0          # uplink/LAN interface from the netplan config
ACTION=${2:-}

if [ -z "${WGINT}" ]; then
    echo "Usage: $0 <wg-interface> {up|down}" >&2
    exit 1
fi

case "${ACTION}" in
up)
    # Forward tunnel traffic out, let established/related replies back in,
    # and hide the tunnel addresses behind the APU's address on ${OUTINT}.
    iptables -A FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    iptables -A FORWARD -i "${OUTINT}" -o "${WGINT}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ip6tables -A FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    ip6tables -A FORWARD -i "${OUTINT}" -o "${WGINT}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -t nat -A POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ;;
down)
    # Remove exactly the rules added above, so a later "up" does not stack duplicates.
    iptables -D FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    iptables -D FORWARD -i "${OUTINT}" -o "${WGINT}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -D POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ip6tables -D FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    ip6tables -D FORWARD -i "${OUTINT}" -o "${WGINT}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -t nat -D POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ;;
*)
    echo "Usage: $0 <wg-interface> {up|down}" >&2
    exit 1
    ;;
esac
</code>
* Allow forwarding. Write the file rather than append to it so re-running the step does not pile up duplicate lines. The ip6tables rules in the script only take effect if you also set ''net.ipv6.conf.all.forwarding=1''; as written this setup forwards IPv4 only:
<code bash>
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/forward.conf
sysctl -p /etc/sysctl.d/forward.conf
</code>
* Start interface:
<code bash>
wg-quick up wg0
</code>
* Enable the interface at boot:
<code bash>
systemctl enable wg-quick@wg0
</code>
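Once the interface is up it is easy to end up with a tunnel that handshakes but forwards nothing, because one of three things is missing: the forwarding sysctl, the MASQUERADE rule, or the peer actually connecting. The check script below is an added example for this page, not part of the original write-up. It parses the table that ''wg show wg0 latest-handshakes'' prints and flags peers that never connected or have gone quiet, then confirms the forwarding sysctl and the NAT rule that ''wg-iptables.sh'' installs. The interface and uplink names come from this page; the 180-second staleness threshold is an assumption based on WireGuard rekeying roughly every two minutes while traffic flows.

```shell
#!/bin/bash
# wg-check.sh: post-install health check for the wg0 server described above.
# Added example, not part of the original page. Assumes the interface, uplink
# and subnet used on this page (wg0, enp1s0, 192.168.2.0/24) and that the
# MASQUERADE rule was added by wg-iptables.sh. Save as /usr/local/bin/wg-check.sh.
set -eu

WG_IF=wg0
OUTINT=enp1s0
STALE_AFTER=180   # seconds; assumption: a peer with traffic rekeys about every 2 min

# Print peers whose last handshake is older than STALE_AFTER seconds or never
# happened (epoch 0). $1 is the output of "wg show wg0 latest-handshakes"
# (one "<pubkey><TAB><epoch>" line per peer), $2 is the current epoch time;
# both are parameters so the function can be exercised on constructed input.
stale_peers() {
    local handshakes="$1" now="$2" pub ts age
    printf '%s\n' "$handshakes" | while read -r pub ts; do
        if [ -z "$pub" ] || [ -z "$ts" ]; then
            continue
        fi
        if [ "$ts" -eq 0 ]; then
            printf '%s never\n' "$pub"
        else
            age=$((now - ts))
            if [ "$age" -gt "$STALE_AFTER" ]; then
                printf '%s %ss\n' "$pub" "$age"
            fi
        fi
    done
}

# Without this knob the kernel drops forwarded packets before the FORWARD
# chain is consulted, so the tunnel comes up but nothing behind it is reachable.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# iptables -C exits 0 only if an identical rule is present; this is the rule
# wg-iptables.sh adds on PostUp.
check_nat() {
    iptables -t nat -C POSTROUTING -o "$OUTINT" -j MASQUERADE 2>/dev/null
}

main() {
    local stale rc=0
    check_forwarding || { echo "FAIL: net.ipv4.ip_forward is 0"; rc=1; }
    check_nat || { echo "FAIL: no MASQUERADE rule on ${OUTINT}"; rc=1; }
    stale=$(stale_peers "$(wg show "$WG_IF" latest-handshakes)" "$(date +%s)")
    if [ -n "$stale" ]; then
        echo "peers without a recent handshake (pubkey age):"
        echo "$stale"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: forwarding on, NAT present, all peers handshaking"
    return "$rc"
}

# Run the checks only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in
    wg-check.sh) main ;;
esac
```

Run it as root after ''wg-quick up wg0'' and again after the first client has scanned its QR code: a peer listed as ''never'' has a key or endpoint problem on the client side, a peer with a large age has stopped rekeying, and a non-zero exit makes the script usable from a cron job or monitoring hook.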
====Client / peer====
* Generate client config. The client's own private key and address go in ''[Interface]''; the server's public key (''publickey'' from the server step) and the server's public address and ''ListenPort'' go in ''[Peer]''. ''AllowedIPs = 0.0.0.0/0'' routes all client traffic through the tunnel, which is what the MASQUERADE rule on the server is for; narrow it to the LAN prefixes if the client should only reach the LAN:
<code bash>
umask 077
CLIENT=client1
wg genkey | tee privatekey-${CLIENT} | wg pubkey > publickey-${CLIENT}
cat > wg-${CLIENT}.conf <<EOF
[Interface]
PrivateKey = $(cat privatekey-${CLIENT})
Address = 192.168.2.2/32

[Peer]
PublicKey = $(cat publickey)
# server public address or hostname, followed by :ListenPort
Endpoint =
AllowedIPs = 0.0.0.0/0
EOF
</code>
* Generate a QR-code and scan it with your client. The code contains the client's private key, so display it on a trusted screen and remove the ''privatekey-*'' and ''wg-*.conf'' files once the client has imported them:
<code bash>
qrencode -t ansiutf8 < wg-${CLIENT}.conf
</code>
* Add the peer to the server. This takes effect immediately on the running interface and is persisted to ''wg0.conf'' by ''SaveConfig'' on the next ''wg-quick down''; the ''allowed-ips'' must match the client's ''Address'':
<code bash>
wg set wg0 peer $(cat publickey-${CLIENT}) allowed-ips 192.168.2.2/32
</code>
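Repeating the client steps by hand for every device means keeping track of which 192.168.2.x addresses are already handed out. The script below is an added example, not from the original page: it generalizes the client1 steps into one command that picks the next free host address from ''wg show wg0 allowed-ips'', generates the keypair, writes the client config and registers the peer on the running interface. It assumes the server keys were generated in ''/etc/wireguard'', that clients should use the LAN resolver 192.168.1.53 from the netplan config, and that the server's public ''host:port'' is passed on the command line; none of these are stated on the page.

```shell
#!/bin/bash
# wg-add-peer.sh: provision one client end to end for the wg0 server above:
# pick the next free address in 192.168.2.0/24, generate the keypair, write
# the client config and register the peer on the running interface.
# Added example, not part of the original page. Assumptions: the server keys
# were generated in /etc/wireguard (so the server's public key is
# /etc/wireguard/publickey), the DNS server is the LAN resolver from the
# netplan config, and the public endpoint is passed on the command line.
# Usage: wg-add-peer.sh <client-name> <public-host-or-ip>:<ListenPort>
set -eu

WG_IF=wg0
VPN_NET=192.168.2                               # first three octets of wg0's /24
SERVER_PUBKEY_FILE=/etc/wireguard/publickey     # assumed location, see above
CLIENT_DNS=192.168.1.53                         # LAN resolver from the netplan config

# Lowest unused host address in the /24. $1 is the output of
# "wg show wg0 allowed-ips" (one "<pubkey><TAB><cidr> ..." line per peer).
# .1 is the server itself and .255 is broadcast, so candidates are .2 to .254.
next_client_ip() {
    local allowed_ips="$1" n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$allowed_ips" | grep -qFw "${VPN_NET}.${n}/32"; then
            printf '%s.%s\n' "$VPN_NET" "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in ${VPN_NET}.0/24" >&2
    return 1
}

# Render the wg-quick config the client imports. AllowedIPs = 0.0.0.0/0 sends
# all client traffic through the APU, which the MASQUERADE rule in
# wg-iptables.sh handles; PersistentKeepalive keeps the client's NAT mapping
# alive so the server can still reach it when the client is idle.
render_client_conf() {
    local client_priv="$1" client_ip="$2" server_pub="$3" endpoint="$4"
    cat <<EOF
[Interface]
PrivateKey = ${client_priv}
Address = ${client_ip}/32
DNS = ${CLIENT_DNS}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Needs root and a running wg0. Writes wg-<name>.conf into the current directory.
provision_peer() {
    local name="$1" endpoint="$2" ip priv pub
    umask 077
    ip=$(next_client_ip "$(wg show "$WG_IF" allowed-ips)")
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    render_client_conf "$priv" "$ip" "$(cat "$SERVER_PUBKEY_FILE")" "$endpoint" > "wg-${name}.conf"
    # Live on the running interface now; SaveConfig = true in wg0.conf writes it
    # to the file on the next wg-quick down, so it survives a restart.
    wg set "$WG_IF" peer "$pub" allowed-ips "${ip}/32"
    echo "wrote wg-${name}.conf for ${ip}; show it with: qrencode -t ansiutf8 < wg-${name}.conf"
}

# Only provision when run with both arguments; sourcing the file just defines the functions.
if [ "$#" -eq 2 ]; then
    provision_peer "$1" "$2"
fi
```

Run as root on the APU, for example ''./wg-add-peer.sh client2 vpn.example.net:51820'' (hostname and port are placeholders), then show the QR code as in the step above. Because the address is derived from what the running interface already knows, two peers can never be handed the same ''allowed-ips'', which is the failure mode of copy-pasting the ''wg set'' line by hand.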
{{tag>[wireguard vpn apu apu1 apu2 Ubuntu linux ]}}