=====Ubuntu 18.04 LTS - Wireguard =====
[[https://www.wireguard.com/|Wireguard]] Installation on PC Engines APU with Ubuntu 18.

====Server====
  * Install hardware, see [[https://wiki.polaire.nl/doku.php?id=apu_ubuntu|Ubuntu on PC Engines]]
  * Configure networking: ''/etc/netplan/01-netcfg.yaml''<code>
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      addresses:
        - 192.168.1.20/24
      gateway4: 192.168.1.1
      nameservers:
          search: [lan]
          addresses: [192.168.1.53]

</code>
  * Apply settings:<code>netplan apply</code>
  * Install netfilter-persistent:<code>apt install iptables-persistent</code>
  * Configure iptables:<code>
iptables -A ...
netfilter-persistent save
</code>
  * Install PPA and Wireguard:<code>sudo apt-get install software-properties-common
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update
sudo apt install wireguard qrencode</code>
  * Reboot to confirm the wireguard automatically loads.<code>ip link add dev wg0 type wireguard
lsmod | grep wire</code>
  * Generate keys:<code>umask 077
wg genkey | tee privatekey | wg pubkey > publickey</code>
  * Configure Wireguard ''/etc/wireguard/wg0.conf'':<code>
[Interface]
Address = 192.168.2.1/24
SaveConfig = true
PostUp = /usr/local/bin/wg-iptables.sh %i up
PreDown = /usr/local/bin/wg-iptables.sh %i down
ListenPort = <random port>
PrivateKey = <privatekey>
</code>
  * Change mod bits:<code>chmod 600 /etc/wireguard/wg0.conf</code>
  * Add iptables script ''/usr/local/bin/wg-iptables.sh ''<code>
#!/bin/bash

WGINT=$1
OUTINT=enp1s0
ACTION=$2

case "${ACTION}" in
	up)
		iptables  -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
                ip6tables -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
                iptables  -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
                ip6tables -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
		;;
	down)
		iptables  -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
		ip6tables -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
		iptables  -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
		ip6tables -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
		;;
	*)
		echo $"Usage: $0 {up|down} <INTERACE>"
		exit 1
esac
</code>
  * Allow forwarding:<code>
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/forward.conf
sysctl -p /etc/sysctl.d/forward.conf</code>
  * Start interface:<code>wg-quick up wg0</code>
  * Enable the interface at boot:<code>systemctl enable wg-quick@wg0</code>

====Client / peer====
  * Generate client config:<code>
umask 077
CLIENT=client1
wg genkey | tee privatekey-${CLIENT} | wg pubkey > publickey-${CLIENT}

cat >wg-${CLIENT}.conf <<EOF
[Interface]
PrivateKey = $(cat privatekey-${CLIENT})
Address = 192.168.2.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = $(wg show wg0 public-key)
Endpoint = $(ip -4 -o addr show dev enp1s0 | awk '{print $4}' | cut -d "/" -f1):$(awk '/ListenPort/ {print $3}' /etc/wireguard/wg0.conf)
AllowedIPs = 0.0.0.0/0, ::/0
EOF
</code>
  * Generate a QR-code and scan it with your client:<code>
qrencode -t ansiutf8 < wg-client1.conf</code>
  * Add peer to server:<code>
wg set wg0 peer $(cat publickey-${CLIENT}) allowed-ips 192.168.2.2/32
</code>

{{tag>[wireguard vpn apu apu1 apu2 Ubuntu linux ]}}