Ben Stienstra

Linux, Unix, network, radio and more...

User Tools

Site Tools


Action disabled: revisions
wireguard_apu_ubuntu

Ubuntu 18.04 LTS - Wireguard

Wireguard Installation on PC Engines APU with Ubuntu 18.

Server

  • Install hardware, see Ubuntu on PC Engines
  • Configure networking: /etc/netplan/01-netcfg.yaml
    # This file describes the network interfaces available on your system
    # For more information, see netplan(5).
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp1s0:
          addresses:
            - 192.168.1.20/24
          gateway4: 192.168.1.1
          nameservers:
              search: [lan]
              addresses: [192.168.1.53]
    
  • Apply settings:
    netplan apply
  • Install netfilter-persistent:
    apt install iptables-persistent
  • Configure iptables:
    iptables -A ...
    netfilter-persistent save
  • Install PPA and Wireguard:
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt update
    sudo apt install wireguard qrencode
  • Reboot to confirm the wireguard automatically loads.
    ip link add dev wg0 type wireguard
    lsmod | grep wire
  • Generate keys:
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
  • Configure Wireguard /etc/wireguard/wg0.conf:
    [Interface]
    Address = 192.168.2.1/24
    SaveConfig = true
    PostUp = /usr/local/bin/wg-iptables.sh %i up
    PreDown = /usr/local/bin/wg-iptables.sh %i down
    ListenPort = <random port>
    PrivateKey = <privatekey>
  • Change mod bits:
    chmod 600 /etc/wireguard/wg0.conf
  • Add iptables script /usr/local/bin/wg-iptables.sh
    #!/bin/bash
    
    WGINT=$1
    OUTINT=enp1s0
    ACTION=$2
    
    case "${ACTION}" in
    	up)
    		iptables  -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
                    ip6tables -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
                    iptables  -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
                    ip6tables -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
    		;;
    	down)
    		iptables  -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		ip6tables -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		iptables  -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
    		ip6tables -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
    		;;
    	*)
    		echo $"Usage: $0 {up|down} <INTERACE>"
    		exit 1
    esac
  • Allow forwarding:
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/forward.conf
    sysctl -p /etc/sysctl.d/forward.conf
  • Start interface:
    wg-quick up wg0
  • Enable the interface at boot:
    systemctl enable wg-quick@wg0

Client / peer

  • Generate client config:
    umask 077
    CLIENT=client1
    wg genkey | tee privatekey-${CLIENT} | wg pubkey > publickey-${CLIENT}
    
    cat >wg-${CLIENT}.conf <<EOF
    [Interface]
    PrivateKey = $(cat privatekey-${CLIENT})
    Address = 192.168.2.2/24
    DNS = 8.8.8.8
    
    [Peer]
    PublicKey = $(wg show wg0 public-key)
    Endpoint = $(ip -4 -o addr show dev enp1s0 | awk '{print $4}' | cut -d "/" -f1):$(awk '/ListenPort/ {print $3}' /etc/wireguard/wg0.conf)
    AllowedIPs = 0.0.0.0/0, ::/0
    EOF
  • Generate a QR-code and scan it with your client:
    qrencode -t ansiutf8 < wg-client1.conf
  • Add peer to server:
    wg set wg0 peer $(cat publickey-${CLIENT}) allowed-ips 192.168.2.2/32
wireguard_apu_ubuntu.txt · Last modified: 2019/07/21 10:15 by admin