Ben's notes

Linux, Unix, network, radio...


Ubuntu 18.04 LTS - Wireguard

WireGuard installation on a PC Engines APU running Ubuntu 18.04 LTS.

Server

  • Install hardware, see Ubuntu on PC Engines
  • Configure networking: /etc/netplan/01-netcfg.yaml
    # This file describes the network interfaces available on your system
    # For more information, see netplan(5).
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp1s0:
          addresses:
            - 192.168.1.20/24
          gateway4: 192.168.1.1
          nameservers:
              search: [lan]
              addresses: [192.168.1.53]
    
  • Apply settings:
    netplan apply
  • Install iptables-persistent (it pulls in netfilter-persistent, which restores the saved rules at boot):
    apt install iptables-persistent
  • Configure the base iptables rules (site-specific; the WireGuard UDP port chosen below must be accepted in INPUT on enp1s0) and save them:
    iptables -A ...
    netfilter-persistent save
  • Add the WireGuard PPA and install WireGuard (qrencode is used later to hand the client config to a phone):
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt update
    sudo apt install wireguard qrencode
  • Reboot, then confirm the WireGuard kernel module (built by DKMS for the running kernel) loads by creating a throwaway interface. Delete it again afterwards: wg-quick creates wg0 itself later and fails if the name already exists.
    ip link add dev wg0 type wireguard
    lsmod | grep wire
    ip link del dev wg0
  • Generate keys:
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
  • Configure WireGuard in /etc/wireguard/wg0.conf (paste the contents of the privatekey file, pick an unused UDP port; SaveConfig = true makes wg-quick write peers added at runtime back into this file when the interface goes down):
    [Interface]
    Address = 192.168.2.1/24
    SaveConfig = true
    PostUp = /usr/local/bin/wg-iptables.sh %i up
    PreDown = /usr/local/bin/wg-iptables.sh %i down
    ListenPort = <random port>
    PrivateKey = <privatekey>
  • Change mod bits:
    chmod 600 /etc/wireguard/wg0.conf
  • Add the iptables hook script /usr/local/bin/wg-iptables.sh and make it executable (chmod 755). wg-quick calls it with the interface name (%i) as $1 and up/down as $2:
    #!/bin/bash
    # Called from wg0.conf: PostUp/PreDown = /usr/local/bin/wg-iptables.sh %i up|down

    WGINT=$1          # WireGuard interface, passed as %i by wg-quick
    OUTINT=enp1s0     # uplink interface the tunnel is NATed behind
    ACTION=$2

    case "${ACTION}" in
    	up)
    		iptables  -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		ip6tables -A FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		iptables  -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
    		ip6tables -t nat -A POSTROUTING -o ${OUTINT} -j MASQUERADE
    		;;
    	down)
    		# Same matches as "up" with -D, so exactly the added rules are removed
    		iptables  -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		ip6tables -D FORWARD -i ${WGINT} -o ${OUTINT} -j ACCEPT
    		iptables  -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
    		ip6tables -t nat -D POSTROUTING -o ${OUTINT} -j MASQUERADE
    		;;
    	*)
    		echo "Usage: $0 <INTERFACE> {up|down}" >&2
    		exit 1
    esac
  • Allow IPv4 forwarding (the file in /etc/sysctl.d is re-applied at boot; IPv6 forwarding is not enabled, and the ip6tables rules in the hook are inert anyway because wg0 carries no IPv6 address):
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/forward.conf
    sysctl -p /etc/sysctl.d/forward.conf
  • Start interface:
    wg-quick up wg0
  • Enable the interface at boot:
    systemctl enable wg-quick@wg0
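The hook above only handles forwarding and NAT; accepting the WireGuard UDP port is left to the elided base rules, and if the FORWARD chain policy is DROP the return traffic enp1s0 -> wg0 is never allowed. The following script is an added example, not the page's wg-iptables.sh: it emits the complete ruleset as iptables commands so they can be reviewed before being applied, keeps "down" symmetric to "up", and skips ip6tables because wg0 has no IPv6 address. The interface names and the port 51820 used as defaults, and the OUTINT/WG_PORT environment overrides, are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original page: emit the netfilter rules for a
# WireGuard gateway as iptables commands so they can be reviewed before being
# applied. Relative to the page's wg-iptables.sh this ruleset also
#   - accepts the WireGuard UDP port in INPUT (the page leaves that to the
#     elided "iptables -A ..." base rules),
#   - accepts the return path <uplink> -> <wg> for established flows, which
#     matters as soon as the FORWARD chain policy is DROP,
#   - leaves ip6tables alone, since wg0 on the page carries no IPv6 address.
# Interface names and the port are parameters; the defaults enp1s0 and 51820
# in the wrapper at the bottom are assumptions of this example.
set -eu

# wg_fw_rules <up|down> <wg-interface> <uplink-interface> <udp-port>
# Prints one iptables command per line. "down" repeats the exact matches of
# "up" with -D instead of -A, so the hook removes precisely what it added.
wg_fw_rules() {
    local action=$1 wgint=$2 outint=$3 port=$4 op
    case "$action" in
        up)   op=-A ;;
        down) op=-D ;;
        *)    echo "wg_fw_rules: action must be up or down, got '$action'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "wg_fw_rules: port '$port' is not numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "wg_fw_rules: port $port out of range" >&2
        return 1
    fi
    # Inbound WireGuard handshakes and data arrive on the uplink as UDP.
    printf 'iptables %s INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$op" "$outint" "$port"
    # Client traffic leaving the tunnel towards the LAN / Internet.
    printf 'iptables %s FORWARD -i %s -o %s -j ACCEPT\n' "$op" "$wgint" "$outint"
    # Replies coming back in: only conntrack-known flows, never unsolicited ones.
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$op" "$outint" "$wgint"
    # Hide the 192.168.2.0/24 tunnel addresses behind the uplink address.
    printf 'iptables -t nat %s POSTROUTING -o %s -j MASQUERADE\n' "$op" "$outint"
}

# Invoked by wg-quick the same way as the page's hook
# (PostUp = /usr/local/bin/wg-fw.sh %i up) the rules are applied; invoked
# without arguments the file only defines the function, so it can be sourced
# or tested. OUTINT and WG_PORT are assumed environment overrides.
if [ "$#" -eq 2 ]; then
    wg_fw_rules "$2" "$1" "${OUTINT:-enp1s0}" "${WG_PORT:-51820}" | sh -e
fi
```

Run `wg_fw_rules up wg0 enp1s0 51820` on its own to see the rules that would be installed, and compare with `iptables -S` after `wg-quick up wg0` to verify the hook did what was intended.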

Client / peer

  • Generate the client config on the server with wg0 up (the server public key and port are read from it). Each client needs its own tunnel address; 192.168.2.2 is used for client1 here. Note that the Endpoint is taken from enp1s0, i.e. the APU's LAN address 192.168.1.20: a peer connecting from outside that LAN needs the public address or DNS name of the upstream router instead, with the UDP port forwarded to the APU.
    umask 077
    CLIENT=client1
    wg genkey | tee privatekey-${CLIENT} | wg pubkey > publickey-${CLIENT}
    
    cat >wg-${CLIENT}.conf <<EOF
    [Interface]
    PrivateKey = $(cat privatekey-${CLIENT})
    Address = 192.168.2.2/24
    DNS = 8.8.8.8
    
    [Peer]
    PublicKey = $(wg show wg0 public-key)
    Endpoint = $(ip -4 -o addr show dev enp1s0 | awk '{print $4}' | cut -d "/" -f1):$(awk '/ListenPort/ {print $3}' /etc/wireguard/wg0.conf)
    AllowedIPs = 0.0.0.0/0, ::/0
    EOF
  • Generate a QR code and scan it with your client. The config carries the client's private key, so remove wg-client1.conf and privatekey-client1 once the client has imported it:
    qrencode -t ansiutf8 < wg-client1.conf
  • Add the peer to the server, restricted to its own /32 (with SaveConfig = true in wg0.conf the peer is written back to the file when wg0 goes down, so it survives a restart):
    wg set wg0 peer $(cat publickey-${CLIENT}) allowed-ips 192.168.2.2/32
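The steps above provision one client with a hard-coded address. The script below is an added example, not the page's own, that generalises them: client number N gets 192.168.2.(N+1), the config is rendered from parameters, and the peer is registered on wg0 with exactly its /32. The tunnel subnet, the 8.8.8.8 resolver, qrencode and the reliance on SaveConfig = true come from the page; the index-to-address mapping, the PersistentKeepalive line and the WG_ENDPOINT override are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original page: provision WireGuard clients in
# bulk instead of editing Address and the file names by hand for each one.
# The tunnel subnet 192.168.2.0/24 with the server at .1, the 8.8.8.8
# resolver, qrencode and SaveConfig = true are all taken from the page; the
# client index -> address mapping, PersistentKeepalive and the WG_ENDPOINT
# override are assumptions of this example.
set -eu

WG_SUBNET_PREFIX=192.168.2    # tunnel network of wg0 (Address = 192.168.2.1/24)
WG_IFACE=wg0

# wg_client_address <index>: tunnel address for client number <index>.
# Index 1 gives .2 (the page's client1); .1 is the server and .255 the
# broadcast address, so valid indexes are 1..253.
wg_client_address() {
    local idx=$1
    case "$idx" in
        ''|*[!0-9]*) echo "wg_client_address: index '$idx' is not numeric" >&2; return 1 ;;
    esac
    if [ "$idx" -lt 1 ] || [ "$idx" -gt 253 ]; then
        echo "wg_client_address: index $idx outside 1..253" >&2
        return 1
    fi
    printf '%s.%d\n' "$WG_SUBNET_PREFIX" $((idx + 1))
}

# wg_render_client_conf <client-privkey> <client-addr> <server-pubkey> <endpoint> <dns>
# Prints the client-side config in the same shape as the page's heredoc.
# AllowedIPs = 0.0.0.0/0, ::/0 routes all client traffic into the tunnel; the
# server only NATs IPv4, so the client's IPv6 is dropped rather than leaked
# around the VPN. PersistentKeepalive (not in the page's config) keeps the
# NAT mapping of a client behind a home router alive.
wg_render_client_conf() {
    local privkey=$1 addr=$2 server_pub=$3 endpoint=$4 dns=$5
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = %s\n\n' \
        "$privkey" "$addr" "$dns"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n' \
        "$server_pub" "$endpoint"
}

# wg_provision <client-name> <index>: generate a key pair, write
# wg-<name>.conf (umask 077, it holds the private key), show it as a QR code
# and register the peer on the running wg0. Needs wg0 up, as on the page.
wg_provision() {
    local name=$1 addr endpoint server_pub
    addr=$(wg_client_address "$2")
    umask 077
    wg genkey | tee "privatekey-$name" | wg pubkey > "publickey-$name"
    server_pub=$(wg show "$WG_IFACE" public-key)
    # The page derives Endpoint from enp1s0, i.e. the APU's LAN address
    # 192.168.1.20, which only peers inside that LAN can reach. For a roaming
    # client set WG_ENDPOINT=<public host or IP>:<port> and forward that UDP
    # port from the upstream router to the APU.
    endpoint=${WG_ENDPOINT:-$(ip -4 -o addr show dev enp1s0 | awk '{print $4}' | cut -d/ -f1):$(wg show "$WG_IFACE" listen-port)}
    wg_render_client_conf "$(cat "privatekey-$name")" "$addr" "$server_pub" "$endpoint" 8.8.8.8 \
        > "wg-$name.conf"
    qrencode -t ansiutf8 < "wg-$name.conf"
    # Only this client's /32 is accepted from its key; SaveConfig = true in
    # wg0.conf writes the peer back to the file when wg0 goes down.
    wg set "$WG_IFACE" peer "$(cat "publickey-$name")" allowed-ips "$addr/32"
}

# "wg-client.sh <name> <index>" provisions one client; with no arguments the
# file only defines the functions.
if [ "$#" -eq 2 ]; then
    wg_provision "$1" "$2"
fi
```

`./wg-client.sh client2 2` produces wg-client2.conf with Address = 192.168.2.3/24 and adds the matching peer with allowed-ips 192.168.2.3/32; `wg show wg0` afterwards lists each client's public key next to exactly one /32, which is the property to check when auditing who can reach the tunnel.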
wireguard_apu_ubuntu.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1