Ubuntu 18.04 LTS - Wireguard
Wireguard Installation on PC Engines APU with Ubuntu 18.
Server
- Install hardware, see Ubuntu on PC Engines
- Configure networking:
/etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      addresses:
        - 192.168.1.20/24
      gateway4: 192.168.1.1
      nameservers:
        search: [lan]
        addresses: [192.168.1.53]
- Apply settings:
netplan apply
- Install netfilter-persistent:
apt install iptables-persistent
- Configure iptables:
iptables -A ...
netfilter-persistent save
- Install PPA and Wireguard:
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt update
sudo apt install wireguard qrencode
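- Reboot to confirm that the wireguard module loads automatically:
ip link add dev wg0 type wireguard
lsmod | grep wire
# Remove the test interface again; wg-quick refuses to start if wg0 already exists.
ip link del dev wg0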
- Generate keys:
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
- Configure Wireguard
/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.1/24
SaveConfig = true
PostUp = /usr/local/bin/wg-iptables.sh %i up
PreDown = /usr/local/bin/wg-iptables.sh %i down
ListenPort = 20617
PrivateKey = <privatekey>
- Restrict the file permissions, since the file contains the private key:
chmod 600 /etc/wireguard/wg0.conf
- Add iptables script
/usr/local/bin/wg-iptables.sh
#!/bin/bash
# Add (up) or remove (down) the forwarding and NAT rules for a WireGuard interface.
# Called by wg-quick as: wg-iptables.sh <INTERFACE> {up|down}
WGINT=$1
OUTINT=enp1s0
ACTION=$2

case "${ACTION}" in
  up)
    # Forward traffic from the tunnel to the LAN interface and masquerade it.
    iptables -A FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    ip6tables -A FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    iptables -t nat -A POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ip6tables -t nat -A POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ;;
  down)
    # Delete exactly the rules that "up" added.
    iptables -D FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    ip6tables -D FORWARD -i "${WGINT}" -o "${OUTINT}" -j ACCEPT
    iptables -t nat -D POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ip6tables -t nat -D POSTROUTING -o "${OUTINT}" -j MASQUERADE
    ;;
  *)
    echo "Usage: $0 <INTERFACE> {up|down}"
    exit 1
    ;;
esac
- Allow forwarding:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/forward.conf
sysctl -p /etc/sysctl.d/forward.conf
- Start interface:
wg-quick up wg0
- Enable the interface at boot:
systemctl enable wg-quick@wg0
Client / peer
- Generate client config:
umask 077
CLIENT=client1
wg genkey | tee privatekey-${CLIENT} | wg pubkey > publickey-${CLIENT}
# Endpoint is built from the server's address on enp1s0; clients connecting from
# outside that network need the server's publicly reachable address instead.
cat >wg-${CLIENT}.conf <<EOF
[Interface]
PrivateKey = $(cat privatekey-${CLIENT})
Address = 192.168.2.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = $(wg show wg0 public-key)
Endpoint = $(ip -4 -o addr show dev enp1s0 | awk '{print $4}' | cut -d "/" -f1):$(awk '/ListenPort/ {print $3}' /etc/wireguard/wg0.conf)
AllowedIPs = 0.0.0.0/0, ::/0
EOF
- Generate a QR-code and scan it with your client:
qrencode -t ansiutf8 < wg-client1.conf
- Add peer to server:
wg set wg0 peer $(cat publickey-${CLIENT}) allowed-ips 192.168.2.2/32
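A check for the two security-relevant settings in this procedure, the 600 mode on wg0.conf and one /32 per peer in allowed-ips, as an added example that is not part of the original page. The function name wg_audit and the sample config are constructed for illustration; it assumes GNU stat and the config layout that wg-quick writes with SaveConfig.

```bash
# wg_audit FILE: print one finding per line; return 1 if anything was found.
wg_audit() {
  local conf=$1 mode findings=0
  # The file holds the PrivateKey, so only its owner may read it (chmod 600).
  mode=$(stat -c '%a' "$conf") || return 2
  if [ "$mode" != "600" ]; then
    echo "mode: $conf is $mode, expected 600"; findings=1
  fi
  # Each peer should own exactly one host address: a wider entry lets that peer
  # use other peers' addresses, a duplicate moves the address to the last peer.
  awk -F'[ =,]+' '
    /^\[Peer\]/ { inpeer = 1; next }
    /^\[/       { inpeer = 0 }
    inpeer && $1 == "AllowedIPs" {
      for (i = 2; i <= NF; i++) {
        if ($i == "") continue
        host = ($i ~ /:/) ? "/128" : "/32"
        if (substr($i, length($i) - length(host) + 1) != host) {
          print "allowed-ips: " $i " is wider than one host"; bad = 1
        }
        if (seen[$i]++) {
          print "allowed-ips: " $i " is assigned to more than one peer"; bad = 1
        }
      }
    }
    END { exit bad + 0 }
  ' "$conf" || findings=1
  return "$findings"
}

# Constructed sample (not from the page): mode 644, both peers claim 192.168.2.2/32.
sample=$(mktemp)
cat >"$sample" <<'EOF'
[Interface]
Address = 192.168.2.1/24
ListenPort = 20617
PrivateKey = <privatekey>

[Peer]
PublicKey = <client1-publickey>
AllowedIPs = 192.168.2.2/32

[Peer]
PublicKey = <client2-publickey>
AllowedIPs = 192.168.2.2/32
EOF
chmod 644 "$sample"
wg_audit "$sample" || true
rm -f "$sample"
```

On the server, run it as root against /etc/wireguard/wg0.conf after wg-quick has saved the configuration, so the peers added with wg set are included.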
wireguard_apu_ubuntu.1551032515.txt.gz · Last modified: 2019/02/24 18:21 by admin