Ubuntu 20.04
Sponsored Link

WireGuard : Configure Server2020/10/29
 
Install WireGuard which is the simple yet fast and modern VPN software.
This example is based on the environment like follows.
First, it needs to configure IP masquerade setting on your router that UDP packets to global IP address of WireGuard server from WireGuard client via internet are forwared to local IP address of WireGuard server. 
  +------------------------+
  | [  WireGuard Server  ] |172.16.100.1 (VPN IP)
  |      dlp.srv.world     +--------+
  |                        |wg0     |
  +-----------+------------+        |
          eth0|10.0.0.30/24         |
              |                     |
              |       Local Network |
       +------+-----+               |
-------|  Router#1  |---------------|-----
       +------+-----+               |
              |                     |
    Internet  |  Internet           |
              |                     |
       +------+-----+               |
-------|  Router#2  |---------------|-----
       +------+-----+               |
              |       Local Network |
              |                     |
          eth0|192.168.10.30/24     |
  +-----------+------------+        |
  |  [ WireGuard Client ]  |wg0     |
  |                        +--------+
  |                        |172.16.100.5 (VPN IP)
  +------------------------+
[1] Install WireGuard.
root@dlp:~#
apt -y install wireguard-tools
[2] Configure WireGuard.
root@dlp:~#
umask 077
# generate private key for server

root@dlp:~#
wg genkey | tee /etc/wireguard/server.key

2IcE8jDSDpHGOFBk5vEkmJ5yP7T9YHU+vr0mya+h5Ho=
# generate public key for server

root@dlp:~#
cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub

AIUd+0cxJVkbq4M+4cVUJhHu1Nxszlz3ccidVTbCh1k=
# generate private key for client

root@dlp:~#
wg genkey | tee /etc/wireguard/client.key

8JI7j5Q3HWBtwMFwX6TCZf4nJXjS15S9jH8ktKyty2g=
# generate public key for client

root@dlp:~#
cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub

Sv35tTqVeKh+YjF9hLXQ6mpx4CH6q3Xj/xiN7R63930=
# confirm network interface

root@dlp:~#
ip addr 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ac:8f:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.30/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feac:8f06/64 scope link
       valid_lft forever preferred_lft forever
# create a new config

# [wg0.conf] ⇒ [(VPN interface name).conf]

# VPN interface name ⇒ any name you like

root@dlp:~#
vi /etc/wireguard/wg0.conf 
[Interface]
# specify generated private key for server
PrivateKey = 2IcE8jDSDpHGOFBk5vEkmJ5yP7T9YHU+vr0mya+h5Ho=
# IP address for VPN interface
Address = 172.16.100.1
# UDP port WireGuard server listens
ListenPort = 51820

# possible to set any commands after WireGuard starts/stops
# set routing rules like follows to access to local network via VPN session
# [wg0] ⇒ VPN interface name
# [eth0] ⇒ Ethernet interface name
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# specify public key for client
PublicKey = Sv35tTqVeKh+YjF9hLXQ6mpx4CH6q3Xj/xiN7R63930=
# clients' VPN IP addresses you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
AllowedIPs = 172.16.100.5, 172.16.100.6
root@dlp:~#
vi /etc/sysctl.conf
# line 28: uncomment to enable IP forearding

net.ipv4.ip_forward=1
root@dlp:~#
sysctl -p

net.ipv4.ip_forward = 1
# [wg-quick@wg0] ⇒ [wg-quick@(VPN interface name)]

root@dlp:~#
systemctl enable --now wg-quick@wg0
root@dlp:~#
ip addr 

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ac:8f:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.29/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feac:8f06/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.100.1/32 scope global wg0
       valid_lft forever preferred_lft forever
Matched Content