Configuring Wireguard
Wireguard must be installed using
sudo apt install wireguard
This should install Wireguard and the wg-quick utility.
THE FOLLOWING STEP ONLY NEEDS TO BE RUN ON THE FORWARDING HOST
Along with this, the system must be allowed to forward traffic. Configure this by using
sudo nano /etc/sysctl.conf
Make the following change (uncomment the line, or add it if it is missing) so the kernel forwards IPv4 packets between interfaces:
net.ipv4.ip_forward=1
Commit these changes by running the following
sudo sysctl -p
sudo sysctl --system
These changes are now applied. A quick reboot will confirm that they persist.
You can either configure the WireGuard tunnel manually, or use the cool little tool I made for configuring your host. As always, never run a script from the Internet without reviewing the code yourself. Run the following to begin the setup. It will configure a tunnel interface named "wg1"; the configuration can be found in wg1.conf.
bash <(wget -qO- https://raw.githubusercontent.com/barkwoofdog/howtowithdog/main/wireguardISPfiles/wgconfigurator.sh)
However, if you don't feel like using that tool, here is a sample of what a configuration looks like. Make substitutes where needed for your individual config.
[Interface]
PrivateKey = ******
ListenPort = 55369
Address = 10.0.0.1/24
DNS = 1.1.1.1
# TCP: forward every destination port except SSH (22) to the home server's tunnel IP, and rewrite the source of traffic leaving eth0 to this host's public IP
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --match multiport '!' --dport 22 -j DNAT --to-destination HOMESERVER-WGIP; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source THISHOST-IP
# UDP: forward every destination port except the WireGuard listen port itself (55369 above), so the tunnel's own packets are never redirected
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 '!' --dport 55369 -j DNAT --to-destination HOMESERVER-WGIP
# remove the same rules again when the tunnel goes down
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --match multiport '!' --dport 22 -j DNAT --to-destination HOMESERVER-WGIP; iptables -t nat -D POSTROUTING -o eth0 -j SNAT --to-source THISHOST-IP
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 '!' --dport 55369 -j DNAT --to-destination HOMESERVER-WGIP
# on-prem server
[Peer]
PublicKey = ********
AllowedIPs = 10.0.0.2/32
NOTE DOWN THE PUBLIC KEY FROM THE OUTPUT! (It can also be found in a file named pubkey.)
When prompted, answer that you are configuring the forwarder.
As for the listening port, you can choose pretty much anything. The default is UDP 55017.
The Network configuration includes a Subnet Mask. You can choose any Private IP Range, and any Subnet Mask. Just be sure to note your choices down for later.
The important part of this configuration is replacing the placeholder values the script leaves in the firewall rules. You can fill in the host IP placeholder now, but you will need the WireGuard interface IP of the other host in order to forward traffic to it.
You can enable the tunnel to start on boot by running
sudo systemctl enable wg-quick@wg1
Later, when the other host is set up, we can add its public key and IP to the Peer definition inside wg1.conf.
In order for the tunnel to connect, you will need to allow the listen port you selected in the firewall rules. We'll also allow the OpenSSH program so we don't lock ourselves out. Since it is assumed that you are on an Ubuntu system, we're going to use ufw. Accomplish this by running the following as root (replace wgport with the UDP listen port you chose):
ufw enable
ufw allow wgport/udp comment 'wireguard port'
ufw allow openssh
ufw reload
Here, we can just run the configuration tool again. Answer no to the forwarding-server question. This proceeds with a host setup, which adds a few lines to the peer definition and does not configure a listening port.
bash <(wget -qO- https://raw.githubusercontent.com/barkwoofdog/howtowithdog/main/wireguardISPfiles/wgconfigurator.sh)
AGAIN: take note of your public key.
When it comes to configuring this host, you must match the network and subnet mask to what you selected on the forwarder. This means that if your IP configuration on the forwarder was 10.0.0.1/24, then this host must use an address within that subnet, i.e. anything from 10.0.0.2/24 to 10.0.0.254/24.
In the wg1.conf file on this host, paste the public key of the forwarder. You will also need to enter the public IP and port of the endpoint, like this:
Endpoint = 185.5.24.2:55017
The Persistent Keep-Alive has been set at 15, but you can change it to whatever you like.
At this point you can go back to the forwarder and paste the public key of your home server into the PublicKey value of the Peer definition. You will also need to add the IP of your home server to the AllowedIPs value; be sure to leave the /32 so that only that host can connect. Remember to put the home server's tunnel IP into the firewall rules (the HOMESERVER-WGIP placeholder) as well.
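To tie the two halves together, here is an added example (my own script, not the page's wgconfigurator.sh) that renders both wg1.conf files from one set of values and enforces the rule stated above: the home server's tunnel address must have the same prefix length as the forwarder's and fall inside its subnet. The NAT rules follow the page's design (DNAT everything except SSH and the listen port, SNAT on the public interface); the plain `! --dport` form is used instead of the multiport match. The home-side AllowedIPs default of 0.0.0.0/0 is my assumption (the page does not state it): replies to DNATed connections must travel back through the tunnel to the forwarder, where conntrack undoes the translation. All keys and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the page's wgconfigurator.sh): render matching wg1.conf
# files for the forwarder and the home server from one set of values, and
# check the addressing constraint the guide states: the home server's tunnel
# address must lie inside the forwarder's tunnel subnet, with the same prefix
# length. Every key and address used below is a constructed placeholder.

ip_to_int() {
  # Dotted quad -> 32-bit integer, using only shell arithmetic.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_subnet() {
  # in_subnet ADDR NET/BITS : succeeds when ADDR is inside NET/BITS.
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

check_addressing() {
  # check_addressing FWD_ADDR/BITS HOME_ADDR/BITS : same prefix length, and
  # the home address must fall inside the forwarder's subnet.
  [ "${1#*/}" = "${2#*/}" ] && in_subnet "${2%/*}" "$1"
}

render_forwarder_conf() {
  # render_forwarder_conf PRIVKEY LISTEN_PORT WG_ADDR/BITS PUBLIC_IP HOME_WG_IP HOME_PUBKEY [IFACE]
  privkey=$1; port=$2; wgaddr=$3; hostip=$4; homewg=$5; homepub=$6; ifc=${7:-eth0}
  cat <<EOF
[Interface]
PrivateKey = $privkey
ListenPort = $port
Address = $wgaddr
# TCP: everything except SSH (22) is DNATed to the home server; UDP: everything
# except the WireGuard listen port itself, so tunnel packets are never redirected.
PostUp = iptables -t nat -A PREROUTING -i $ifc -p tcp ! --dport 22 -j DNAT --to-destination $homewg; iptables -t nat -A PREROUTING -i $ifc -p udp ! --dport $port -j DNAT --to-destination $homewg; iptables -t nat -A POSTROUTING -o $ifc -j SNAT --to-source $hostip
PostDown = iptables -t nat -D PREROUTING -i $ifc -p tcp ! --dport 22 -j DNAT --to-destination $homewg; iptables -t nat -D PREROUTING -i $ifc -p udp ! --dport $port -j DNAT --to-destination $homewg; iptables -t nat -D POSTROUTING -o $ifc -j SNAT --to-source $hostip

# on-prem server
[Peer]
PublicKey = $homepub
AllowedIPs = $homewg/32
EOF
}

render_home_conf() {
  # render_home_conf PRIVKEY WG_ADDR/BITS FWD_PUBKEY FWD_PUBLIC_IP FWD_PORT [ALLOWED_IPS]
  # AllowedIPs defaults to 0.0.0.0/0 (an assumption, not stated by the guide) so
  # replies to DNATed connections return through the tunnel to the forwarder.
  privkey=$1; wgaddr=$2; fwdpub=$3; fwdip=$4; fwdport=$5; allowed=${6:-0.0.0.0/0}
  cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $wgaddr

# forwarder
[Peer]
PublicKey = $fwdpub
Endpoint = $fwdip:$fwdport
AllowedIPs = $allowed
PersistentKeepalive = 15
EOF
}

# Stand-alone demo with constructed values.
if check_addressing 10.0.0.1/24 10.0.0.2/24; then
  render_forwarder_conf FWD-PRIVATE-KEY 55017 10.0.0.1/24 185.5.24.2 10.0.0.2 HOME-PUBLIC-KEY eth0
  echo
  render_home_conf HOME-PRIVATE-KEY 10.0.0.2/24 FWD-PUBLIC-KEY 185.5.24.2 55017
else
  echo "home address is not inside the forwarder's tunnel subnet" >&2
fi
```

Run it as-is to see both rendered files; in practice you would call the two render functions with your real keys and write their output to /etc/wireguard/wg1.conf on the respective host, after check_addressing has passed.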
At this point you should have a working tunnel. Run
sudo systemctl start wg-quick@wg1
on both hosts to start the tunnel.
You can also use the wg-quick utility as root to bring the tunnel up and down:
wg-quick up wg1
wg-quick down wg1
You can check the status of the tunnel by running wg as root.
If all is well, you should see traffic being transferred both ways (the peer's received and sent counters both increase).
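The status check above is easy to eyeball once, but for a tunnel that should stay up it helps to script it. The following is an added example (mine, not from the page) that reads the machine-readable output of wg show wg1 dump and flags each peer as OK, NO-HANDSHAKE, STALE (last handshake older than a threshold) or NO-RX (we send but receive nothing, the classic sign of a firewall dropping the return path). The field order is the one documented in wg(8) for the dump format; the sample dump is constructed, and its keys are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): a health check over the machine-readable
# output of `wg show wg1 dump`. For each peer it reports OK, NO-HANDSHAKE,
# STALE (last handshake older than MAX_AGE seconds) or NO-RX (nothing received
# although we are sending), and exits non-zero if any peer is not OK.

# tunnel_health NOW_EPOCH [MAX_AGE]  < dump-output
tunnel_health() {
  awk -F'\t' -v now="$1" -v max_age="${2:-180}" '
    NR == 1 { next }   # first line is the interface: private-key public-key listen-port fwmark
    {
      # peer line: public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
      peer = substr($1, 1, 6) "..."
      if ($5 == 0)                 { print peer, "NO-HANDSHAKE"; bad = 1 }
      else if (now - $5 > max_age) { print peer, "STALE", (now - $5) "s"; bad = 1 }
      else if ($6 == 0)            { print peer, "NO-RX", "tx=" $7; bad = 1 }
      else                           print peer, "OK", "rx=" $6, "tx=" $7
    }
    END { exit bad }'
}

# Constructed sample in the dump format (tab separated); keys are placeholders.
# Peer A handshook at epoch 1700000000 and has traffic both ways; peer B never handshook.
T=$(printf '\t')
SAMPLE_DUMP="FWD-PRIVATE-KEY${T}FWD-PUBLIC-KEY${T}55017${T}off
PEER-A-PUBLIC-KEY${T}(none)${T}198.51.100.7:51820${T}10.0.0.2/32${T}1700000000${T}4096${T}8192${T}15
PEER-B-PUBLIC-KEY${T}(none)${T}(none)${T}10.0.0.3/32${T}0${T}0${T}0${T}off"

# Stand-alone demo. On a live host use:  sudo wg show wg1 dump | tunnel_health "$(date +%s)" 180
printf '%s\n' "$SAMPLE_DUMP" | tunnel_health 1700000060 180 \
  || echo "one or more peers need attention" >&2
```

A threshold of 180 seconds is deliberately generous: WireGuard re-handshakes roughly every two minutes while traffic flows, and with PersistentKeepalive set there is always some traffic, so a peer older than that has most likely lost its path.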
In order to further secure your forwarding host, I recommend setting ufw to deny incoming traffic by default with
ufw default deny incoming
Remember that with this you will need to allow traffic for the services you are hosting behind it, the most common being HTTP and HTTPS:
ufw allow 80/tcp comment 'accept http connections'
ufw allow 443/tcp comment 'accept https connections'
Be sure to run
ufw reload
to apply your changes.