The officially official Devuan Forum!

You are not logged in.

#1 2022-11-01 02:01:10

nixer
Member
From: North Carolina, USA
Registered: 2016-11-30
Posts: 145  

Wireguard VPN install

This post may look long, and it is.  After installing, using, and fighting with an openvpn server for about 6 years, configuring and using a wireguard vpn server is much easier.  A lot has been shared on the internet on installing and configuring wireguard.  I don't think another one is needed, but I tried to put together a wireguard vpn and this is what I came up with on Devuan Chimaera. 

The information below was mainly taken from these two tutorials:
https://linuxize.com/post/how-to-set-up … debian-10/

Dual stack ipv4 and ipv6:
https://stanislas.blog/2019/01/how-to-s … -nat-ipv6/

Also, I did run across and implement a couple of features that appear to work well with wireguard and devuan.  These two items are 1- a sysvinit start/stop/status script, and 2- how to run multiple instances on the same vps, using different ports.  You may not need to run wireguard on multiple ports but if you have a dedicated vps server, and one port is blocked by an internet service provider, having another port available might be of use.  This "should" get a functional vpn tunnel operational, and then you can do more advanced things within the tunnel itself, if you wish.

Configuration steps:
- install wireguard
- Configure keys and wg0 file on both the server and peer (client)
- Create sysvinit startup script
- sysctl.conf edits to allow for routing on the server
- Add vpn profile to mobile device with a qr-code scan
- Import WireGuard profile using Network-Manager (nmcli)
- Create multiple instances of wireguard on different ports (same host/server) (optional)

On Server
Install:

apt install wireguard

create keys:
   

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

   

sudo nano /etc/wireguard/wg0.conf

Add to wg0.conf file, you may choose your own ip address subnets, and you may select a different port number:   

[Interface]
Address = 10.0.0.1/24,fd00::1/64
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2,fd00::2   
PersistentKeepalive = 24

   

sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}

https://www.procustodibus.com/blog/2021 … it-script/
Sysvinit start/stop/status script:
   

nano /etc/init.d/wg0

Add this to file:

#!/bin/sh -eu
# checkconfig: 2345 30 70
# description: set up a WireGuard interface simply
### BEGIN INIT INFO
# Provides: wg-quick
# Required-Start: $local-fs $network
# Required-Stop: $local-fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: set up a WireGuard interface simply
### END INIT INFO

command=/usr/bin/wg-quick
interface=wg0
description="wg-quick on $interface"
logfile=/var/log/$interface

status() {
    /usr/bin/wg show $interface
}

start() {
    touch $logfile && date >>$logfile
    echo "starting $description ..." | tee -a $logfile
    $command up $interface >>$logfile 2>&1
    echo "... started $description" | tee -a $logfile
}

stop() {
    touch $logfile && date >>$logfile
    echo "stopping $description ..." | tee -a $logfile
    $command down $interface >>$logfile 2>&1
    echo "... stopped $description" | tee -a $logfile
}

case "${1-}" in
    status) status ;;
    start) start ;;
    restart) stop || true; start ;;
    stop) stop ;;
    *) echo "usage: $0 {status|start|restart|stop}" ;;
esac

Make executable with
   

chmod +x /etc/init.d/wg0

Update default rc links:
   

update-rc.d wg0 defaults

Enable IPv4 and IPv6 routing on the server
In /etc/sysctl.conf, add or uncomment these, and save file

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding = 1

Save the file and apply the change:
   

sudo sysctl -p

Open up your firewall to allow for incoming udp connections to the port number you specified, if it is different from port 51820. 

On Client
Install:

apt install wireguard

create keys:
   

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Create the file wg0.conf and add the following contents:
   

sudo nano /etc/wireguard/wg0.conf

Add this to the wg0.conf file on the client machine

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 8.8.8.8,2620:0:ccc::1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP_ADDRESS:51820
AllowedIPs = 0.0.0.0/0

The client keys needed for a mobile device can be created on any computer, and does not need to be created on the mobile device itself.  I just created a different folder and populated it with the keys so that the other keys were not overwritten.

At this point, you should have a fully functional wireguard vpn server.  But you will need to start the wg0 service first.
   

service wg0 start

Useful commands to see wg0 on server, or use "service wg0 {start,stop,status}"
To start vpn tunneling:
   

sudo wg-quick up wg0

To stop the tunneling, bring down the wg0 interface:
   

sudo wg-quick down wg0

To check the interface state and configuration, run:
   

sudo wg show wg0

You can also verify the interface state with ip a show wg0:
   

ip a show wg0

https://www.hardill.me.uk/wordpress/202 … uard-ipv6/

Add vpn profile to mobile device with qr-code scan.  To generate qr code for android import: 
   

apt install qrencode

From the computer where the client keys and client wg0.conf file are located, as root
   

qrencode -t png -o wg0.png < wg0.conf

   

qrencode -t ansiutf8 < wg0.conf

The qr-code will display in the terminal, and from the wireguard mobile app
    Add > Scan from QR Code
Once the profile is imported, minor changes can be made to the profile itself as editing is allowed.

https://www.cyberciti.biz/faq/how-to-im … -on-linux/

How to import WireGuard profile using nmcli (Network-Manager) on Linux.  We can import /etc/wireguard/wg0.conf by typing the following command(s):

Set up shell environment variable:
   

file='/etc/wireguard/wg0.conf'

   
Now import it using the nmcli command:
   

sudo nmcli connection import type wireguard file "$file"

 
Rename profile wg0 as hostname-wg0, or whatever you want it to be:
   

nmcli connection modify wg0 connection.id "hostname-wg0"

You may repeat this procedure for all WireGuard profiles on Linux when using NetworkManager CLI interface called nmcli.


Multiple instances on same host with different ports, minimal changes are needed to a newly created wg1 interface file.  The file can be given any name.
wg1 sounds good for this example.

Make duplicate of wg0.conf file
   

cd /etc/wireguard

   

cp wg0.conf wg1.conf

Edits to wg1.conf file, change the listening port

ListenPort = ??

    (whatever port you choose)

Also, the noted [Peer] subnet must be different from wg0!
Change this from what is noted in the wg0.conf file:
   

AllowedIPs = 10.0.0.3,fd00::3

    -to-
   

AllowedIPs = 10.0.1.3,fd01::3

The rest of the file can stay the same, including the keys.
   

sudo chmod 600 /etc/wireguard/wg1.conf

The best port to use for a vpn is open for discussion.  Which port is least likely to be blocked by internet carriers?
Wireguard only uses udp, not tcp.  Ports 443 and 53 are most often mentioned as least likely to be blocked.

Add / edit the /etc/init.d/wg1 script
Make copy of /etc/init.d/wg0 script
   

cd /etc/init.d

   

cp wg0 wg1

Open file /etc/init.d/wg1
   

nano wg1

   
and change the following line:
   

interface=wg0

   
change to:
   

interface=wg1

Save the file.

The first time above we ran
    update-rc.d wg0 defaults
to update the script links into the /etc/rc.d folders.  However, when it is run again with
    update-rc.d wg1 defaults
It does not build any links in any rc0, rc1, rc2... folders, and this response is noted in the terminal,

insserv: script wg1: service wg-quick already provided!

But the wg1 service still works, it just does not start at boot.  This can be corrected by adding
   

service wg1 start

to /etc/rc.local file so it will start at boot.  You might want the rc.local file to look like this:

service wg1 start
sleep 1
exit 0

The  service {wg0,wg1} start/stop/status  commands will work.

The additional memory usage for the extra interface is minimal on a 512mb vultr vps server.  CPU and memory use is quite light with wireguard in general.

Additional and helpful info on wireguard:
https://www.reddit.com/r/WireGuard/comm … ts_on_the/

I hope I did not overlook anything.

I get a little paranoid using public wifi hotspots.  I am glad my vpn is operational again and I don't want to pay for a vpn if I can host my own.

Offline

Board footer