WireGuard: VPN Tunnel

   Oct 15, 2024     6 min read

VPN Server & Client configuration

Online privacy and security offer many benefits, and VPNs (Virtual Private Networks) have become essential tools for protecting personal data and securing internet connections. Although each VPN protocol has its own strengths and weaknesses, WireGuard has gained acceptance among many security and IT professionals. WireGuard benefits from its simplicity: at only about 4,000 lines of C it has a small code base, which means fewer bugs and security vulnerabilities, reduced CPU usage and faster connection times. WireGuard (WG) uses 256-bit encryption with the ChaCha20 cipher and the Poly1305 message authentication code, a combination that is particularly effective at protecting against man-in-the-middle (MiTM) attacks. WireGuard has been designed with security in mind.

WireGuard can run inside the Linux kernel, the part of the OS that does the low-level processing, which is what will be demonstrated in this documentation. WireGuard does not have a way of allocating dynamic IP addresses. This means your VPN IP address can be the same every time you connect, which can lead to being tracked online. WG also does not delete your IP when you disconnect; it remains in memory for a period of time. WG uses the same keys by default, so if someone obtained the keys from the server they could decrypt traffic. WG does nothing to obfuscate traffic, so it can be vulnerable to Deep Packet Inspection (DPI): someone can figure out you're using a VPN and even what type. WG is also UDP only; there are ways to carry it over TCP, but we will address this in another post by utilizing two VPN tunnels for our traffic.

Also, it is worth noting that your traffic will carry the same public IP address as the location where your server resides. So if the server is running at home, your traffic will have your home IP address even if you connect from a distant LAN. WG continues to be the most secure free and open source VPN protocol.

Limiting Factors: CPU utilization, Memory, Network Bandwidth

Step 1: Expose the WG server to the internet. This ensures your external IP can be reached from the wider internet; most people have a static IP from their ISP. Port forwarding enables external devices to access services on a private network. When data reaches your router, the router needs to know which device on the LAN should receive it. Port forwarding sets up rules to direct this traffic: each rule identifies a port number and the local IP address of the device that should receive traffic for that port.

In order to determine the correct IP address, type ipconfig or ifconfig, depending on your OS, and look for the private IP address on the eth0 interface. That is the address you will want to use for the port forwarding rule on your router.

Purpose: analyzing network traffic to determine if port forwarding is working properly.

$ sudo apt install netcat -y [-y at the end means yes]

$ ifconfig -a

  • eth0 inet 192.168.0.88 netmask 255.255.255.0

$ sudo tcpdump -i eth0 "udp port 33333"

  • translated: listen on interface eth0 for UDP packets on port 33333

Scan for listening daemons to determine whether a connection attempt will be successful, replacing the placeholder with the server's public IP:

$ netcat -v -z -u <server-public-ip> 33333

  • check UDP connectivity to a port on a remote server (-v verbose, -z scan without sending data, -u use UDP)
  • because UDP has no handshake, netcat can only report a port as open when nothing answers; the tcpdump capture above is the reliable confirmation that packets actually arrive
  • note if you have a firewall enabled, ensure it allows 33333 through from the router

Setup WG VPN Server - install programs, create configuration file

$ sudo apt install wireguard wireguard-tools iptables

  • sudo (superuser do) - allows a user to execute a command as an elevated user
  • apt - manages software and handles packages on the system efficiently
  • iptables - used to manage NAT (network address translation) and packet forwarding in the kernel

$ sudo nano /etc/sysctl.conf

  • direction: enable packet forwarding by removing # next to: net.ipv4.ip_forward=1

$ cat /proc/sys/net/ipv4/ip_forward

  • output must be 1; use this to check that the edit has taken effect (sysctl.conf is read at boot, so reload it or reboot before checking)

Create public and private keys for VPN server

$ wg genkey | tee server-privatekey | wg pubkey > server-publickey

  • wg genkey generates a new private key; tee writes its standard input both to standard output and to the file server-privatekey
  • wg pubkey reads the private key and derives the corresponding public key; > redirects the output to a file named server-publickey
  • suggestion: $ chmod 600 server-privatekey
  • this command restricts the private key file to its owner, ensuring its permissions are set accordingly

Create configuration file

$ sudo nano /etc/wireguard/wg0.conf

$ sudo chmod 600 /etc/wireguard/wg0.conf

  • Address - the private IP address of the wg0 interface, which is one end of the tunnel; the server sits at one end and each client peer at the other. It cannot be within your LAN IP network.
  • ListenPort - you can choose another; this one is easily remembered and unlikely to clash with other VPNs or network services.
  • PrivateKey - keep it private; it should never be shared with peers/clients.
  • PostUp/PostDown - remember to change the interface from eth0 to the name you find on your server.
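As an added example (not code from the original post), the script below writes a server wg0.conf with the four settings described above and then checks the points the post calls out: the file is mode 600, every required field is present, and the tunnel address does not fall inside the LAN. The tunnel address 10.0.0.1/24, the LAN 192.168.0.0/24 and the listen port 33333 are assumptions taken from the addresses used earlier in this post; the PrivateKey value is a placeholder to be replaced with the output of wg genkey; the iptables PostUp/PostDown lines are the usual NAT and forwarding rules for a WAN interface named eth0; and the file is written to a temporary directory rather than /etc/wireguard.

```shell
#!/bin/sh
# Added example, not the post's own code: write a server wg0.conf with the
# fields described above and sanity-check it before starting wg-quick.
# Assumptions: LAN 192.168.0.0/24, tunnel 10.0.0.1/24, port 33333 (from the
# post); the private key is a placeholder; the file goes under a temp dir.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CONF="$WORKDIR/wg0.conf"          # stand-in for /etc/wireguard/wg0.conf
LAN_CIDR="192.168.0.0/24"         # the LAN the server sits on

# Write the [Interface] section: $1 path, $2 tunnel address, $3 listen port,
# $4 private key, $5 WAN interface name (%i is expanded by wg-quick to wg0)
write_server_conf() {
    cat > "$1" <<EOF
[Interface]
Address = $2
ListenPort = $3
PrivateKey = $4
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $5 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $5 -j MASQUERADE
EOF
    chmod 600 "$1"   # the private key is in this file, so nobody else may read it
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Value of "Key = value" inside the [Interface] section: $1 conf, $2 key
conf_get() {
    awk -v k="$2" -F' *= *' '/^\[/ {s=$1} s=="[Interface]" && $1==k {print $2; exit}' "$1"
}

# Print 1 if dotted-quad $1 lies inside CIDR $2, else 0 (pure awk arithmetic)
in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
    function toint(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    BEGIN {
        split(cidr, c, "/"); shift = 2^(32 - c[2])
        if (int(toint(c[1]) / shift) == int(toint(ip) / shift)) print 1; else print 0
    }'
}

# The checks the post calls out; returns the number of problems found (0 = OK)
check_server_conf() {
    local conf="$1" errors=0 addr key
    [ "$(file_mode "$conf")" = "600" ] || { echo "$conf: mode is not 600"; errors=$((errors + 1)); }
    for key in Address ListenPort PrivateKey PostUp PostDown; do
        [ -n "$(conf_get "$conf" "$key")" ] || { echo "$conf: missing $key"; errors=$((errors + 1)); }
    done
    addr="$(conf_get "$conf" Address)"; addr="${addr%%/*}"
    [ "$(in_cidr "$addr" "$LAN_CIDR")" = 0 ] \
        || { echo "$conf: Address $addr overlaps the LAN $LAN_CIDR"; errors=$((errors + 1)); }
    return "$errors"
}

write_server_conf "$CONF" 10.0.0.1/24 33333 SERVER_PRIVATE_KEY_PLACEHOLDER eth0
check_server_conf "$CONF" && echo "$CONF passes all checks"
```

Run the checker against the real file (as root) before the first `systemctl start wg-quick@wg0`; a config whose Address lands inside 192.168.0.0/24 or whose mode is wider than 600 is reported instead of silently accepted.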

Start the server and enable it at startup

$ sudo systemctl start wg-quick@wg0

$ sudo systemctl enable wg-quick@wg0

  • first, start the wg0 interface, then enable the WG service to start automatically at boot

Confirm the status of the interface and determine whether a connection is achievable

$ netstat -n -r

  • display the IP routing table
  • note the destination network: 0.0.0.0 represents the default route, which sends traffic to the gateway, in this case 192.168.0.1. The subnet mask indicates how many devices fit within a network segment: a /24 (255.255.255.0) holds 254 devices, plus 1 network address and 1 broadcast address.

$ systemctl status wg-quick@wg0

  • note look for indicators that tell you whether the service is active or inactive. Ensure the service unit file is loaded correctly. Review log entries from the service.

Setup Client connections: supported operating systems include Linux, Windows, MacOS, Android, iOS, and Raspberry Pi.

Download the Windows Wireguard application. Add an empty tunnel. Take note of the Public Key, it will need to be placed onto the WG VPN server as a peer.

  • Utilize this configuration file: it worked successfully on Android and Windows OS

Update the server configuration file

$ sudo nano /etc/wireguard/wg0.conf

[Peer]

  • PublicKey = key_from_client_device (the public key shown in the client's Interface section)
  • AllowedIPs = 10.0.0.2/32 (notice /32: only this specific address is permitted to transmit/receive traffic through this peer)

Reload the configuration file, then activate the client tunnel.

note I suggest configuring this with a different DNS server than 8.8.8.8 or 8.8.4.4.

$ sudo systemctl reload wg-quick@wg0
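The peer step above, as an added example that is not part of the original post: a small shell function that appends a [Peer] block for a new client to the server's configuration and refuses the mistakes the /32 rule guards against, namely an AllowedIPs entry wider than a single /32, a value that does not look like a WireGuard public key, or a key or address that is already assigned to another peer. The server file, the client keys and the extra addresses are constructed stand-ins (10.0.0.2/32 comes from the post); the file is written to a temporary path instead of /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example, not the post's own code: add a client [Peer] to the server's
# wg0.conf while enforcing the /32 rule from the post. The config and keys here
# are constructed stand-ins; the real file lives at /etc/wireguard/wg0.conf.

CONF="${CONF:-$(mktemp)}"

# A WireGuard public key is 32 random bytes in base64: 43 characters plus '='
looks_like_wg_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# Append a peer: $1 conf, $2 client public key, $3 client tunnel address (x.x.x.x/32)
add_peer() {
    local conf="$1" pubkey="$2" allowed="$3"
    looks_like_wg_key "$pubkey" \
        || { echo "rejected: '$pubkey' does not look like a WireGuard public key" >&2; return 1; }
    case "$allowed" in
        *.*.*.*/32) ;;   # one client, one address: nothing wider than /32
        *) echo "rejected: AllowedIPs must be a single /32, got '$allowed'" >&2; return 1 ;;
    esac
    if grep -qF "PublicKey = $pubkey" "$conf"; then
        echo "rejected: that public key is already a peer in $conf" >&2; return 1
    fi
    if grep -qF "AllowedIPs = $allowed" "$conf"; then
        echo "rejected: $allowed is already assigned to another peer" >&2; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed" >> "$conf"
}

# Number of [Peer] blocks currently in $1
peer_count() { grep -c '^\[Peer]' "$1" || true; }

# Constructed server config (placeholder key), then the first client from the post
printf '[Interface]\nAddress = 10.0.0.1/24\nListenPort = 33333\nPrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER\n' > "$CONF"
add_peer "$CONF" "CLIENTPUBKEYPLACEHOLDER00000000000000000000=" 10.0.0.2/32 \
    && echo "$(peer_count "$CONF") peer(s) configured; reload with: sudo systemctl reload wg-quick@wg0"
```

After a successful add_peer on the real file, the reload command above picks up the new peer without dropping the tunnels that are already up.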

Outcomes:

  • Secure Remote Access - securely access your network from anywhere, ensuring data remains protected
  • Internet Privacy - encryption helps protect your online privacy by preventing eavesdropping
  • Faster VPN connections - a lightweight and efficient VPN service results in better speeds and lower latency

Generate QR Codes

$ sudo apt install qrencode

$ qrencode -t ansiutf8 -r "wg0.conf"

Test Connection

$ sudo tcpdump -i wg0

  • You should see a lot of traffic going over the connection, if nothing, then there’s no connection established.

$ wg show

Your device will now connect to the VPN server using WireGuard, encrypting all traffic between your device and the VPN server. Next, you may want to assess outbound traffic from your server, such as by implementing a SOCKS5 proxy.