WireGuard - Hidden Path In The Shades


Virtual Private Networks aren't for watching streams.

VPNs secure connections. They encrypt your data flow.

Once they connected networks.
Today they protect information and privacy.

A VPN isn't optional anymore.
It's your shield against prying eyes.

Without it your ISP can observe too much:

  • browsing habits
  • downloads
  • protocols

With a consumer VPN you shift your trust to your provider.

Or you host your own VPN service - putting the trust in yourself and your hosting.

Guard Your Wires - Protect The Flow

WireGuard is a modern VPN protocol.
It's simple, fast and secure.
It's part of the Linux kernel.

The Server

Install the wireguard package:

sudo apt install wireguard

Generate the server keys:

wg genkey > server_private.key
wg pubkey < server_private.key > server_public.key
sudo mv *.key /etc/wireguard/

Protect the keys with hardened permissions:

sudo chmod 400 /etc/wireguard/{server_private.key,server_public.key}
sudo chown root:root /etc/wireguard/{server_private.key,server_public.key}

In the following examples:

  • Replace the IP address with your IP.
  • Replace the interface with your LAN interface.

Enable IP forwarding:

echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/wireguard.conf
sudo sysctl --system

In /etc/ufw/sysctl.conf, set:

net.ipv4.ip_forward=1

In /etc/ufw/before.rules, add this block before the *filter line:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.20.0/24 -o enp1s0 -j MASQUERADE
COMMIT

Allow routing through the tunnel and open the WireGuard port in UFW:

sudo ufw route allow in on wg0 out on enp1s0
sudo ufw allow 51820/udp

Reload the UFW configuration:

sudo ufw disable
sudo ufw enable

WireGuard server configuration:

Minimal server configuration in /etc/wireguard/wg0.conf:

# Server configuration
[Interface]
PrivateKey = 
Address = 10.20.20.1/24
ListenPort = 51820
SaveConfig = false

# Client's config
[Peer]
PublicKey = e2V40zdPiX43lqOamcoEI8J10uKaXWBeKwf+spWDWgc=
AllowedIPs = 10.20.20.2/32

Harden the file permissions:

sudo chmod 600 /etc/wireguard/wg0.conf

Start and enable the service:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Verify the service:

sudo systemctl status wg-quick@wg0.service

The Clients

Install the wireguard package.

Generate the key pair as on the server.
Harden their permissions.

Install the resolvconf package (optional on some systems):

sudo apt install resolvconf

WireGuard client configuration:

Minimal client config in /etc/wireguard/wg-ds.conf:

# Client's configuration
[Interface]
PrivateKey = 
Address = 10.20.20.2/32
SaveConfig = true

# Server's configuration
[Peer]
PublicKey = tInj/aAAZIkv8RWzAyXq5ngbO9OUPz+Fkbog7LkgQzQ=
Endpoint = :51820
AllowedIPs = 10.20.20.0/24, 192.168.100.0/24
PersistentKeepalive = 25

PersistentKeepalive is crucial for services behind NAT.

Don't forget the hardening:

sudo chmod 600 /etc/wireguard/wg-ds.conf
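A small check to run over either config (server wg0.conf or client wg-ds.conf) before wg-quick loads it. This is an added example, not code from the post or from WireGuard; wg_conf_check, write_demo_confs and the demo files are assumptions, and the keys in the demo are the post's own public keys reused as placeholders.

```sh
#!/bin/sh
# wg_conf_check: sanity-check a WireGuard config before wg-quick loads it.
# Verifies what the post hardens by hand: owner-only mode, headers that read
# exactly [Interface]/[Peer] (wg-quick matches them literally), a filled-in
# PrivateKey, and PublicKey + AllowedIPs on every peer. Returns 0 when clean.
wg_conf_check() {
    conf="$1"; rc=0
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "$conf: mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    if grep '^[[:space:]]*\[' "$conf" | grep -Evq '^\[(Interface|Peer)\]$'; then
        echo "$conf: section header must read exactly [Interface] or [Peer]"; rc=1
    fi
    if [ "$(grep -c '^\[Interface\]$' "$conf")" -ne 1 ]; then
        echo "$conf: expected exactly one [Interface] section"; rc=1
    fi
    # A Curve25519 key is 32 bytes: 43 base64 characters plus one '='.
    if ! grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}=[[:space:]]*$' "$conf"; then
        echo "$conf: PrivateKey missing or not a 44-character base64 key"; rc=1
    fi
    awk 'BEGIN { bad = 0 }
         /^\[/ { if (peer && !(pk && ai)) bad++; peer = ($0 == "[Peer]"); pk = ai = 0; next }
         peer && /^[[:space:]]*PublicKey[[:space:]]*=[[:space:]]*[A-Za-z0-9+\/]/ { pk = 1 }
         peer && /^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*[0-9a-fA-F:]/ { ai = 1 }
         END { if (peer && !(pk && ai)) bad++; exit bad }' "$conf" \
        || { echo "$conf: a [Peer] lacks PublicKey or AllowedIPs"; rc=1; }
    return "$rc"
}

# Constructed demo data (hypothetical): the post's server config with a
# placeholder PrivateKey (a public key from the post, not a real private key).
write_demo_confs() {
    dir="$1"
    printf '%s\n' '[Interface]' 'PrivateKey = e2V40zdPiX43lqOamcoEI8J10uKaXWBeKwf+spWDWgc=' \
        'Address = 10.20.20.1/24' 'ListenPort = 51820' '' '[Peer]' \
        'PublicKey = tInj/aAAZIkv8RWzAyXq5ngbO9OUPz+Fkbog7LkgQzQ=' \
        'AllowedIPs = 10.20.20.2/32' > "$dir/good.conf"
    # The same file with a spaced "[ Interface]" header and an empty PrivateKey.
    sed -e 's/^\[Interface\]$/[ Interface]/' -e 's/^PrivateKey = .*/PrivateKey = /' \
        "$dir/good.conf" > "$dir/bad.conf"
    chmod 600 "$dir/good.conf" "$dir/bad.conf"
}

demo=$(mktemp -d); write_demo_confs "$demo"
wg_conf_check "$demo/good.conf" && echo "good.conf: ok"
wg_conf_check "$demo/bad.conf" || echo "bad.conf: rejected as expected"
rm -rf "$demo"
```

Run it against /etc/wireguard/wg0.conf (or wg-ds.conf) as root; a non-zero exit lists what to fix before `wg-quick up`.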

Bring up the connection:

sudo wg-quick up wg-ds

Verify it:

sudo wg show

Bring the connection down when you don't need it:

sudo wg-quick down wg-ds

Final Whisper

This configuration protects your communication between the client and the server.

What leaves the server is observable.
The trace leads back to it.

A VPN is not anonymity. It's more privacy.

[ Fear the Silence. Fear the Switch. ]