diff --git a/README.md b/README.md index 1ad5131..6642f1d 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,128 @@ -# wireguard-with-systemd +# Client side on Ubuntu/Debian +On a client computer, install wireguard +`sudo apt-get install wireguard` + +Generate a new key pair +`wg genkey | tee privatekey | wg pubkey > publickey` + +Restrict the access for the privatekey +`chmod o-r privatekey` + +Create a new configuration file in the `/etc/wireguard` directory +- Set DNS server (that resolves hostnames in the VPN network) +- Set the client IP placeholder XXX (i.e. 2-254) +- Set your private key `cat privatekey` +- Sent your publickey to the WireGuard server's admin `cat publickey` +- Ask the WireGuard server's admin for the server's public key and set it +- Set the WireGuard server's hostname or public IP address + +```bash +sudo tee /etc/wireguard/wg0.conf < +DNS = 10.0.0.1 + +[Peer] +PublicKey = +Endpoint = :51820 +AllowedIPs = 10.0.0.0/16, 192.168.2.0/24 +EOF +``` + +Note that setting AllowedIPs to `0.0.0.0/0` will forward all traffic over the WireGuard VPN connection. Traffic can be restricted to specific networks only + +Create QR code of the configuration install qrencode +`sudo apt install qrencode` + +Generate the QR code +`qrencode -t png -o foo-android.png -r wg0.conf` + +Display the image +`xdg-open foo-android.png` + +Use the system command to start WireGuard as a service +`sudo systemctl start wg-quick@wg0` + +To disconnect +`sudo systemctl stop wg-quick@wg0` + +See the status of the WireGuard +`systemctl status wg-quick@wg0` + +In case of an error `resolvconf not found`, install `openresolv` +`sudo apt install openresolv` + +Enable to start VPN after the boot +`sudo systemctl enable wg-quick@wg0` + +Repeat these steps on each client you want to connect to the WireGuard server + +Folow this guide https://www.makeuseof.com/how-to-install-wireguard-vpn-client/ to configure VPN clients on different systems such as +- Windows +- MacOS +- Other Linux distros +- iOS +- Android + +# Server side + +Install wireguard +`sudo apt-get install wireguard` + +## 
If you want to allow VPN clients to be able to access the Internet (they can choose not to using AllowedIPs) allow IP forward +Open the system variables file for editing +`sudo nano /etc/sysctl.conf` + +Then uncomment the following line by removing the # at the beginning of the line +`net.ipv4.ip_forward=1` + +Then apply the new option with the command below +`sudo sysctl -p` + +## Setup Wireguard server + +Generate a new key pair +`wg genkey | tee privatekey | wg pubkey > publickey` + +Restrict the access for the privatekey +`chmod o-r privatekey` + +Create a new configuration file in the `/etc/wireguard` directory +- Set DNS server (that resolves hostnames in the VPN network) +- Set your server's private key +- Ask users for their public keys and add for each a `[peer]` section +- Set the client IP placeholder XXX (i.e. 2-254) +- Set the WireGuard server's hostname or public IP address + +```bash +sudo tee /etc/wireguard/wg0.conf < +PostUp = ufw allow 51820/udp +PostUp = iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE +PostDown = iptables -t nat -D POSTROUTING -s 192.168.2.0/255.255.255.0 -o wan -j MASQUERADE + +[Peer] +# foo's android phone +PublicKey = +AllowedIPs = 192.168.2.XXX/32 +PersistentKeepalive = 25 +``` + +Note that setting PostUp and PostDown is only neccessary to allow client to forward internet traffic over the WireGuard server + +Use the system command to start WireGuard as a service +`sudo systemctl start wg-quick@wg0` + +To disconnect +`sudo systemctl stop wg-quick@wg0` + +See the status of the WireGuard +`systemctl status wg-quick@wg0` + +Enable to start VPN after the boot +`sudo systemctl enable wg-quick@wg0` \ No newline at end of file
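Review bot: the server `PostUp` rules only add the MASQUERADE entry and open 51820/udp, which is not enough for "allow client to forward internet traffic" once ufw is active (and the `ufw allow 51820/udp` line implies it is): ufw's FORWARD chain defaults to DROP, so a client with `AllowedIPs = 0.0.0.0/0` will still have no Internet access. Add a forward rule alongside the NAT one, e.g. `PostUp = iptables -A FORWARD -i wg0 -j ACCEPT` with the matching `PostDown = iptables -D FORWARD -i wg0 -j ACCEPT` (or `ufw route allow in on wg0 out on wan`), and check the `-o wan` interface name with `ip route get 1.1.1.1` since most Debian/Ubuntu hosts name it eth0/ensX. `PostUp = ufw allow 51820/udp` also adds a persistent rule on every interface start with no `PostDown`; it belongs in the one-time setup steps instead. In the key handling, `chmod o-r privatekey` still leaves the file group-readable; run `umask 077` before `wg genkey` (or `chmod 600 privatekey`) and apply the same to `/etc/wireguard/wg0.conf` and to `foo-android.png`, both of which embed the private key. The QR step also reads `wg0.conf` from the current directory although the file was written to `/etc/wireguard/wg0.conf`, and it copies one key pair onto a second device; each device should get its own key pair and its own `[Peer]` block, because two devices sharing a key make the server's endpoint for that peer flap between them. As rendered, both heredocs after `sudo tee /etc/wireguard/wg0.conf <` show no `[Interface]`, `PrivateKey` or `Address` line (nor `ListenPort` on the server) and the values after `PublicKey =` and `Endpoint =` are blank; if the placeholders are written in angle brackets they are being swallowed, so spell them out as plain tokens like `SERVER_PUBLIC_KEY` and `SERVER_HOSTNAME`. Smaller points: `PersistentKeepalive = 25` is only useful on the NAT'd side (the client's `[Peer]`), the "Set DNS server" and "Set the WireGuard server's hostname or public IP address" bullets in the server section describe client settings, and "Folow", "neccessary" and "Sent your publickey" should read "Follow", "necessary" and "Send your publickey".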