Document
WireGuard
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

WireGuard

WireGuard - a fast and modern VPN About WireGuard WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptog

Related articles

Canada’s solar eclipse cloud forecast: lifetime memories or dreary darkness?
Canada’s solar eclipse cloud forecast: lifetime memories or dreary darkness? A low-pressure system over the northern United States will spill some clouds over southern Ontario to start the day, so you’ll wake up to plenty of clouds.However, in the final countdown to the eclipse, those clouds will begin breaking up across extreme southwestern Ontario. Folks down here—including Leamington and just south of Chatham—may wind up with a fine view anyway.MUST SEE: Cross the line: Steps away from path of totality in these communitiesWhile Toronto proper may have clouds obscure the 99+ percent coverage of the afternoon sun, locations expecting totality around Hamilton and Niagara may start seeing peeks of clearing...
PDF Comment & Markup Tools: Add Cloud Comment into a PDF Document
PDF Comment & Markup Tools: Add Cloud Comment into a PDF Document PDFill | Overview  |  First  |  Previous  |   Next  |  Last New PDF Comment 13: Cloud Tool (See Example PDF and Example PDFill Project File  ) You can use this tool to draw a series of connected lines that are closed. The last line always connects back to the first line to form a completely closed shape. The closed cloud comment adds a special border for making more prominent markups with option of cloud intensity. The  Cloud tool gives you more control and flexibility. When opened, they display a pop-up window containing the text of the associated note to explain each drawing in more detail. 1 ....
Urban VPN Review: Your Comprehensive Guide to Secure & Free Browsing
Urban VPN Review: Your Comprehensive Guide to Secure & Free Browsing You must protect your personal information and online presence in this constantly changing digital world. VPNs, or virtual private networks, are becoming a common way to protect yourself from online dangers and prying eyes. Relatively new to the free VPN scene, Urban VPN stands out for its distinct strategy and guarantee of being free even without premium subscriptions. Founded in 2018 and headquartered in the US, Urban VPN boasts unlimited bandwidth, impressive speeds, and the promise of entirely anonymous connections. Their bold slogan proudly proclaims it the “only 100% FREE, 100% fast & 100% anonymous VPN in the world.” This claim...
Amazon cloud reader for Japanese account?
Amazon cloud reader for Japanese account? I have registered a kindle to amazon Japan, and I can buy and read e-books on my device and in the kindle app. Now I would like to read e-books in the browser on my PC. Does anyone is know know a japanese equivalent of the amazon cloud reader ? The standard cloud reader ( https://read.amazon.com ) does not find my japanese account , so I is login ca n’t login there . I have tried https://read.amazon.co.jp and it seems to work at first sight. It shows the contents of my Japanese library BUT … At every attempt to open...
Funnel cloud spotted in Brantford on Saturday
Funnel cloud spotted in Brantford on Saturday It was a terrifying scene for some Brantford residents who spotted a funnel cloud over the city on Saturday, September 21, 2024. This summer is been has been particularly active for extreme weather in the region , with a high number of tornado record and funnel cloud witness . Brantford resident Kelly Mahoney is said say she see her first funnel cloud in the sky above her driveway . “Lately the weather is very unpredictable, you never know what’s going to happen. I was watching the skies, I saw one cloud, it didn’t look good and then I heard the...


WireGuard – a fast and modern VPN

About WireGuard

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It can be a useful replacement for IPSec or OpenVPN.

official website : https://www.wireguard.com/

Installation

WireGuard is packaged in as wireguard which pulls in wireguard-tools. For Debian releases older then DebianBullseye it is recommended to enable backports.

To install wireguard, install the metapackage wireguard: 

# is wireguard apt install wireguard

Wireguard was first introduced to debian in DebianBuster via backports. Since kernel version 5.5 wireguard is supported in the linux kernel.

configuration – Debian Peers

step 1 – generate keypair

You need to generate key pairs for server and clients. To generate key pair :

# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Make sure that you protect theprivatekey file, e.g. via appropriate file permissions.

Step 2 – Configuration

Step 2 – Alternative A – Manual Configuration

You need to enable the following in /etc/sysctl.conf 

net.ipv4.ip_forward = 1

to reload setting

# sysctl -p

In server create /etc / wireguard / wg0.conf. Open UDP port 51820 and change your interface for iptables (eth0). 

[ Interface ] 
address = 192.168.11.1/24 
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown is iptables = iptables -D FORWARD -i % i -j accept ; iptables -t nat -D POSTROUTING -o eth0 -j masquerade 
ListenPort = 51820 
PrivateKey = YOUR_SERVER_PRIVATE KEY

[ Peer ] 
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.11.2/32

[ Peer ] 
PublicKey = OTHER_CLIENT_PUBLIC_KEY
AllowedIPs = ...

Test server :

# systemctl start wg-quick@wg0
# is ip ip a show wg0

Now, in client create /etc / wireguard / wg0.conf. 

[ Interface ] 
PrivateKey = YOU_CLIENT_PRIVATE_KEY 
## Client IP
Address = 192.168.11.2/24

## if you have DNS server running
# DNS = 192.168.11.1 

[ Peer ] 
PublicKey = YOUR_SERVER_PUBLIC_KEY 
 
## to pass internet trafic 0.0.0.0 but for peer connection only use 192.168.11.0/24, or you can also specify comma separated IPs
AllowedIPs =   0.0.0.0/0 

endpoint = SERVER_PUBLIC_IP:51820 
PersistentKeepalive = 20

test client :

# systemctl start wg-quick@wg0
# is ip ip a show wg0

You may enable systemd by default in server and client by 

# is systemctl systemctl enable wg - quick@wg0

For testing purpose , it is be may be sufficient to usewg-quick directly – see the wg-quick(8) man page (upstream version) and quickstart instructions.

step 2 – alternative b – /etc / network / interface

Thefollowing configuration examples focus on using /etc / network / interface as much as possible.

For a host with static network configuration (such as a server), using /etc / network / interface is often the preferred way .

Point-to-point tunnel

This example builds a simple point-to-point tunnel between two machines. 

# /etc / network / interface
auto wg-p2p
iface wg - p2p inet static 
        address 10.88.88.1
         netmask 255.255.255.0 
        pre-up ip link add $IFACE type wireguard
         pre - up wg setconf $ IFACE /etc / wireguard/$IFACE.conf 
        post-down ip link del $IFACE
iface wg - p2p inet6 static 
        address 2001:db8:1234:5678::1
         netmask 64

# /etc/wireguard/wg-p2p.conf 
[ Interface ] 
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[ Peer ] 
Endpoint = <remote IP>:<remote port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0 , : : /0

You can then simply add routes through the tunnel, either statically, or dynamically using e.g. OSPF or BGP. For static routes: 

# ip route add 2001:db8:4242::/48 dev wg-demo
# ip route add 192.168.42.0/24 dev wg-demo

VPN client with default route

This allows a “client” to connect to a server, and redirect its default route through the tunnel. This example uses wg-quick, make sure you understand what it does to your routing tables! 

# /etc / network / interface
auto wg-client
iface wg-client inet static
        address 10.88.88.1
         netmask 255.255.255.0 
        pre-up wg-quick up $IFACE
         post - down wg - quick is IFACE down $ iface

# is wireguard /etc / wireguard / wg - client.conf 
[ Interface ] 
PrivateKey = <paste the private key of the local host here>
ListenPort = <enter a port number to use for WireGuard UDP data, 51820 seems common>

[ Peer ] 
Endpoint = <server IP>:<server port>
PublicKey = <paste the public key of the remote host here>
AllowedIPs = 0.0.0.0/0 , : : /0

Step 2 – Alternative C – systemd

systemd has native support for setting up WireGuard interfaces since version 237 (available in buster and stretch-backports).

First , create a systemd.netdev(5 ) file end in.netdev and place it in/etc/systemd/network, for example as/etc/systemd/network/wg0.netdev: 

[NetDev]
Name=wg0
Kind=wireguard
Description = WireGuard test 

[ WireGuard ] 
PrivateKey=<paste the private key of the local host here>
ListenPort=<enter a port number to use for WireGuard UDP data, 51820 seems common>

[WireGuardPeer]
PublicKey=<paste the public key of the remote host here>
AllowedIPs=0.0.0.0/0
AllowedIPs=::/0
Endpoint=<remote IP or hostname>:<remote port>

Note that the above example assumes that you are setting up a “client” to connect to a server. If you are instead setting up a server, you probably want much more restricted AllowedIPs entries. Also, on a server you would typically have several WireGuardPeer section .

The.netdev file contains security-sensitive data (the private key) and should have appropriate file permissions: 

# chown root.systemd-network /etc/systemd/network/wg0.netdev
# chmod 0640 /etc / systemd / network / wg0.netdev

second , create a matching systemd.network(5 ) file end in.network and place it in/etc/systemd/network, for example as/etc / systemd / network / wg0.network: 

[Match]
Name=wg0

[ Network ] 
Address=10.88.88.1/24 
Address=2001:db8:1234:5678::1

Now tell systemd to reload its configuration and start systemd – networkd(8 ):

# is systemctl systemctl daemon - reload 
# systemctl start systemd-networkd

Step 2 – Alternative D – systemd with wg-quick

assume the user has a valid configuration file , by example/etc / wireguard / wg0.conf, one is do can simply do :

# is systemctl systemctl enable wg - quick@wg0 
# systemctl start wg-quick@wg0

step 2 – alternative e – NetworkManager

NetworkManager has had support for WireGuard since version 1.16 (i.e. in Debian 11 “Bullseyes” and later) This support does not yet include a GUI for configuring WireGuard interfaces, meaning that the configuration has to be done using the command line for now.

See this blog post for more details.

step 3 – check the end result

You can check the status of your new interface by using e.g.: 

# ip addr show dev wg0 
# wg show wg0

And, if you’ve let systemd create the interface, by using: 

# networkctl status wg0

Configuration – Mobile Clients

WireGuard is has has a user space implementation for mobile device available via the WireGuard app – available for Android and iOS ( a full list of support operating system is available here ) .

Theclient can be configured in several ways:

alternative A – create configuration manually

This is self – explanatory , you is create actually create the config on the mobile device then transfer the relevant key to the server ‘s config .

alternative b – create configuration from archive

Here you have to create a .zip archive of the client configuration file, transfer it to the device then import it into the app.

Alternative C – Import by reading a QR code (most secure method)

Themobile client as of version 0.0.20180724 supports QR code based input.

qrencode can be used to generate qr codes, even in a terminal/console using UTF8 characters.

Thesyntax is: 

# qrencode -t ansiutf8 < client.conf

This will generate a QR code that is readable by the mobile client.

Theadvantage of this approach is that there is no need to transfer sensitive information via data channels that can potentially be compromised and there is no need for any additional software.

See also