Posted on Sun 21 July 2019

VPN with Wireguard

Today I spent some time setting up a Wireguard VPN on a Linode VPS.

Overall the process is not too complicated, but there are some things I was confused about initially. Initially I followed the [cached]guide on the Linode website, but then I switched over to this excellent article: [cached]How to setup a VPN server using WireGuard (with NAT and IPv6).

My biggest confusion was about the distinction between the private IP assigned to the server/client within the VPN, and the externally visible IP of the server (the client does not need a public IP). Importantly, the "Address" in the Interface section of the config refers to the VPN internal private IP. This can be anything you want, as long as it's a valid IP on a subnet that's not used for anything else yet.

My final server config (/etc/wireguard/wg0.conf) to enable forwarding all traffic through the server looked like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
[Interface]
Address = 192.168.37.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
AllowedIPs = 192.168.37.2/32

Similarly, on the client:

1
2
3
4
5
6
7
8
9
[Interface]
Address = 192.168.37.2/32
ListenPort = 57841
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
Endpoint = <removed>:51820
AllowedIPs = 0.0.0.0/0,::/0

The only place where you need the public IP of your server is this Endpoint in the client config!

Also, the private IP you pick in the Address field should match what the AllowedIPs.

Tags: security, vpn

© Julian Schrittwieser. Built using Pelican. Theme by Giulio Fidente on github. .