From eff9a304c221631aae5d27bbce771fd3df89abec Mon Sep 17 00:00:00 2001 From: leslitagordita Date: Mon, 1 Apr 2019 09:26:39 -0400 Subject: [PATCH 1/4] Deploy WireGuard with One-Click draft --- .../index.md | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md diff --git a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md new file mode 100644 index 00000000000..56ecdfcb493 --- /dev/null +++ b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md 
@@ -0,0 +1,103 @@ +--- +author: + name: Linode Community + email: docs@linode.com +description: 'Deploy a WireGuard Server on Linode with One-Click Apps.' +keywords: ['vpn','wireguard','tunnel'] +license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' +published: 2019-03-28 +modified: 2019-03-28 +modified_by: + name: Linode +title: "Deploy WireGuard with One-Click Apps" +contributor: + name: Linode +external_resources: +- '[WireGuard Quick Start](https://www.wireguard.com/quickstart/)' +--- +## WireGuard One-Click App + +WireGuard is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, with its much smaller source code footprint. + +Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server's configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like `eth0`. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip. + +## Deploy WireGuard with One-Click Apps + +{{< content deploy-one-click-apps >}} + +### WireGuard Options + +{{< note >}} +We recommend that you have your WireGuard client's public key available before deploying a WireGuard server. If you deploy a WireGuard server without your client's public key, you will need to [connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh) and manually update and enable the `wg0.conf` file. For details on manually configuring your WireGuard server's configuration file, see the [Configure Wiregard Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server) section of our WireGuard guide. 
+{{}} + +| **Field** | **Description** | +|:--------------|:------------| +| **SSH Key** | Your SSH public key. *Advanced Configuration*. | +| **Port** | Set your WireGuard server's listening port number. The default is: `51820`. *Advanced Configuration*. | +| **Private IP** | Your WireGuard server's private IP address and subnet in CIDR notation. The default is: `192.0.2.0/24`. *Advanced Configuration*. | +| **Public Key (Client)** | Your WireGuard client's public key. *Advanced Configuration* | +| **Private IP (Client)** | Your WireGuard client's private IP address and subnet in CIDR notation. The default is: `192.0.2.1/24`. *Advanced Configuration* | + +### Linode Options + +After providing the app specific options, provide configurations for your Linode server: + +| **Configuration** | **Description** | +|:--------------|:------------| +| **Select an Image** | Debian 9 is currently the only image supported by WireGuard One-Click Apps, and it is pre-selected on the Linode creation page.. *Required* | +| **Region** | The region where you would like your Linode to reside. In general, it's best to choose a location that's closest to you. For more information on choosing a DC, review the [How to Choose a Data Center](/docs/platform/how-to-choose-a-data-center) guide. You can also generate [MTR reports](/docs/networking/diagnostics/diagnosing-network-issues-with-mtr/) for a deeper look at the network routes between you and each of our data centers. *Required*.* | +| **Linode Plan** | Your Linode's [hardware resources](/docs/platform/how-to-choose-a-linode-plan/#hardware-resource-definitions). You can use any size Linode for your WireGuard App. The Linode plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN. You can create your VPN on a Nanode 1GB or a Linode 2GB with low risk for performance hits, unless you expect intensive data transfer to happen on your VPN. 
*Required* | +| **Linode Label** | The name for your Linode, which must be unique between all of the Linodes on your account. This name will be how you identify your server in the Cloud Manager’s Dashboard. *Required*. | +| **Root Password** | The primary administrative password for your Linode instance. This password must be provided when you log in to your Linode via SSH. It must be at least 6 characters long and contain characters from two of the following categories: lowercase and uppercase case letters, numbers, and punctuation characters. Your root password can be used to perform any action on your server, so make it long, complex, and unique. *Required* | + +When you've provided all required Linode Options, click on the **Create** button. **Your WireGuard app will complete installation anywhere between 2-5 minutes after your Linode has finished provisioning**. + +### Getting Started After Deployment + +#### Test Your WireGuard Client's Connection + +This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client's peer information. See the [WireGuard client](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#wireguard-client) section of our WireGuard guide for more information on setting up a client. + +1. Access your WireGuard client and ping the WireGuard server. Replace `192.0.2.0` with your WireGuard server's public IP address: + + ping 192.0.2.0 + +1. Use the WireGuard utility to verify your client's latest handshake: + + wg show + + The last two lines of the output from running the wg command should be similar to: + + {{< output >}} +latest handshake: 1 minute, 17 seconds ago +transfer: 98.86 KiB received, 43.08 KiB sent + {{}} + +#### Update the WireGuard Server's Configuration File + +The location of your WireGuard configuration file is `/etc/wireguard/wg0.conf`. To update the values in this file: + +1. 
[Connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh). + +1. Bring down the `wg0` interface: + + wg-quick down wg0 + +1. Open the `/etc/wireguard/wg0.conf` file and update as needed. Save your changes when done. + +1. Bring the `wg0` interface back up: + + wg-quick up wg0 + + {{< note >}} + `wg-quick` is a convenient wrapper for many of the common functions in `wg`. To learn more about all the available commands for each utility, issue the `wg --help` and `wg-quick --help` commands from your Linode's command line. + {{}} + + +### Software Included + +| **Software** | **Description** | +|:--------------|:------------| +| **WireGuard** | VPN software | +| **UFW (UncomplicatedFireWall** | Firewall utility. The Port assigned during the [WireGuard Options](#wireguard-options) step of the deployment will allow outgoing and incoming traffic. | From 87012753ec55ff23a07de5887ab542ec58d7d31f Mon Sep 17 00:00:00 2001 From: leslitagordita Date: Tue, 2 Apr 2019 16:27:05 -0400 Subject: [PATCH 2/4] Fix vale error --- .../one-click/deploy-wireguard-with-one-click-apps/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md index 56ecdfcb493..f1579f2d09c 100644 --- a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md +++ b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md 
@@ -28,7 +28,7 @@ Configuring WireGuard is as simple as configuring SSH. A connection is establish ### WireGuard Options {{< note >}} -We recommend that you have your WireGuard client's public key available before deploying a WireGuard server. If you deploy a WireGuard server without your client's public key, you will need to [connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh) and manually update and enable the `wg0.conf` file. For details on manually configuring your WireGuard server's configuration file, see the [Configure Wiregard Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server) section of our WireGuard guide. +We recommend that you have your WireGuard client's public key available before deploying a WireGuard server. If you deploy a WireGuard server without your client's public key, you will need to [connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh) and manually update and enable the `wg0.conf` file. For details on manually configuring your WireGuard server's configuration file, see the [Configure WireGuard Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server) section of our WireGuard guide. {{}} | **Field** | **Description** | From 7d74167e746e2cae05e10dbe9cfc43d12ab2f939 Mon Sep 17 00:00:00 2001 From: nmelehan Date: Sun, 7 Apr 2019 02:46:09 -0400 Subject: [PATCH 3/4] Tech/copy edit --- .../index.md | 106 ++++++++++++------ 1 file changed, 69 insertions(+), 37 deletions(-) diff --git a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md index f1579f2d09c..bf04cc3ed3e 100644 --- a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md +++ b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md 
@@ -14,10 +14,11 @@ contributor: name: Linode external_resources: - '[WireGuard Quick Start](https://www.wireguard.com/quickstart/)' +- '[WireGuard Conceptual Overview](https://www.wireguard.com/#conceptual-overview)' --- ## WireGuard One-Click App -WireGuard is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, with its much smaller source code footprint. +WireGuard is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, and it has a much smaller source code footprint. Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server's configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like `eth0`. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip. 
@@ -28,76 +29,107 @@ Configuring WireGuard is as simple as configuring SSH. A connection is establish ### WireGuard Options {{< note >}} -We recommend that you have your WireGuard client's public key available before deploying a WireGuard server. If you deploy a WireGuard server without your client's public key, you will need to [connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh) and manually update and enable the `wg0.conf` file. For details on manually configuring your WireGuard server's configuration file, see the [Configure WireGuard Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server) section of our WireGuard guide. +The WireGuard One-Click form includes a field for your WireGuard client's *public key*. If you have already installed the WireGuard software on your client prior to setting up your WireGuard One-Click App, then you may have also [generated this public key](https://www.wireguard.com/quickstart/#key-generation). If you do have this key, you can enter it into the app's creation form, and your server's configuration will be pre-populated with the key. Please note that a public key generated by WireGuard will not resemble [a public key that you might use for SSH connections](/docs/security/authentication/use-public-key-authentication-with-ssh/); when in doubt, leave the form's **Public Key (Client)** field blank. + +If you do not have this key, you can leave this field blank. After the app is deployed, visit the [Configure and Connect your WireGuard Client and Server](#configure-and-connect-your-wireguard-client-and-server) section to generate a key and then insert it into your server's configuration. After you complete these instructions you should be able to [test](#test-your-wireguard-client-s-connection) and use your WireGuard connection. {{}} -| **Field** | **Description** | -|:--------------|:------------| -| **SSH Key** | Your SSH public key. *Advanced Configuration*. 
| +| **Field**                                  | **Description** | +|-----------|-----------------| +| **SSH Key** | Your SSH [public key](/docs/security/authentication/use-public-key-authentication-with-ssh/). The public key will be stored in the `/root/.ssh/authorized_keys` file on your Linode, and you will be able to use it to login as root over SSH. *Advanced Configuration*. | | **Port** | Set your WireGuard server's listening port number. The default is: `51820`. *Advanced Configuration*. | -| **Private IP** | Your WireGuard server's private IP address and subnet in CIDR notation. The default is: `192.0.2.0/24`. *Advanced Configuration*. | -| **Public Key (Client)** | Your WireGuard client's public key. *Advanced Configuration* | -| **Private IP (Client)** | Your WireGuard client's private IP address and subnet in CIDR notation. The default is: `192.0.2.1/24`. *Advanced Configuration* | +| **Private IP** | Your WireGuard server's private IP address and subnet in CIDR notation. The default is: `192.168.2.1/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. | +| **Public Key (Client)** | Your WireGuard client's public key. *Advanced Configuration*. | +| **Private IP (Client)** | Your WireGuard client's private IP address and subnet in CIDR notation. The default is: `192.168.2.2/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. 
| ### Linode Options -After providing the app specific options, provide configurations for your Linode server: +After providing the app-specific options, provide configurations for your Linode server: | **Configuration** | **Description** | -|:--------------|:------------| -| **Select an Image** | Debian 9 is currently the only image supported by WireGuard One-Click Apps, and it is pre-selected on the Linode creation page.. *Required* | -| **Region** | The region where you would like your Linode to reside. In general, it's best to choose a location that's closest to you. For more information on choosing a DC, review the [How to Choose a Data Center](/docs/platform/how-to-choose-a-data-center) guide. You can also generate [MTR reports](/docs/networking/diagnostics/diagnosing-network-issues-with-mtr/) for a deeper look at the network routes between you and each of our data centers. *Required*.* | +|-------------------|-----------------| +| **Select an Image** | Debian 9 is currently the only image supported by the WireGuard One-Click App, and it is pre-selected on the Linode creation page. *Required* | +| **Region** | The region where you would like your Linode to reside. In general, it's best to choose a location that's closest to you. For more information on choosing a DC, review the [How to Choose a Data Center](/docs/platform/how-to-choose-a-data-center) guide. You can also generate [MTR reports](/docs/networking/diagnostics/diagnosing-network-issues-with-mtr/) for a deeper look at the network routes between you and each of our data centers. *Required*. | | **Linode Plan** | Your Linode's [hardware resources](/docs/platform/how-to-choose-a-linode-plan/#hardware-resource-definitions). You can use any size Linode for your WireGuard App. The Linode plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN. 
You can create your VPN on a Nanode 1GB or a Linode 2GB with low risk for performance hits, unless you expect intensive data transfer to happen on your VPN. *Required* | | **Linode Label** | The name for your Linode, which must be unique between all of the Linodes on your account. This name will be how you identify your server in the Cloud Manager’s Dashboard. *Required*. | | **Root Password** | The primary administrative password for your Linode instance. This password must be provided when you log in to your Linode via SSH. It must be at least 6 characters long and contain characters from two of the following categories: lowercase and uppercase case letters, numbers, and punctuation characters. Your root password can be used to perform any action on your server, so make it long, complex, and unique. *Required* | When you've provided all required Linode Options, click on the **Create** button. **Your WireGuard app will complete installation anywhere between 2-5 minutes after your Linode has finished provisioning**. -### Getting Started After Deployment +## Getting Started after Deployment -#### Test Your WireGuard Client's Connection +### Configure and Connect your WireGuard Client and Server -This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client's peer information. See the [WireGuard client](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#wireguard-client) section of our WireGuard guide for more information on setting up a client. +After your One-Click App has provisioned your WireGuard server, you can proceed with setting up your WireGuard client and establishing a connection to the server. -1. Access your WireGuard client and ping the WireGuard server. Replace `192.0.2.0` with your WireGuard server's public IP address: +If you did not provide a public key for WireGuard when you first set up your One-Click App, you will need to follow the next set of steps. 
These instructions will set up your client and inform your server of your client's public key. If you did provide a public key when deploying the One-Click App and have set up your client, skip to the second collection of steps in this section. - ping 192.0.2.0 +1. Follow the [WireGuard Client](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#wireguard-client) section of our WireGuard guide to generate a public/private keypair for your client, and to set up the WireGuard network interface configuration on your client. -1. Use the WireGuard utility to verify your client's latest handshake: +1. [Connect to your One-Click App's Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh). - wg show +1. Bring down the `wg0` interface on the server: - The last two lines of the output from running the wg command should be similar to: + wg-quick down wg0 + +1. Open the `/etc/wireguard/wg0.conf` file. You will see a line that reads `PublicKey =`. Add your client's public key to this line and save the file. + +1. Bring the `wg0` interface back up on the server: + + wg-quick up wg0 + + {{< note >}} +`wg-quick` is a convenient wrapper for many of the common functions in `wg`. To learn more about all the available commands for each utility, issue the `wg --help` and `wg-quick --help` commands from your Linode's command line. +{{}} + +You should now have your server configuration completed. At this point, you still need to complete your client's configuration; specifically, you need to add your server as a peer to the client: + +1. [Connect to your One-Click App's Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh). + +1. Just like your client, your server also has a public/private keypair of its own. Use the `grep` command to get the value of your server's private key from its configuration: + + grep PrivateKey /etc/wireguard/wg0.conf + +1. 
You should see output similar to the following: {{< output >}} -latest handshake: 1 minute, 17 seconds ago -transfer: 98.86 KiB received, 43.08 KiB sent - {{}} +PrivateKey = AH2SpJVfM174dqyG5srCzc1l6uHBsoADGGifP7T0flk= +{{< /output >}} + +1. Run this command to translate the server's private key into its public key: -#### Update the WireGuard Server's Configuration File + grep PrivateKey /etc/wireguard/wg0.conf | cut -d' ' -f3 | wg pubkey -The location of your WireGuard configuration file is `/etc/wireguard/wg0.conf`. To update the values in this file: +1. You should see a random string similar to: -1. [Connect to your Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh). + {{< output >}} +ZlV8LQ+KbY0lj/UEfKsCJKy1nGNUUGRHS/+7VKZnSUM= +{{< /output >}} -1. Bring down the `wg0` interface: +1. Copy this value (which is your server's public key), then use it to complete steps 1 and 2 of the [Connect the Client and Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#connect-the-client-and-server) of our WireGuard guide. Enter your server's private WireGuard IP (using the `/24` CIDR notation) as the value for the `AllowedIPs` setting. These steps will establish the server as the client's peer. - wg-quick down wg0 +### Test your WireGuard Client's Connection -1. Open the `/etc/wireguard/wg0.conf` file and update as needed. Save your changes when done. +This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client's peer information: -1. Bring the `wg0` interface back up: +1. Access your WireGuard client and ping the WireGuard server. Replace `192.168.2.1` with the private IP address you assigned to the WireGuard server in the One-Click App creation form: - wg-quick up wg0 + ping 192.168.2.1 - {{< note >}} - `wg-quick` is a convenient wrapper for many of the common functions in `wg`. 
To learn more about all the available commands for each utility, issue the `wg --help` and `wg-quick --help` commands from your Linode's command line. - {{}} +1. Use the WireGuard utility to verify your client's latest handshake: + + wg show + + The last two lines of the output from running the wg command should be similar to: + {{< output >}} +latest handshake: 1 minute, 17 seconds ago +transfer: 98.86 KiB received, 43.08 KiB sent +{{}} ### Software Included | **Software** | **Description** | -|:--------------|:------------| -| **WireGuard** | VPN software | -| **UFW (UncomplicatedFireWall** | Firewall utility. The Port assigned during the [WireGuard Options](#wireguard-options) step of the deployment will allow outgoing and incoming traffic. | +|--------------|-----------------| +| [**WireGuard**](https://www.wireguard.com) | VPN software. | +| [**UFW (UncomplicatedFireWall)**](https://wiki.ubuntu.com/UncomplicatedFirewall) | Firewall utility. The Port assigned during the [WireGuard Options](#wireguard-options) step of the deployment will allow outgoing and incoming traffic. | From 40230e2a7dd00b6cf338114e33f1aa96fa74222e Mon Sep 17 00:00:00 2001 From: nmelehan Date: Mon, 8 Apr 2019 15:05:44 -0400 Subject: [PATCH 4/4] Explain new form fields, rename some existing fields --- .../index.md | 67 +++++++++++++------ 1 file changed, 48 insertions(+), 19 deletions(-) diff --git a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md index bf04cc3ed3e..cc04e584e4e 100644 --- a/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md +++ b/docs/platform/one-click/deploy-wireguard-with-one-click-apps/index.md 
@@ -6,7 +6,6 @@ description: 'Deploy a WireGuard Server on Linode with One-Click Apps.' keywords: ['vpn','wireguard','tunnel'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' published: 2019-03-28 -modified: 2019-03-28 modified_by: name: Linode title: "Deploy WireGuard with One-Click Apps" 
@@ -15,32 +14,45 @@ contributor: external_resources: - '[WireGuard Quick Start](https://www.wireguard.com/quickstart/)' - '[WireGuard Conceptual Overview](https://www.wireguard.com/#conceptual-overview)' +- '[WireGuard man page](https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html)' --- + ## WireGuard One-Click App WireGuard is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, and it has a much smaller source code footprint. Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server's configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like `eth0`. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip. +The WireGuard One-Click App will create a Linode instance and set up a WireGuard network device named `wg0` on it. This device will have a simple configuration which can send and receive traffic to/from a single WireGuard peer (which will also be referred to as your WireGuard *client*). + +{{< note >}} +The peer configurations provided by the One-Click App and this guide will allow you to directly connect your WireGuard server and client. This configuration will *not* enable forwarding of all of your client's traffic through the WireGuard server to the public Internet (though that arrangement is possible with WireGuard). + +Your WireGuard configuration can be adjusted after you first set up your One-Click App; review the [WireGuard man page](https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html) for more information about the options that are available. 
+{{< /note >}} + ## Deploy WireGuard with One-Click Apps {{< content deploy-one-click-apps >}} ### WireGuard Options +The WireGuard One-Click form includes fields for your WireGuard client's [*public key*](https://www.wireguard.com/quickstart/#key-generation), and for your client's *endpoint IP* (which is your client's public IP address). If you have already set up your client and installed the WireGuard software on it prior to setting up your WireGuard One-Click App, then you may already have this information. If you do have the key and the endpoint IP for the client, you can enter them into the app's creation form, and your server's configuration will be pre-populated with those values. + {{< note >}} -The WireGuard One-Click form includes a field for your WireGuard client's *public key*. If you have already installed the WireGuard software on your client prior to setting up your WireGuard One-Click App, then you may have also [generated this public key](https://www.wireguard.com/quickstart/#key-generation). If you do have this key, you can enter it into the app's creation form, and your server's configuration will be pre-populated with the key. Please note that a public key generated by WireGuard will not resemble [a public key that you might use for SSH connections](/docs/security/authentication/use-public-key-authentication-with-ssh/); when in doubt, leave the form's **Public Key (Client)** field blank. +Please note that a public key generated by WireGuard will not resemble [a public key that you might use for SSH connections](/docs/security/authentication/use-public-key-authentication-with-ssh/); when in doubt, leave the form's **Public Key (Client)** field blank. +{{< /note >}} -If you do not have this key, you can leave this field blank. 
After the app is deployed, visit the [Configure and Connect your WireGuard Client and Server](#configure-and-connect-your-wireguard-client-and-server) section to generate a key and then insert it into your server's configuration. After you complete these instructions you should be able to [test](#test-your-wireguard-client-s-connection) and use your WireGuard connection. -{{}} +If you do not have the values for these fields, you can leave them empty. After the app is deployed, visit the [Configure and Connect your WireGuard Client and Server](#configure-and-connect-your-wireguard-client-and-server) section to set up your client and generate a key. The instructions in that section will also show you how to insert the key and the endpoint IP for your client into your server's configuration. | **Field**                                  | **Description** | |-----------|-----------------| | **SSH Key** | Your SSH [public key](/docs/security/authentication/use-public-key-authentication-with-ssh/). The public key will be stored in the `/root/.ssh/authorized_keys` file on your Linode, and you will be able to use it to login as root over SSH. *Advanced Configuration*. | | **Port** | Set your WireGuard server's listening port number. The default is: `51820`. *Advanced Configuration*. | -| **Private IP** | Your WireGuard server's private IP address and subnet in CIDR notation. The default is: `192.168.2.1/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. | -| **Public Key (Client)** | Your WireGuard client's public key. *Advanced Configuration*. | -| **Private IP (Client)** | Your WireGuard client's private IP address and subnet in CIDR notation. The default is: `192.168.2.2/24`. 
This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. | +| **Tunnel IP** | Your WireGuard server's tunnel IP address and subnet in CIDR notation. The default is: `10.0.1.1/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. | +| **WireGuard Public Key (Client)** | Your WireGuard client's public key. *Advanced Configuration*. | +| **Tunnel IP (Client)** | Your WireGuard client's tunnel IP address and subnet in CIDR notation. The default is: `10.0.1.2/24`. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. *Advanced Configuration*. | +| **Endpoint IP (Client)** | The Internet address of your WireGuard client. If your WireGuard client is another Linode, then the Endpoint IP is the public IP of that Linode, which is visible in the Linode's dashboard in the Linode Cloud Manager. *Advanced Configuration*. | ### Linode Options 
@@ -72,7 +84,11 @@ If you did not provide a public key for WireGuard when you first set up your One wg-quick down wg0 -1. Open the `/etc/wireguard/wg0.conf` file. You will see a line that reads `PublicKey =`. Add your client's public key to this line and save the file. +1. Open the `/etc/wireguard/wg0.conf` file in a text editor ([nano](/docs/quick-answers/linux/use-nano-to-edit-files-in-linux/), for example). + +1. You will see a line that reads `PublicKey = ` under the `[Peer]` section. Append your client's public key to this line. + +1. You will also see a line that reads `Endpoint = `. Append your client's Internet address to this line and then save the file. If your WireGuard client is also a Linode, user your Linode's public IP. If your client is on your home computer, visit a site like [whatismyip.com](https://www.whatismyip.com) to get your address. 1. Bring the `wg0` interface back up on the server: 
@@ -86,35 +102,48 @@ You should now have your server configuration completed. At this point, you stil 1. [Connect to your One-Click App's Linode via SSH](/docs/getting-started/#connect-to-your-linode-via-ssh). -1. Just like your client, your server also has a public/private keypair of its own. Use the `grep` command to get the value of your server's private key from its configuration: +1. Just like your client, your server also has a public/private keypair of its own. The One-Click App script leaves a copy of these keys in the root user's home folder: - grep PrivateKey /etc/wireguard/wg0.conf - -1. You should see output similar to the following: + ls /root {{< output >}} -PrivateKey = AH2SpJVfM174dqyG5srCzc1l6uHBsoADGGifP7T0flk= +wg-private.key wg-public.key {{< /output >}} -1. Run this command to translate the server's private key into its public key: +1. Use the `cat` command to get the value of the server's WireGuard public key: - grep PrivateKey /etc/wireguard/wg0.conf | cut -d' ' -f3 | wg pubkey + cat /root/wg-public.key 1. You should see a random string similar to: {{< output >}} -ZlV8LQ+KbY0lj/UEfKsCJKy1nGNUUGRHS/+7VKZnSUM= +FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8= {{< /output >}} -1. Copy this value (which is your server's public key), then use it to complete steps 1 and 2 of the [Connect the Client and Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#connect-the-client-and-server) of our WireGuard guide. Enter your server's private WireGuard IP (using the `/24` CIDR notation) as the value for the `AllowedIPs` setting. These steps will establish the server as the client's peer. +1. Copy the output of your server's public key, then use it to complete **steps 1 and 2** of the [Connect the Client and Server](/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#connect-the-client-and-server) section of our WireGuard guide. 
These steps will tell you to append `[Peer]` section to your client's existing WireGuard configuration and then how to enable the service on your client. + + Enter your server's WireGuard tunnel IP (using the `/24` CIDR notation) as the value for the `AllowedIPs` setting, and set the server's public IP address and WireGuard port to be the Endpoint. Here's an example template for a completed client configuration: + + {{< file >}} +[Interface] +PrivateKey = +Address = 10.0.1.2 + +[Peer] +PublicKey = +AllowedIPs = 10.0.1.1 +Endpoint = :51820 +{{< /file >}} + + After you complete steps 1 and 2 from that section, you will have established the server as the client's peer. ### Test your WireGuard Client's Connection This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client's peer information: -1. Access your WireGuard client and ping the WireGuard server. Replace `192.168.2.1` with the private IP address you assigned to the WireGuard server in the One-Click App creation form: +1. Access your WireGuard client and ping the WireGuard server. Replace `10.0.1.1` with the tunnel IP address you assigned to the WireGuard server in the One-Click App creation form: - ping 192.168.2.1 + ping 10.0.1.1 1. Use the WireGuard utility to verify your client's latest handshake:
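Review bot: In PATCH 1/4, the "Test Your WireGuard Client's Connection" step says to replace `192.0.2.0` with the server's public IP address, but `192.0.2.0/24` is also the default given for the server's **Private IP** field, so the reader cannot tell which address to ping, and `.0` is the network address of that /24 rather than a host address. Suggest giving the server default a host address, as the client default `192.0.2.1/24` already has, and having the test ping the server's address inside the WireGuard network, since a ping to the public IP does not exercise the tunnel. Smaller points in the same hunk: `**UFW (UncomplicatedFireWall**` is missing its closing parenthesis, the Select an Image row ends in `page..`, and the Region row ends in `*Required*.*`.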
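Review bot: In PATCH 3/4, the new server-key steps run `grep PrivateKey /etc/wireguard/wg0.conf` and show a sample `PrivateKey = ...` value in an output block, which prints the server's private key to the terminal for no benefit, because the step after it already pipes the value straight into `wg pubkey`. Suggest dropping the display step and its output block and keeping only the pipeline that emits the public key. The `cut -d' ' -f3` in that pipeline depends on the line being written exactly as `PrivateKey = value` with single spaces, which is worth stating next to the command. In the same hunk, the "You should see ..." items are numbered as steps although they only describe output; they read better as continuation text under the command they follow.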
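Review bot: In PATCH 4/4, the front-matter hunk deletes `modified: 2019-03-28` and adds nothing in its place, while `modified_by` stays. If the intent is to record this edit, set `modified` to the new date rather than dropping the key; if the key is being retired, `modified_by` is left without a date to refer to.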
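Review bot: In PATCH 4/4, the shortened note under "WireGuard Options" still tells the reader to leave the form's **Public Key (Client)** field blank, while the table in the same hunk renames that field to **WireGuard Public Key (Client)**. Suggest using the new label in the note so it matches the form. The paragraph above the table says both the key and the endpoint IP can be left empty, but the new **Endpoint IP (Client)** row does not repeat that; a short "may be left blank" in the row would keep the table usable on its own.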
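Review bot: In PATCH 4/4, the new `Endpoint = ` step reads "user your Linode's public IP"; that should be "use your Linode's public IP". The instruction to save the file now sits only at the end of this step, so a reader who stops after the `PublicKey = ` step has no save instruction; consider making saving its own step after both edits.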
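Review bot: In PATCH 4/4, the step stating that the One-Click App script leaves `wg-private.key` and `wg-public.key` in the root user's home folder gives no guidance about the private key copy. Suggest adding a sentence that only the contents of `wg-public.key` are meant to be copied to the client, and saying whether the private key file is still needed once `wg0.conf` is in place. In the client template that follows, `Address = 10.0.1.2` and `AllowedIPs = 10.0.1.1` carry no prefix length, although the sentence introducing the template says to enter the tunnel IP "using the `/24` CIDR notation"; make the template and the sentence agree. The phrase "append `[Peer]` section" is also missing "a".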