From 1fd832cabe18019e9569ddc9b481fab4c73964ea Mon Sep 17 00:00:00 2001 From: j0eybrinkman Date: Sun, 18 Aug 2024 19:46:00 -0500 Subject: [PATCH] added wireguard vpn article --- docs/guides/security/wireguard_vpn.md | 261 ++++++++++++++++++++++++++ 1 file changed, 261 insertions(+) create mode 100644 docs/guides/security/wireguard_vpn.md diff --git a/docs/guides/security/wireguard_vpn.md b/docs/guides/security/wireguard_vpn.md new file mode 100644 index 0000000000..9783d1c19c --- /dev/null +++ b/docs/guides/security/wireguard_vpn.md @@ -0,0 +1,261 @@ +--- +title: WireGuard VPN +author: Joseph Brinkman +tested_with: 9.4 +tags: + - security + - vpn +--- + +# Wireguard VPN + +## Introduction + +[WireGuard](https://www.wireguard.com/) is a free and open-source peer-to-peer (P2P) Virtual Private Network (VPN). It is a light-weight and secure modern alternative to more conventional VPNs with large codebases that rely on TCP connections. Since WireGuard is a P2P VPN, each computer added to the WireGuard network communicates directly with eachother. For the purposes of this guide, we will be using a hub-spoke model, using a wireguard peer assigned a public IP address as a gateway to pass all traffic through. The purpose of doing this is allowing wireguard traffic to bypass Carrier Grade NAT (CGNAT) without needing to enable port-forwarding on your router. This requires a Rocky Linux system that is assigned a public IP address. The easiest way to achieve this is to spin-up a virtual private server (VPS) through a cloud provider of your choice; at the time of writing Google Cloud Platform offers an always free tier for their e2-micro instances. + +## Prerequisites and assumptions + +The following are minimum requirements for using this procedure: + +* The ability to run commands as the root user or use `sudo` to elevate privileges +* A Rocky Linux system with a publicly accessible IP address + +## Installing Wireguard + +Install Extra Packages for Enterprise Linux(EPEL): + +```bash +sudo dnf install epel-release +``` + +Update your systems packages: + +```bash +sudo dnf upgrade +``` + +Install Wireguard: + +```bash +sudo dnf install wireguard-tools +``` + +## Configuring WireGuard Server + +Create a folder to put your wireguard configuration files and keys: + +```bash +sudo mkdir -p /etc/wireguard +``` + +Create a configuration file, this can be named whatever you like, but it must end with `.conf` extension: + +!!! Note + + You can create multiple Wireguard VPN tunnels on the same machine, each using a different configuration file, network address, and UDP port. + +```bash +sudo touch wg0.conf +``` + +Generate a new private and public key pair for the WireGuard server: + +```bash +wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey +``` + +Edit the configuration file with your editor of choice. + +```bash +sudo vim /etc/wireguard/wg0.conf +``` + +Paste the below text: + + +```bash +[Interface] + +PrivateKey = server_privatekey + +Address = x.x.x.x/24 + +ListenPort = 51820 +``` + +You will need to replace `privatekey` with the privatekey generated earlier. You can view the privatekey using the below command in order to copy it and replace the placeholder. + +```bash +sudo cat /etc/wireguard/privatekey +``` + +Next, you will need to replace `x.x.x.x/24` with a network address within the private IP address range defined by [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918). For the purposes of this guide, we will use `10.255.255.0/24`. + +Finally, you can choose any UDP port to accept connections with Wirguard VPN. We will use `51820` for the purposes of this guide. + +## Enable IP forwarding + +IP forwarding allows the routing of packets between networks. To enable IP forwarding on your Wireguard server, use the below command to open the config file where you will put a rule stating IP forwarding is on. + +```bash +sudo vim /etc/sysctl.d/99-sysctl.conf +``` + +Now add the below rules to turn IP forwarding on for IPv4 and IPv6. This will allow internal devices to communicate with each other through the WireGuard tunnel. + +```bash +net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding = 1 +``` + +Apply these configuration changes with the below command. + +```bash +sudo sysctl -p +``` + +## Configure firewalld + +If firewalld is not installed, install it: + +```bash +sudo dnf install firewalld -y +``` + +After installing firewalld, enable it: + +```bash +sudo systemctl enable --now firewalld +``` + +Use the command below to create a permanent firewall rule allowing traffic on UDP port 51820 in the public zone. + +```bash +sudo firewall-cmd --permanent --zone=public --add-port=51820/udp +``` + +Next, allow traffic from the Wireguard interface to other interfaces in the internal zone. + +```bash +sudo firewall-cmd --permanent --add-interface=wg0 --zone=internal +``` + +Also, add a firewall rule to enable IP masquerading on internal traffic. This means that packets sent between peers will be replaced with the server's IP address. + +```bash +sudo firewall-cmd --permanent --zone=internal --add-masquerade +``` + +Finally, reload firewalld. + +```bash +sudo firewall-cmd --reload +``` + +## Configure Wireguard Peer + +Since all computers in a WireGuard network technically are peers, this process is nearly identical to configuring the Wireguard server, but there are some slight differences in the configuration. + +Create a folder to put your wireguard configuration files and keys: + +```bash +sudo mkdir -p /etc/wireguard +``` + +Create a configuration file, this can be named whatever you like, but it must end with `.conf` extension: + +```bash +sudo touch wg0.conf +``` + +Generate a new private and public key pair: + +```bash +wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey +``` + +Edit the configuration file with your editor of choice: + +Paste the below text: + +```bash +[Interface] +PrivateKey = peer_privatekey +Address = 10.255.255.2/24 + +[Peer] +PublicKey = server_publickey +AllowedIPs = 10.255.255.1/24 +Endpoint = serverip:51820 +PersistentKeepalive = 25 +``` + +Replace `peer_privatekey` with the peer's private key stored in `/etc/wireguard/privatekey` on the peer. + +You can use the below command to output the key so you can copy it: + +```bash +sudo cat /etc/wireguard/privatekey +``` + +Replace `server_publickey` with the server's public key stored in `/etc/wireguard/publickey` on the server. + +You can use the below command to output the key so you can copy it: + +```bash +sudo cat /etc/wireguard/publickey +``` + +Replace `serverip` with the public IP of the WireGuard server. + +You can find the server's public IP address using the following command on the server: + +```bash +ip a | grep inet +``` + +## Add the client key to the WireGuard server config + +Output the peer's public key and copy it + +```bash +sudo cat /etc/wiregaurd/publickey +``` + +On the server, run the following command, replacing `peer_publickey` with the peers public key: + +```bash +sudo wg set wg0 peer peer_publickey allowed-ips 10.255.255.2 +``` + +It is worth mentioning you can manually edit and peers to the configuration file. + +## Enable WireGuard VPN + +To enable Wireguard, you will run the following command on both the server and peer: + +```bash +sudo systemctl enable wg-quick@wg0 +``` + +Then start the VPN by running the below command on both the server and peer: + +```bash +systemctl start wg-quick@wg0 +``` + +You can view WireGuard information on both the server and peer with the below command: + +```bash +sudo wg +``` + +You can test connectivity by sending a ping to the server from the peer: + +```bash +ping 10.255.255.1 +``` + +## Conclusion + +By following this guide, you've successfully set up a WireGuard VPN using a hub-spoke model. This configuration provides a secure, modern, and efficient way to connect multiple devices across the internet. For further reading, checkout the [official WireGuard website](https://www.wireguard.com/).