VPN

Links

• https://www.stavros.io/posts/how-to-configure-wireguard/

• https://wiki.archlinux.org/index.php/WireGuard#Key_generation

• https://www.wireguard.com/quickstart/

• https://wiki.debian.org/Wireguard

Testing on kb-vpn server and X220 laptop…

Create a Droplet on Digital Ocean (smallest one possible).

ssh into the server, then apt update and apt upgrade

Tip

The following needs to be done on all the peers (client and server)

Install:

sudo -i
apt install wireguard

Create keys:

cd /etc/wireguard/
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Tip

umask 077 sets the default for files created from this point.

Create /etc/wireguard/wg0.conf:

vim /etc/wireguard/wg0.conf

In /etc/wireguard/wg0.conf on the server:

[Interface]
Address = 10.10.2.1
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client1's publickey>
AllowedIPs = 10.10.2.2/32

[Peer]
PublicKey = <client2's publickey>
AllowedIPs = 10.10.2.3/32

On the server, /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

In /etc/wireguard/wg0.conf on the clients:

[Interface]
Address = 10.10.2.2
PrivateKey = <client's privatekey>
# 13/11/2020, Malcolm thinks we don't need a 'ListenPort' on the client
# ListenPort = 51820

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:51820
AllowedIPs = 10.10.2.0/24

# This is for if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25

To test the VPN, run the following:

wg-quick up wg0
# to take the interface down
wg-quick down wg0

Auto-start the service:

systemctl enable wg-quick@wg0.service

To start or stop the service:

sudo systemctl start wg-quick@wg0.service
sudo systemctl stop wg-quick@wg0.service