I covered that in the video for the client side setup
This will route all traffic over the tunnel
AllowedIPs = 0.0.0.0/0 # Forward all traffic
This will route only traffic for 192.168.50.0/24 over the tunnel
AllowedIPs = 192.168.50.0/24 # Forward only these networks
Thanks for the guide. Used bits of it to get wireguard on untangle connected.
Tykisson, I had the same issue with DNS. I forgot I blocked all DNS so once I specified DNS = 10.1.1.1 everything worked.
so I have a stack of 5 static IPs can this be used to route a different IP to each client connecting to a single wireguard server?
It's possible but much more complex than what I covered in the video as you would have to create the Linux networking rules to get that working.
Good news though! I got 3x Ubuntu so far hosted on different companies, they all got kernel 5.4.0 and I used to get an error when I was trying to start it with systemctl start wg-quick@wg0, however if I run systemctl enable wg-quick@wg0 in the first place and then reboot the machine, I have it running on boot.
So the Endpoint Public IP address and port number is a requirement to get the VPN working?
Yes, at least one of the end points needs to have a public IP address.
Oh okay that makes sense now. Thanks
Hi All,
I'm having an issue with this step of Tom's instructions.
Linux Client Side Setup
Install wireguard
apt-get install wireguard
Go to the WireGuard config directory, cd /etc/wireguard, and then run the following command to generate the public and private keys for the server.
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
When I attempt to cd /etc/wireguard I receive the following error:
mwasi@HP-Home:~$ cd /
mwasi@HP-Home:/$ ls
bin dev lib media proc sbin sys usr
boot etc lib64 mnt root srv timeshift var
cdrom home lost+found opt run swapfile tmp
mwasi@HP-Home:/$ cd /etc/wireguard
bash: cd: /etc/wireguard: Permission denied
mwasi@HP-Home:/$ cd /etc
mwasi@HP-Home:/etc$ cd /wireguard
bash: cd: /wireguard: No such file or directory
mwasi@HP-Home:/etc$ ls
acpi hddtemp.db printcap
adduser.conf hdparm.conf profile
adjtime host.conf profile.d
alsa hostname protocols
alternatives hosts pulse
anacrontab hosts.allow python2.7
apg.conf hosts.deny python3
apm hp python3.8
apparmor ifplugd qemu-ifdown
apparmor.d ImageMagick-6 qemu-ifup
apport init rc0.d
appstream.conf init.d rc1.d
apt initramfs-tools rc2.d
avahi inputrc rc3.d
bash.bashrc inxi.conf rc4.d
bash_completion iproute2 rc5.d
bash_completion.d issue rc6.d
bindresvport.blacklist issue.net rcS.d
binfmt.d java request-key.conf
bluetooth java-11-openjdk request-key.d
brlapi.key kernel resolv.conf
brltty kernel-img.conf rmt
brltty.conf kerneloops.conf rpc
ca-certificates ldap rsyslog.conf
ca-certificates.conf ld.so.cache rsyslog.d
ca-certificates.conf.dpkg-old ld.so.conf samba
calendar ld.so.conf.d sane.d
casper.conf legal sasl2
catdocrc libao.conf security
chatscripts libaudit.conf selinux
cifs-utils libblockdev sensors3.conf
conky libibverbs.d sensors.d
console-setup libnl-3 services
cracklib libpaper.d sgml
cron.d libreoffice shadow
cron.daily libvirt shadow-
cron.hourly lightdm shells
cron.monthly lintianrc signond.conf
crontab linuxmint signon-ui
cron.weekly locale.alias skel
cryptsetup-initramfs locale.gen snmp
cups localtime speech-dispatcher
cupshelpers logcheck splashtop-streamer.conf
dbus-1 login.defs ssh
dconf logrotate.conf ssl
debconf.conf logrotate.d subgid
debian_version lsb-release subgid-
default ltrace.conf subuid
deluser.conf lvm subuid-
depmod.d machine-id sudoers
dhcp magic sudoers.d
dictionaries-common magic.mime sysctl.conf
dkms mailcap sysctl.d
dnsmasq.d mailcap.order systemd
dnsmasq.d-available manpath.config terminfo
doc-base menu-methods thermald
dpkg mime.types thunderbird
e2scrub.conf mke2fs.conf timeshift
emacs modprobe.d timezone
environment modules timidity
environment.d modules-load.d tmpfiles.d
ethertypes mtab ubuntu-advantage
firefox mtools.conf ucf.conf
fonts mysql udev
fprintd.conf nanorc udisks2
fstab netplan ufw
fuse.conf network updatedb.conf
fwupd networkd-dispatcher update-manager
gai.conf NetworkManager update-motd.d
gamemode.ini networks update-notifier
gdb newt UPower
geoclue nsswitch.conf upstream-release
ghostscript openal usb_modeswitch.conf
gimp openvpn usb_modeswitch.d
glvnd opt vdpau_wrapper.cfg
gnome os-release vim
gnome-app-install PackageKit vnstat.conf
GNUstep pam.conf vtrgb
groff pam.d vulkan
group papersize wgetrc
group- passwd wireguard
grub.d passwd- wpa_supplicant
gshadow pcmcia X11
gshadow- perl xattr.conf
gss pki xdg
gtk-2.0 pm xfe
gtk-3.0 pnm2ppa.conf xml
guest-session polkit-1 zsh_command_not_found
gufw ppp
mwasi@HP-Home:/etc$
I'm using:
System: Kernel: 5.9.0-050900-generic x86_64 bits: 64 compiler: N/A Desktop: Cinnamon 4.8.6
wm: muffin dm: LightDM Distro: Linux Mint 20.1 Ulyssa base: Ubuntu 20.04 focal
I'm able to access other files and folders in the /etc directory, but just not the wireguard folder.
Any assistance would be much appreciated.
Thank you.
If I remember correctly, I needed to be root to make those edits. I just used
sudo su
to do the elevation.
Thank you very much, that solved my issue. I hope your day is filled with much joy, peace and happiness!
Hey @LTS_Tom, would be amazing if you updated your original post a bit.
In the 'PostUp' and 'PostDown' you assume the default interface is eth0 but some machines like Oracle Cloud Compute Instances have 'ens3' instead of 'eth0' and it took me a while to figure things out.
Please add info that people should run 'ifconfig' and find their default main interface. It should be either 'eth0' or 'ens3' and edit that 'PostUp' and 'PostDown' line to match their interface.
Nice pickup. You are aware that you can change the default interface naming a couple of different ways if you had to. I've modified udev.d to do this. Here's the reference for how to do it: Network configuration - ArchWiki
I'm aware that some distributions no longer use eth0.
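A small check for the pitfall raised above, added here as an example and not part of the guide: it reads the device carrying the default route (what `ip route show default` prints) and flags PostUp/PostDown lines whose MASQUERADE egress interface is hard-coded to something else. The route output and the wg0.conf fragment are constructed samples following the common wg-quick NAT pattern, not the guide's own file.

```python
"""Lint wg-quick PostUp/PostDown hooks against the real default interface."""
import re

# Constructed: what `ip route show default` prints on a host whose NIC is ens3
IP_ROUTE_DEFAULT = "default via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.23 metric 100\n"

# Constructed config in the usual wg-quick NAT style, with the egress hard-coded to eth0
WG0_CONF = """[Interface]
Address = 192.168.50.1/24
ListenPort = 51820
PrivateKey = <server private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""

HOOK_RE = re.compile(r"^(?:PostUp|PostDown)\s*=.*$", re.M)


def default_interface(route_output):
    """Return the device of the default route: the token following 'dev'."""
    for line in route_output.splitlines():
        fields = line.split()
        if fields[:1] == ["default"] and "dev" in fields:
            return fields[fields.index("dev") + 1]
    raise LookupError("no default route found")


def hook_interfaces(conf):
    """Interfaces named by '-o' in the hook lines (the masquerade egress)."""
    found = set()
    for m in HOOK_RE.finditer(conf):
        found.update(re.findall(r"-o\s+(\S+)", m.group(0)))
    return found


def mismatched_hooks(conf, route_output):
    """Egress interfaces in the hooks that are not the default-route device."""
    return hook_interfaces(conf) - {default_interface(route_output)}


def fix_hooks(conf, route_output):
    """Rewrite '-o <iface>' in PostUp/PostDown only, leaving the rest of the file alone."""
    iface = default_interface(route_output)
    return HOOK_RE.sub(lambda m: re.sub(r"-o\s+\S+", f"-o {iface}", m.group(0)), conf)


if __name__ == "__main__":
    print("default interface:", default_interface(IP_ROUTE_DEFAULT))
    print("hard-coded but wrong:", mismatched_hooks(WG0_CONF, IP_ROUTE_DEFAULT))
    print(fix_hooks(WG0_CONF, IP_ROUTE_DEFAULT))
```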
Thanks for the post - it is very crisp and clear.
Your post did not mention opening up the firewall to port 51820/UDP if the client is behind a firewall.
Can you clarify that your client does not need an open UDP port on the firewall for the wireguard link to be setup?
I had to open the port on mine.
Thanks again for a wonderful resource.
Harish
The server has public ports open so the clients behind the firewall don't need to as they are reaching out to the server.
I followed the guide exactly but didn't want to route all traffic through the server. So I changed the allowed IPs for the clients to: 192.168.69.1/24, which seems to do what I want.
Client 1 and Client 2 are on the same local network and both are Windows 10 machines. However, when I try to transfer files over LAN using the LAN IPs (10.242.1.0/24), the speeds become really slow and it looks like it's tunneling the traffic through the VPN (based off the transfer speeds). I've tried to put Table = off in the client configurations but that doesn't help. If I deactivate Wireguard on either client 1 or client 2, the transfer speeds go back to normal.
The server configuration is exactly as the guide shows and the client configurations are the same except: AllowedIPs = 192.168.69.1/24. Does anyone know what the problem is?
When you have this setting in the [peer]
AllowedIPs = 0.0.0.0/0 # Forward all traffic to server
It will send all traffic, even local, over to the WireGuard server.
Thanks for the reply, Tom. I have that line changed to:
AllowedIPs = 192.168.69.1/24
Not sure if it is tunneling the traffic over the VPN or some other problem causing the speeds to be slow. I assume it is tunneling because the transfer speed matches the upload speed of the internet connection. And to be clear, this is using the LAN's IP which is 10.242.1.0/24 range.
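The AllowedIPs question above (full tunnel versus 192.168.69.1/24, and the malformed 192.168.50,0/24 earlier in the thread) comes down to cryptokey routing: a destination is handed to a peer only if it falls inside that peer's AllowedIPs. This added example, not code from the guide, evaluates that rule for a [Peer] block; the peer blocks are constructed samples with placeholder keys, and whether the OS routing table sends a packet to the WireGuard interface in the first place is a separate question it does not model.

```python
"""Which destinations does a [Peer] AllowedIPs setting route into the tunnel?"""
import ipaddress
import re

# Matches the AllowedIPs value, dropping a trailing '# comment' as wg-quick does
ALLOWED_RE = re.compile(r"^\s*AllowedIPs\s*=\s*(.+?)\s*(#.*)?$", re.M)

# Constructed peer blocks mirroring the settings discussed in the thread
FULL_TUNNEL = """[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0 # Forward all traffic to server
Endpoint = vpn.example.com:51820
"""
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0", "192.168.69.1/24")
TYPO_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0", "192.168.50,0/24")


def parse_allowed_ips(peer_conf):
    """Return the networks a [Peer] block claims.

    wg-quick accepts a host address with a prefix length (192.168.69.1/24)
    and routes the containing network, so strict=False mirrors that.
    A comma typo such as '192.168.50,0/24' splits into two junk entries and
    is rejected rather than quietly routing nothing.
    """
    m = ALLOWED_RE.search(peer_conf)
    if not m:
        raise ValueError("no AllowedIPs line in peer block")
    nets = []
    for item in m.group(1).split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"malformed AllowedIPs entry {item.strip()!r}") from exc
    return nets


def allowed_ips_valid(peer_conf):
    """True if every AllowedIPs entry parses as an address or prefix."""
    try:
        parse_allowed_ips(peer_conf)
        return True
    except ValueError:
        return False


def tunneled(peer_conf, dst):
    """True if a packet to dst would be encrypted to this peer."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_allowed_ips(peer_conf))


if __name__ == "__main__":
    lan_host = "10.242.1.20"  # constructed address on the poster's 10.242.1.0/24 LAN
    print("full tunnel sends LAN traffic to the server:", tunneled(FULL_TUNNEL, lan_host))
    print("split tunnel routes:", [str(n) for n in parse_allowed_ips(SPLIT_TUNNEL)])
    print("split tunnel sends LAN traffic to the server:", tunneled(SPLIT_TUNNEL, lan_host))
    print("typo config parses:", allowed_ips_valid(TYPO_TUNNEL))
```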
I am trying to use WireGuard to VPN into my home network. My intention is to have WG available for 3 of my network's VLANs (30 (Server), 50 (Private), 90 (Otter)). The WireGuard server (VM on XCP-ng) on the network has 3 interfaces, one for each network. Following your guide I could not get WG to connect. Upon further investigation WG is responding to the handshake request on a different interface than it is receiving it on, and this, I assume, is why the client is saying "Handshake failed, no reply after 5s".
Output of sudo tcpdump -ttttni any 'udp port 51820'
showing the reply on a different interface:
2021-09-25 15:11:02.550824 IP 209.171.88.242.28461 > 10.10.30.6.51820: UDP, length 148
2021-09-25 15:11:02.551415 IP 10.10.90.5.51820 > 209.171.88.242.28461: UDP, length 92
My intent is to get just one connection working and then add the separate interfaces for each VLAN. Then after that make each peer show up on the network with its own IP rather than the servers IP. I think this is just not having WG do the NAT stuff.
I'm just not sure how to get WG to respond on the interface the request comes in on, assuming that's why my config isn't working.
Thanks.
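The tcpdump capture above shows the symptom directly: the initiation arrives at 10.10.30.6 but the response leaves from 10.10.90.5. This added example (not from the thread or the guide) parses `tcpdump -ttttn` lines and flags every handshake response whose source address differs from the address the matching initiation was sent to, so the problem can be confirmed from a capture rather than inferred from the client's timeout. The sample lines are the two posted above; message sizes are WireGuard's fixed handshake lengths (initiation 148 bytes, response 92 bytes of UDP payload).

```python
"""Detect WireGuard handshake replies sourced from a different address than the request hit."""
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport length")

# The two lines posted in the thread, unchanged
SAMPLE = """\
2021-09-25 15:11:02.550824 IP 209.171.88.242.28461 > 10.10.30.6.51820: UDP, length 148
2021-09-25 15:11:02.551415 IP 10.10.90.5.51820 > 209.171.88.242.28461: UDP, length 92
"""

# tcpdump -ttttn prints "date time IP a.b.c.d.port > a.b.c.d.port: UDP, length N"
LINE_RE = re.compile(
    r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)$"
)

# WireGuard handshake message sizes on the wire (UDP payload bytes)
HANDSHAKE_INIT, HANDSHAKE_RESP = 148, 92


def parse(text):
    """Turn capture lines into Pkt tuples, skipping anything that is not UDP/IPv4."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, length = m.groups()
            pkts.append(Pkt(ts, src, int(sport), dst, int(dport), int(length)))
    return pkts


def asymmetric_replies(text, listen_port=51820):
    """Return (peer, arrived_on, replied_from) for each handshake response whose
    source address is not the server address the initiation was sent to."""
    arrived_on = {}   # (client ip, client port) -> server address the initiation hit
    findings = []
    for p in parse(text):
        if p.dport == listen_port and p.length == HANDSHAKE_INIT:
            arrived_on[(p.src, p.sport)] = p.dst
        elif p.sport == listen_port and p.length == HANDSHAKE_RESP:
            expected = arrived_on.get((p.dst, p.dport))
            if expected is not None and expected != p.src:
                findings.append((f"{p.dst}:{p.dport}", expected, p.src))
    return findings


if __name__ == "__main__":
    for peer, hit, replied in asymmetric_replies(SAMPLE):
        print(f"{peer}: initiation hit {hit}, response left from {replied}")
```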