WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Pre-requisite: Docker
Steps:
Create a folder for wireguard and for its configuration
$ cd ~
$ mkdir -p docker
$ mkdir -p docker/wireguard
$ mkdir -p docker/wireguard/config
$ nano docker/wireguard/docker-compose.yml
Customize the configuration to your taste. The important parts to change are SERVERURL, PEERS and PEERDNS.
SERVERURL must be your VPS IP address.
PEERS must be the client device names; a config will be generated for each of these devices. Alternatively, you can use PEERS=n, in which n is the number of client configs to be generated; the resulting configurations would be named peer_1, peer_2 and so on.
PEERDNS is the DNS server that will be used by the clients. Leave this as auto if you are not sure, or change it to a more private DNS such as AdGuard or Quad9, which offer ad blocking, adult content blocking and more.
TZ is the time zone. See this article on Wikipedia for the list of TZ values.
docker-compose.yml contents:
version: '2.1'
services:
  wireguard:
    container_name: wireguard
    image: ghcr.io/linuxserver/wireguard
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Manila
      - SERVERURL=XXX.XXX.XXX.XXX
      - SERVERPORT=51820
      - PEERS=CLIENT1,CLIENT2,CLIENT3
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.0.0.0
    ports:
      - 51820:51820/udp
    volumes:
      - type: bind
        source: ./config/
        target: /config/
      - type: bind
        source: /lib/modules
        target: /lib/modules
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
Execute the command below to pull the image and run the WireGuard server.
$ docker-compose up -d
Sample output:
Creating network "wireguard_default" with the default driver
Pulling wireguard (ghcr.io/linuxserver/wireguard:)...
latest: Pulling from linuxserver/wireguard
705a6d38fd2f: Pull complete
e4d5374cbb84: Pull complete
240d7b85f16c: Pull complete
...
Creating wireguard ... done
At this point, we are ready to view the client configs using the Docker logs.
View the log:
$ docker-compose logs -f wireguard
It should display each peer with its QR code. Later we can use this code to import the configuration into the WireGuard client on our smartphone.
wireguard | **** Server mode is selected ****
wireguard | **** External server address is set to XXX.XXX.XXX.XXX ****
wireguard | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
wireguard | **** Internal subnet is set to 10.0.0.0 ****
wireguard | **** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
wireguard | **** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.0.0.1 to use wireguard docker host's DNS. ****
wireguard | **** Server mode is selected ****
wireguard | **** Server related environment variables changed, regenerating 1 server and CLIENT1,CLIENT2,CLIEN3 peer/client confs ****
wireguard | PEER CLIENT1 QR code:
...
[QR CODE]
...
To scan the QR code that was displayed earlier, download WireGuard on your smartphone from F-Droid, the Play Store or the App Store. For other clients, visit https://www.wireguard.com/install/.
After installing the WireGuard client on the smartphone, open the app, press the + button, then select Scan from QR Code. Scan the QR code for the client device. Finally
To use the configuration with our desktop or laptop computers, we need to install the WireGuard client for our target platform. To get the configuration for a client without the QR code, simply display the contents of the peer configuration, which can be found in the config directory.
Displaying the contents (the peer directories are named peer_CLIENT1, peer_CLIENT2 and so on):
$ sudo ls config
$ sudo ls config/peer_CLIENT1
$ sudo cat config/peer_CLIENT1/peer_CLIENT1.conf
Copy the output of peer_CLIENT1.conf to your desktop and import it into the WireGuard client.
Sample output:
$ sudo ls config
coredns peer_CLIENT1 peer_CLIENT2 peer_CLIENT3 server templates wg0.conf
$ sudo ls config/peer_CLIENT1
peer_CLIENT1.conf peer_CLIENT1.png privatekey-peer_CLIENT1 publickey-peer_CLIENT1
$ sudo cat config/peer_CLIENT1/peer_CLIENT1.conf
[Interface]
Address = 10.0.0.2
PrivateKey = [REDACTED]
ListenPort = 51820
DNS = 10.0.0.1
[Peer]
PublicKey = [REDACTED]
Endpoint = XXX.XXX.XXX.XXX:51820
AllowedIPs = 0.0.0.0/0, ::/0
Important configuration information:
The DNS is set to 10.0.0.1 when you select PEERDNS=auto in the docker-compose.yml file; otherwise you can use any public DNS. If you do not have an IPv6 connection, be sure to remove ::/0 from the AllowedIPs line.
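As an added check for the points above (example code written for this page, not part of the tutorial or the linuxserver image), the Python below parses a peer .conf in the layout shown, verifies DNS and Endpoint against the compose values, and strips ::/0 from AllowedIPs for hosts without IPv6. It assumes the image appends /24 to INTERNAL_SUBNET and that PEERDNS=auto maps to the subnet's first host, as the log output above shows.

```python
# Added example (not from the tutorial): parse a peer conf, check it against the compose values, drop ::/0.
import configparser
import ipaddress

# Constructed sample with the same layout as the tutorial's peer_CLIENT1.conf.
SAMPLE_CONF = """[Interface]
Address = 10.0.0.2
PrivateKey = [REDACTED]
ListenPort = 51820
DNS = 10.0.0.1
[Peer]
PublicKey = [REDACTED]
Endpoint = XXX.XXX.XXX.XXX:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_wg_conf(text):
    """Return {section: {key: value}} for an INI-style WireGuard config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: PrivateKey, AllowedIPs, ...
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def allowed_ips(conf, ipv6=True):
    """AllowedIPs as a list of network strings, IPv4-only when ipv6=False."""
    nets = [ipaddress.ip_network(n.strip()) for n in conf["Peer"]["AllowedIPs"].split(",")]
    return [str(n) for n in nets if ipv6 or n.version == 4]

def strip_ipv6(conf):
    """Copy of conf with every IPv6 route (::/0 here) removed from AllowedIPs."""
    out = {s: dict(kv) for s, kv in conf.items()}
    out["Peer"]["AllowedIPs"] = ", ".join(allowed_ips(conf, ipv6=False))
    return out

def check_peer_conf(conf, server_port="51820", peer_dns="auto", subnet="10.0.0.0/24"):
    """Findings as strings; an empty list means the conf matches the compose settings."""
    findings = []
    iface, peer = conf["Interface"], conf["Peer"]
    # Assumption: with PEERDNS=auto the image hands clients the first host of
    # INTERNAL_SUBNET (10.0.0.1 in the tutorial's log output) as their DNS.
    expected_dns = str(next(ipaddress.ip_network(subnet).hosts())) if peer_dns == "auto" else peer_dns
    if iface.get("DNS") != expected_dns:
        findings.append(f"DNS is {iface.get('DNS')}, expected {expected_dns}")
    if not peer.get("Endpoint", "").endswith(":" + server_port):
        findings.append(f"Endpoint {peer.get('Endpoint')} does not use SERVERPORT {server_port}")
    return findings

def render_wg_conf(conf):
    """Back to the [Section] / Key = Value text that wg-quick reads."""
    return "\n".join(f"[{s}]\n" + "\n".join(f"{k} = {v}" for k, v in kv.items()) for s, kv in conf.items()) + "\n"
```

render_wg_conf(strip_ipv6(parse_wg_conf(text))) gives the IPv4-only text to paste into /etc/wireguard/wg0.conf on a host without IPv6.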
Installation on Debian
To install the WireGuard client on Debian, simply execute:
$ sudo apt install wireguard
Create the configuration file /etc/wireguard/wg0.conf and paste the configuration from earlier into it.
To initiate the WireGuard client connection, execute the command below:
$ sudo wg-quick up wg0
Sample output:
# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
...
To check whether your IP address has changed, execute the command below:
$ curl icanhazip.com
Sample output:
XXX.XXX.XXX.XXX
To disconnect the WireGuard client, execute the command below:
$ sudo wg-quick down wg0
Sample output:
$ sudo wg-quick down wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2 dev wg0
...
[#] nft -f /dev/fd/63
References:
https://github.com/linuxserver/docker-wireguard/pkgs/container/wireguard