WireGuard is a peer-to-peer VPN; it does not use the client-server model. Depending on its configuration, a peer can act as a traditional server or client. It works by creating a network interface on each peer device that acts as a tunnel. Peers authenticate each other by exchanging and validating public keys, mimicking the SSH model. Public keys are mapped to a list of IP addresses that are allowed in the tunnel.

In this article, we'll discuss how to set up a WireGuard VPN on Ubuntu 20.04 that will act as a VPN server. We'll also show you how to configure WireGuard as a client. The client's traffic will be routed through the Ubuntu 20.04 server. This setup can be used as a protection against Man in the Middle attacks, surfing the web anonymously, bypassing Geo-restricted content, or allowing your colleagues who work from home to connect to the company network securely.

To follow this guide, you'll need an Ubuntu 20.04 server with root or sudo access.

We'll start by installing WireGuard on the Ubuntu machine and set it up to act as a server. We'll also configure the system to route the clients' traffic through it.

WireGuard is available from the default Ubuntu repositories. To install it, run the following commands:

    sudo apt update
    sudo apt install wireguard

This will install the WireGuard module and tools.

The wg and wg-quick command-line tools allow you to configure and manage the WireGuard interfaces.

Each device in the WireGuard VPN network needs to have a private and public key. Run the following command to generate the key pair:

    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

The files will be generated in the /etc/wireguard directory. You can view the contents of the files with cat. The private key should never be shared with anyone and should always be kept secure.

WireGuard also supports a pre-shared key, which adds an additional layer of symmetric-key cryptography. This key is optional and must be unique for each peer pair.

The next step is to configure the tunnel device that will route the VPN traffic.

The device can be set up either from the command line using the ip and wg commands, or by creating the configuration file with a text editor.

Create a new file named wg0.conf and add the following contents:

    sudo nano /etc/wireguard/wg0.conf

    [Interface]
    Address = 10.0.0.1/24
    SaveConfig = true
    ListenPort = 51820
    PrivateKey = SERVER_PRIVATE_KEY
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

The interface can be named anything, however it is recommended to use something like wg0 or wgvpn0. The settings in the interface section have the following meaning:

Address - A comma-separated list of v4 or v6 IP addresses for the wg0 interface.

PrivateKey - A private key generated by the wg genkey command. (To see the contents of the file type: sudo cat /etc/wireguard/privatekey)

SaveConfig - When set to true, the current state of the interface is saved to the configuration file when shut down.

PostUp - Command or script that is executed before bringing the interface up. In this example, we're using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.

Make sure to replace ens3 after -A POSTROUTING to match the name of your public network interface.
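The check below is an added example, not part of the original article: it audits a wg-quick configuration like the wg0.conf above for a file mode that exposes PrivateKey and for PostUp iptables rules that PostDown never removes. The function names audit_wg_conf, rules and make_sample are hypothetical, the sample file is constructed, and GNU stat (as shipped with Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit a wg-quick config for two mistakes this setup invites.
# audit_wg_conf prints one finding per line and nothing when the file passes.

# Split the ';'-separated commands of one key (PostUp/PostDown), one per line.
rules() {
    sed -n "s/^$1 *= *//p" "$2" | tr ';' '\n' | sed 's/^ *//; s/ *$//'
}

audit_wg_conf() {
    conf=$1
    # 1. The file embeds PrivateKey, so group and other must have no access.
    mode=$(stat -c '%a' "$conf") || return 2
    case $mode in
        [0-7]00) ;;
        *) echo "MODE $mode" ;;
    esac
    # 2. Every rule PostUp appends (-A) needs the same rule deleted (-D) in
    #    PostDown, or FORWARD/MASQUERADE entries accumulate across restarts.
    down=$(rules PostDown "$conf")
    rules PostUp "$conf" | while IFS= read -r rule; do
        case $rule in *" -A "*) ;; *) continue ;; esac
        want=$(printf '%s\n' "$rule" | sed 's/ -A / -D /')
        printf '%s\n' "$down" | grep -qxF -e "$want" || echo "UNPAIRED $rule"
    done
}

# Constructed sample: the page's wg0.conf with its placeholder key, given the
# 644 mode that tee produces under a 022 umask, and a PostDown that omits the
# NAT rule.
make_sample() {
    f=$(mktemp) && chmod 644 "$f" || return 1
    cat >"$f" <<'EOF'
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
EOF
    echo "$f"
}
```

Run it against the real file with `sudo sh -c '. ./audit.sh; audit_wg_conf /etc/wireguard/wg0.conf'` (the script name is an assumption); a MODE finding is cleared by restricting the file to its owner with chmod 600.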