====== WireGuard VPN ======

===== Installation =====

<code>
sudo apt update
sudo apt install wireguard wireguard-tools
</code>

===== Konfiguration =====

==== Server ====
create private key and remove permissions for any one other than root
<code>
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
</code>

create public key
<code>
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</code>

<code>
sudo nano /etc/wireguard/wg0.conf
</code>

<code bash>
[Interface]
PrivateKey = <private key server>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false

[Peer]
PublicKey = <public key client>
AllowedIPs = 10.1.2.1/32
</code>

Dienst aktivieren und starten
<code>
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
</code>

==== Client ====

<code bash>
[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254

[Peer]
PublicKey = <public key server>
AllowedIPs = 10.1.2.1/32
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

==== Inter-Client Communication ====

IPv4 Packet Forwarding aktivieren
<code>
sudo sysctl -w net.ipv4.ip_forward=1                       # IPv4 Packet Forwarding aktivieren
sudo sysctl -p                                             # Änderung anwenden
</code>

Kommunikation wg0 <-> wg0 erlauben
<code>
sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT           # ans Ende der chain (append)
sudo iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT           # an den Anfand der Chain
</code>

==== Internetzugriff ====

Server
IPv4/IPv6 Packet Forwarding aktivieren
<code>
sudo sysctl -w net.ipv4.ip_forward=1                       # IPv4 Packet Forwarding aktivieren
sudo sysctl -w net.ipv6.ip_forward=1                       # IPv4 Packet Forwarding aktivieren
sudo sysctl -p                                             # Änderung anwenden
</code>

Server
<code bash>
[Interface]
PrivateKey = <private key server>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <public key client>
AllowedIPs = 10.1.2.1/32
</code>

Client
<code bash>
[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254 #, 1.1.1.1

[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

==== DNS-Suffix und Suchliste ====

Client interface Anpassen
<code bash>
[Interface]
PrivateKey = <private key client>
Address = 10.1.2.1/32
DNS = 10.1.2.254, lab.local, wg0.lab.local

[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

==== Windows Client ====

<code>
wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf"
wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf.dpapi"
wireguard /installmanagerservice
wireguard /uninstallmanagerservice
wireguard /update 2> C:\path\to\update\log.txt
</code>