====== WireGuard VPN ======

===== Installation =====

<code bash>
sudo apt update
sudo apt install wireguard wireguard-tools
</code>

===== Configuration =====

==== Server ====

Create the private key and remove all permissions for anyone other than root (note that ''tee'' also echoes the key to the terminal, and the file is world-readable for the instant between creation and ''chmod''; run the pipeline in a shell with ''umask 077'' if that matters to you):

<code bash>
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
</code>

Derive the public key from the private key:

<code bash>
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</code>

Create the interface configuration. Because it contains the private key, ''wg0.conf'' should be readable by root only, exactly like ''private.key'':

<code bash>
sudo nano /etc/wireguard/wg0.conf
</code>

<code ini>
[Interface]
PrivateKey = <server private key>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.1.2.1/32
</code>

On the server, each peer's ''AllowedIPs'' is that client's tunnel address: WireGuard only accepts packets from a peer whose source address lies in its ''AllowedIPs'', and only routes packets to a peer whose ''AllowedIPs'' covers the destination (cryptokey routing).

Enable and start the service:

<code bash>
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
</code>

==== Client ====

<code ini>
[Interface]
PrivateKey = <client private key>
Address = 10.1.2.1/32
DNS = 10.1.2.254

[Peer]
PublicKey = <server public key>
AllowedIPs = 10.1.2.254/32
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

On the client, ''AllowedIPs'' names what is reachable //through// the server, here the server's tunnel address. It must not be the client's own address (''10.1.2.1/32''): with that setting nothing would be routed into the tunnel at all. Widen it to ''10.1.2.0/24'' if the client should also reach other clients via the server.

==== Inter-Client Communication ====

Enable IPv4 packet forwarding on the server:

<code bash>
sudo sysctl -w net.ipv4.ip_forward=1   # enable IPv4 packet forwarding (takes effect immediately, not persistent)
sudo sysctl -p                         # reload /etc/sysctl.conf; add net.ipv4.ip_forward=1 there (or in /etc/sysctl.d/) so the setting survives a reboot
</code>

Allow forwarding wg0 <-> wg0 (only one of the two is needed; ''-A'' appends to the end of the chain, ''-I'' inserts at the beginning, which matters if an earlier rule or a ''DROP'' policy would otherwise catch the traffic):

<code bash>
sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT   # append at the end of the chain
sudo iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT   # insert at the beginning of the chain
</code>

These rules are not persistent either; the ''PostUp''/''PostDown'' hooks shown in the next section are the usual place for them. The clients' ''AllowedIPs'' must additionally cover the other clients (e.g. ''10.1.2.0/24''), otherwise they never send that traffic into the tunnel.

==== Internet Access ====

Server: enable IPv4/IPv6 packet forwarding (the IPv6 sysctl is ''net.ipv6.conf.all.forwarding''; ''net.ipv6.ip_forward'' does not exist):

<code bash>
sudo sysctl -w net.ipv4.ip_forward=1             # enable IPv4 packet forwarding
sudo sysctl -w net.ipv6.conf.all.forwarding=1    # enable IPv6 packet forwarding
sudo sysctl -p                                   # reload /etc/sysctl.conf; persist both keys there or in /etc/sysctl.d/
</code>

Server ''wg0.conf'' (''eth0'' is the uplink interface; adjust it to the real one, see ''ip route get 1.1.1.1''):

<code ini>
[Interface]
PrivateKey = <server private key>
Address = 10.1.2.254/32
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.1.2.1/32
</code>

If the ''FORWARD'' chain's default policy is ''DROP'', the reply packets coming back in on ''eth0'' and going out on ''wg0'' also need an ''ACCEPT'' rule for established/related connections; with the default ''ACCEPT'' policy the rules above are sufficient.

Client:

<code ini>
[Interface]
PrivateKey = <client private key>
Address = 10.1.2.1/32
DNS = 10.1.2.254   # or a public resolver, e.g. 1.1.1.1

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

''AllowedIPs = 0.0.0.0/0, ::/0'' sends all traffic into the tunnel. ''::/0'' is listed even though the tunnel carries no IPv6 here: the client then sends IPv6 packets to the server instead of past the tunnel, and the server drops them because the client has no IPv6 address in its ''AllowedIPs''. That is a deliberate leak prevention, not an IPv6 uplink.

==== DNS Suffix and Search List ====

Adjust the client's ''[Interface]'' section. ''wg-quick'' treats entries in ''DNS'' that are not IP addresses as DNS search domains:

<code ini>
[Interface]
PrivateKey = <client private key>
Address = 10.1.2.1/32
DNS = 10.1.2.254, lab.local, wg0.lab.local

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
</code>

==== Windows Client ====

The Windows client can be driven from an elevated command prompt. The tunnel name is the base name of the config file; the ''.dpapi'' variant is a configuration the WireGuard app has already encrypted with DPAPI.

<code powershell>
wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf"
wireguard /installtunnelservice "C:\Program Files\WireGuard\Data\Configurations\config.conf.dpapi"
wireguard /installmanagerservice
wireguard /uninstallmanagerservice
wireguard /update 2> C:\path\to\update\log.txt
</code>
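The page leaves the keys blank and shows the server and client configs separately, which makes it easy to mix up which address goes into which ''AllowedIPs''. The following is an added example, not code from the page or the WireGuard project: it reproduces what ''wg genkey'' and ''wg pubkey'' actually compute (Curve25519 clamping and X25519 per RFC 7748, Base64-encoded exactly as WireGuard expects), then renders matching server and client configs for the page's addresses (''10.1.2.254'' server, ''10.1.2.1''/''10.1.2.2'' clients, the placeholder ''vpn.example.com'') and refuses the classic mistake of a client listing its own address in ''AllowedIPs''. The helper names, the ''10.1.2.2'' second client and the ''10.1.2.0/24'' client-side ''AllowedIPs'' are assumptions for the demo. The X25519 routine is plain Python for readability and is not constant-time, so use it for generating configs offline, not as a general crypto library.

```python
"""Added example (not from the page): what `wg genkey` / `wg pubkey` compute,
and how the server and client configs from this page fit together.
Pure Python; X25519 per RFC 7748, key encoding as WireGuard uses it."""
import base64
import os
from typing import List, Tuple

_P = 2**255 - 19                      # Curve25519 field prime
_A24 = 121665                         # (A - 2) / 4 for A = 486662
_BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian


def _clamp(k: bytes) -> bytes:
    """Same clamping `wg genkey` applies before a private key is stored."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Correct, but not constant-time: fine for
    generating configs offline, not for use where timing leaks matter."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = (int.from_bytes(point, "little") & ((1 << 255) - 1)) % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, Base64."""
    return base64.b64encode(_clamp(os.urandom(32))).decode()


def pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: X25519 of the private key with base point u = 9."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), _BASEPOINT)).decode()


def client_allowed_ips_ok(client_addr: str, allowed_ips: str) -> bool:
    """A client's AllowedIPs names what it reaches *via* the server (server address,
    tunnel subnet or 0.0.0.0/0); its own tunnel address there routes nothing."""
    return client_addr not in {ip.strip().split("/")[0] for ip in allowed_ips.split(",")}


def server_conf(server_priv: str, server_addr: str, port: int,
                peers: List[Tuple[str, str]]) -> str:
    """peers: (client public key, client tunnel address without prefix)."""
    lines = ["[Interface]", f"PrivateKey = {server_priv}",
             f"Address = {server_addr}/32", f"ListenPort = {port}", "SaveConfig = false"]
    for pub, addr in peers:
        # One /32 per client: the server routes to it and accepts only that source address.
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {addr}/32"]
    return "\n".join(lines) + "\n"


def client_conf(client_priv: str, client_addr: str, server_pub: str,
                endpoint: str, allowed_ips: str, dns: str) -> str:
    if not client_allowed_ips_ok(client_addr, allowed_ips):
        raise ValueError("AllowedIPs must not contain the client's own tunnel address")
    return "\n".join([
        "[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_addr}/32",
        f"DNS = {dns}", "", "[Peer]", f"PublicKey = {server_pub}",
        f"AllowedIPs = {allowed_ips}", f"Endpoint = {endpoint}",
        "PersistentKeepalive = 25", ""])


if __name__ == "__main__":
    # Constructed demo: one server and two clients on 10.1.2.0/24 (addresses from the
    # page; 10.1.2.2 and vpn.example.com are placeholders, not real hosts).
    srv_priv = genkey()
    srv_pub = pubkey(srv_priv)
    clients = {"10.1.2.1": genkey(), "10.1.2.2": genkey()}
    print(server_conf(srv_priv, "10.1.2.254", 51820,
                      [(pubkey(k), a) for a, k in clients.items()]))
    for addr, key in clients.items():
        # 10.1.2.0/24 lets the clients reach the server and each other via the server.
        print(client_conf(key, addr, srv_pub, "vpn.example.com:51820",
                          "10.1.2.0/24", "10.1.2.254"))
```

Run it as ''python3 wgconf.py'' (file name assumed) and paste the printed blocks into ''/etc/wireguard/wg0.conf'' on the respective hosts; the keys it prints are interchangeable with those from ''wg genkey''/''wg pubkey'', which you can confirm by piping one of its private keys through ''wg pubkey''.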