Wireguard

more information

WireGuard is not based on a client-server structure, which is perfect for this use-case. WireGuard used a peer-to-peer architecture.

This means it can be used without a static server. When a node disconnects only the connection drops. If the other node has other peer-to-peer connections, the vNet will still be up. (Mesh Topology).

This comes with a downside that every node must be connected manually to each node. There are distributed VPN services like VPN0, however for this use-case we will only use peer-to-peer VPN connections. This is because adding another node to the network is highly unlikely at the moment.

Setting up WireGuard

Installing

WireGuard is not yet added to the kernel, therefore we need the Header packets.

apt-get install linux-generic
add-apt-repository ppa:wireguard/wireguard

apt-get install wireguard-dkms wireguard-tools

Add wireguard to the boot options

echo "wireguard" | sudo tee -a /etc/modules

Load the module

modprobe wireguard

Setting up the VPN

Make sure that both servers (nodes) have a static IP. In the example we configured a vNet with static IPs so we are good to go.

Create Public and Private Keys

Don't create another psk key on the other node. Copy it from the other one.

cd /etc/wireguard
wg genkey > private.key
wg pubkey > public.key < private.key
wg genpsk > psk.key

Make sure only the root can read those files

cd /etc/wireguard
chmod 700 *

Create Network Interface

ip link add wg0 type wireguard
ip addr add 10.1.1.2/24 dev wg0
wg set wg0 private-key ./private.key

Start the interface

ip link set wg0 up

Check everything

save the Listening Port for later peering

wg

Peer the clients

Copy the preshared key (psk.key) of the first node to the other node. On both servers, the psk must be the same.

Do the previous steps on the other node aswell. Then come back and do also this step on both nodes

wg set wg0 peer "Public Key of Client 2" preshared-key "Preshared Key File of Client 1 and 2" allowed-ips 10.1.1.2/32 endpoint VNETIP:LISTENPORT

VNETIP The configured vnet ipaddress of the other client

Preshared Key the file in /etc/wireguard/psk.key

LISTENPORT The listen port of the other client

Setting Static Configuration

This is important, because the top configuration is only active while the node is not restarted.

Create /etc/wireguard/wg0.conf:

wg showconf wg0 > /etc/wireguard/wg0.conf

create a script that peers the connections and add it to crontab for every restart /etc/wireguard/peer_wireguard.sh

ip link add wg0 type wireguard
ip addr add 10.1.1.2/24 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up

List of sources

PreviousVPNNextFirewall

Last updated

Was this helpful?