Generate a WireGuard VPN tunnel configuration to allow multiple clients access to the internet via a server.
Copyright (C) 2019 Christian Garbs mitch@cgarbs.de
Licensed under GNU GPL v3 (or later)
Homepage: https://github.com/mmitch/wireguard-vpn-masquerade
This guide talks about three different actors that are part of the whole:

- The **server** is the system where the VPN tunnel ends and the clients' traffic emerges into the internet. It needs a static IP address or a name resolvable by DNS so the clients know where to connect to.
- A **client** is a device that uses the VPN tunnel to connect to the internet. It can be a laptop, a desktop PC or a mobile device.
- The **configurator** is the host that `wg-conf` runs on. It can be the server, a client or a completely different system. Private keys will be kept here, and the generated configuration must eventually be copied to the server and the clients. Because the `wg(8)` binary is needed, the server is a good candidate for the configurator.
```
 ................
 :              :                 .------.
 :  client 1 <----VPN-TUNNEL----> |      |
 :              :                 |      |          __  ,-.
 :              :                 |      |         (  "    \
 :  client 2 <----VPN-TUNNEL----> |      | <-----> (   `    )
 :              :                 |      |          `--_____"
 :              :                 |      |          internet
 :  client 3 <----VPN-TUNNEL----> |      |
 :              :                 `------'
 :              :                  server
 : evil network :
 :..............:
```
On the configurator:

1. edit `wg-conf.server` and include your network configuration
2. edit `wg-conf.clients` and include all your clients

   In both cases, replace every `PRIVATE-KEY` placeholder with the result of `wg genkey`. Run it once for every client so that all keys are different.

3. run `wg-conf server` and copy the generated configuration to your server
4. run `wg-conf client` for all clients and copy the configuration to your clients
   - for mobile clients run `wg-conf qr` instead and scan the generated QR code from the app
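Two mistakes are easy to make while editing the files: leaving a `PRIVATE-KEY` placeholder in place, or pasting the same key into more than one host. The script below is an added example and not part of wireguard-vpn-masquerade; it assumes each host's key sits on a `PrivateKey = ...` line as in a plain WireGuard config (the real layout of `wg-conf.server` and `wg-conf.clients` may differ, so adapt `extract_private_keys`), and the demo files and key strings it writes are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not part of wireguard-vpn-masquerade.
# Checks edited wg-conf.server / wg-conf.clients files for two common
# mistakes before wg-conf is run: a PRIVATE-KEY placeholder that was never
# replaced, and the same key pasted into more than one host.
# Assumption: each host's key is on a line "PrivateKey = <key>" as in a plain
# WireGuard config; adapt extract_private_keys if the real layout differs.

# Print every private key value found in the given files, one per line.
extract_private_keys() {
    cat -- "$@" | grep -i '^[[:space:]]*PrivateKey[[:space:]]*=' \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Number of private keys found, to compare against the number of hosts.
count_private_keys() {
    extract_private_keys "$@" | wc -l | tr -d ' '
}

# Return 0 if no key is still the literal PRIVATE-KEY placeholder.
no_placeholders_left() {
    ! extract_private_keys "$@" | grep -qx 'PRIVATE-KEY'
}

# Return 0 if every private key is unique across all given files.
all_keys_unique() {
    dups=$(extract_private_keys "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# Run all checks, report findings, return 1 if anything needs fixing.
check_wg_conf_files() {
    rc=0
    if ! no_placeholders_left "$@"; then
        echo "unreplaced PRIVATE-KEY placeholder found; run 'wg genkey' for it" >&2
        rc=1
    fi
    if ! all_keys_unique "$@"; then
        echo "duplicate private key found; run 'wg genkey' once per host" >&2
        rc=1
    fi
    echo "private keys found: $(count_private_keys "$@")"
    return $rc
}

# Generate one fresh key the way the guide describes (needs wg(8) installed).
fresh_private_key() {
    command -v wg >/dev/null 2>&1 || { echo "wg(8) not installed" >&2; return 1; }
    wg genkey
}

# --- constructed demo files: the key strings are made-up, not real keys ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/wg-conf.server" <<'EOF'
# assumed layout, one PrivateKey line for the server
Address = 10.0.0.1/24
PrivateKey = c2VydmVyLXByaXZhdGUta2V5LWV4YW1wbGUtbm90LXJlYWw=
EOF
cat > "$demo_dir/wg-conf.clients" <<'EOF'
# client 1: placeholder never replaced
PrivateKey = PRIVATE-KEY
# client 2: server key pasted by mistake
PrivateKey = c2VydmVyLXByaXZhdGUta2V5LWV4YW1wbGUtbm90LXJlYWw=
EOF

check_wg_conf_files "$demo_dir/wg-conf.server" "$demo_dir/wg-conf.clients" \
    || echo "fix the problems above before running wg-conf"
```

Point `check_wg_conf_files` at your own two files instead of the demo ones; a clean run prints only the key count and exits 0, so it can sit in front of `wg-conf server` in a wrapper script.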
If your clients change, repeat steps 2 to 4 from above: edit `wg-conf.clients` and re-generate the configuration for both the server and any changed client.

Be aware that both `wg-conf.server` and `wg-conf.clients` have been added to `.gitignore` so that you don't accidentally check in your configuration and reveal it to the world. If you want to check in your configuration anyway, you can use `git add --force`.

Better yet: set up a local branch for your local configuration, remove both files from `.gitignore` in that branch and check in your configuration. Then merge (or rebase) any official changes from the master branch as needed.
These things have to be done only once.

On the configurator:

- install `wireguard-vpn-masquerade` (eg. `git clone https://github.com/mmitch/wireguard-vpn-masquerade`)
- install `wg(8)`
  - either install full `wireguard` (see server setup)
  - or just copy the `wg` binary from the server if possible (`wg(8)` is only needed for `wg genkey` and `wg pubkey`)
- install `qrencode` (eg. `apt install qrencode`) if you want to generate QR codes for mobile clients
On the server:

- install `wireguard`, see https://www.wireguard.com/install/

  For me, the following worked on Debian Buster:

  ```
  echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
  printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
  apt update
  apt install wireguard
  ```

- activate masquerading
  - when using `nftables`, it is something like this:

    ```
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
        }
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname ++EXTERNAL_INTERFACE++ masquerade
        }
    }
    ```

  - when using `iptables`, that would be

    ```
    iptables -t nat -A POSTROUTING -o ++EXTERNAL_INTERFACE++ -j MASQUERADE
    ```

  In both cases `++EXTERNAL_INTERFACE++` must be replaced with the name of the external interface on your server.

- activate forwarding
  - to try it out once, use `echo "1" > /proc/sys/net/ipv4/ip_forward`
  - for a persistent configuration, look at `/etc/sysctl.conf` and add `net.ipv4.ip_forward=1`
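As an added example covering both the masquerading and the forwarding steps above (it is not part of wireguard-vpn-masquerade), the script below renders an nftables ruleset equivalent to the snippet above, validating the interface name before it is spliced into the ruleset text, narrows the masquerade to traffic coming from the VPN subnet rather than everything leaving the external interface, and checks whether forwarding is on. The subnet `10.0.0.0/24`, the interface name `eth0` and the sample sysctl file are placeholders I chose for the demo; substitute your own.

```shell
#!/bin/sh
# Added example, not part of wireguard-vpn-masquerade.
# Renders the server-side NAT ruleset and checks the forwarding sysctl.
# Assumptions: VPN subnet 10.0.0.0/24 and external interface eth0 are
# placeholders used only in the demo calls at the bottom.

# Interface names get spliced into the ruleset text, so accept only the
# characters a Linux interface name may contain (no spaces, quotes, braces).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Accept only a dotted-quad IPv4 prefix like 10.0.0.0/24 (digits, dots, one slash).
valid_ipv4_prefix() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an nftables ruleset doing what the guide's snippet does, but only for
# packets that come from the VPN subnet instead of for everything leaving
# the external interface. Usage: render_nft_ruleset EXTERNAL_IF [VPN_SUBNET]
render_nft_ruleset() {
    ext="$1"
    vpn="${2:-10.0.0.0/24}"   # assumed placeholder subnet
    valid_ifname "$ext" || { echo "bad external interface name: '$ext'" >&2; return 1; }
    valid_ipv4_prefix "$vpn" || { echo "bad VPN subnet: '$vpn'" >&2; return 1; }
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $vpn oifname "$ext" masquerade
    }
}
EOF
}

# The same restriction expressed as the guide's iptables command.
render_iptables_cmd() {
    ext="$1"
    vpn="${2:-10.0.0.0/24}"
    valid_ifname "$ext" || return 1
    valid_ipv4_prefix "$vpn" || return 1
    echo "iptables -t nat -A POSTROUTING -s $vpn -o $ext -j MASQUERADE"
}

# Return 0 if IPv4 forwarding is enabled. Reads the same /proc file the guide
# uses; pass a file name to test against a sample instead of the live kernel.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if the given sysctl.conf-style file already enables forwarding
# (an uncommented net.ipv4.ip_forward=1 line), i.e. the persistent step is done.
sysctl_file_enables_forwarding() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Demo with placeholder values; apply the ruleset with 'nft -f -' as root.
render_nft_ruleset eth0 10.0.0.0/24
render_iptables_cmd eth0 10.0.0.0/24
if forwarding_enabled; then
    echo "forwarding: on"
else
    echo "forwarding: off (or /proc not readable here)"
fi
```

Restricting the masquerade by source subnet means that only packets that really came through the tunnel get rewritten; anything else the server happens to forward keeps its original address and is easier to spot in the logs.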
On the clients:

- install `wireguard`
  - for mobiles, install the app
  - otherwise see server setup above