WireGuard

From Bitpost wiki
Revision as of 13:25, 11 December 2024

WireGuard is well-loved FOSS software that is simpler, smaller, and WAY FASTER than OpenVPN, so let's have at it.

Configuration

All client configs are here:

/home/m/apps/Wireguard

All server configs are here:

sudo su -
cd /etc/wireguard

Status

Service:

systemctl status wg-quick@wg0.service

Systemd journal log:

journalctl -xeu wg-quick@wg0.service

Adding a client

Here is an excellent youtube overview.

Android

  • On the server, generate a client keypair using the script tool
  • Keep the server QR code handy; it apparently contains everything the client will need once you add the client key (!!)
  • On the phone, download the wireguard android app, and add the server connection via the QR code

That's it? Really? Then I can use the hotspot from the laptop? Really??

Installation

The simplest installation can be done with this script. I'm tired and not sure why there is not a dedicated PPA, as the version baked into Ubuntu is f'in old... so let's just try this...

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

My choices:

 🌵 m@bitpost  [~] sudo ./wireguard-install.sh
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: 136.47.226.130
Public interface: enp10s0f0
WireGuard interface name: wg0
Server WireGuard IPv4: 192.168.22.199
Server WireGuard IPv6: fd42:42:42::1
Server WireGuard port [1-65535]: 53
First DNS resolver to use for the clients: 192.168.22.1
Second DNS resolver to use for the clients (optional): 1.1.1.1

WireGuard uses a parameter called AllowedIPs to determine what is routed over the VPN.
Allowed IPs list for generated clients (leave default to route everything): 0.0.0.0/0,::/0 
Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

Something went wrong...

* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xeu wg-quick@wg0.service" for details.

Remove so we can try again...

 🌵 m@bitpost  [~] sudo ./wireguard-install.sh 
Welcome to WireGuard-install!
The git repository is available at: https://github.com/angristan/wireguard-install

It looks like WireGuard is already installed.

What do you want to do?
   1) Add a new user
   2) List all users
   3) Revoke existing user
   4) Uninstall WireGuard
   5) Exit
Select an option [1-5]: 4


WARNING: This will uninstall WireGuard and remove all the configuration files!
Please backup the /etc/wireguard directory if you want to keep your configuration files.

Do you really want to remove WireGuard? [y/n]: y
Removed /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libqrencode4
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  qrencode wireguard wireguard-tools
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 411 kB disk space will be freed.
(Reading database ... 139965 files and directories currently installed.)
Removing qrencode (4.1.1-1) ...
Removing wireguard (1.0.20210914-1ubuntu2) ...
Removing wireguard-tools (1.0.20210914-1ubuntu2) ...
Processing triggers for man-db (2.10.2-1) ...
* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /etc/sysctl.d/20_MDM_sysctl.conf ...
fs.inotify.max_user_watches = 524288
* Applying /etc/sysctl.d/30-postgresql-shm.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
WireGuard uninstalled successfully.
 🌵 m@bitpost  [~] 

Frankly I'm baffled by what I am supposed to use for the WireGuard IPv6. Here are some generic notes...

In a typical IPv6 LAN setup, devices might be assigned addresses from a prefix, such as 2001:db8:1234::/64. For example:

2001:db8:1234:0000:0000:0000:0000:0001
2001:db8:1234:0000:0000:0000:0000:0002
2001:db8:1234:0000:0000:0000:0000:0003

I'll try this???

2022:db8:1234:0000:0000:0000:0000:0001

no good... use the default and change some other stuff instead...


 🌵 m@bitpost  [~] sudo ./wireguard-install.sh 
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: 136.47.226.130
Public interface: enp10s0f0
WireGuard interface name: wg0
Server WireGuard IPv4: 192.168.22.199
Server WireGuard IPv6: 2022:db8:1234:0000:0000:0000:0000:0001
Server WireGuard IPv6: fd42:42:42::1
Server WireGuard port [1-65535]: (redacted by me)
First DNS resolver to use for the clients: 192.168.22.1
Second DNS resolver to use for the clients (optional): 1.1.1.1

WireGuard uses a parameter called AllowedIPs to determine what is routed over the VPN.
Allowed IPs list for generated clients (leave default to route everything): 0.0.0.0/0

Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Fetched 384 kB in 1s (676 kB/s)   
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
resolvconf is already the newest version (1.84ubuntu1).
iptables is already the newest version (1.8.7-1ubuntu5.2).
The following additional packages will be installed:
  wireguard-tools
The following NEW packages will be installed:
  qrencode wireguard wireguard-tools
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/115 kB of archives.
After this operation, 411 kB of additional disk space will be used.
Selecting previously unselected package qrencode.
(Reading database ... 139878 files and directories currently installed.)
Preparing to unpack .../qrencode_4.1.1-1_amd64.deb ...
Unpacking qrencode (4.1.1-1) ...
Selecting previously unselected package wireguard-tools.
Preparing to unpack .../wireguard-tools_1.0.20210914-1ubuntu2_amd64.deb ...
Unpacking wireguard-tools (1.0.20210914-1ubuntu2) ...
Selecting previously unselected package wireguard.
Preparing to unpack .../wireguard_1.0.20210914-1ubuntu2_all.deb ...
Unpacking wireguard (1.0.20210914-1ubuntu2) ...
Setting up qrencode (4.1.1-1) ...
Setting up wireguard-tools (1.0.20210914-1ubuntu2) ...
wg-quick.target is a disabled or a static unit not running, not starting it.
Setting up wireguard (1.0.20210914-1ubuntu2) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning candidates...
Scanning processor microcode...
Scanning linux images...

The processor microcode seems to be up-to-date.

Restarting services...
 systemctl restart polkit.service
Service restarts being deferred:
 /etc/needrestart/restart.d/dbus.service
 systemctl restart networkd-dispatcher.service
 systemctl restart unattended-upgrades.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /etc/sysctl.d/20_MDM_sysctl.conf ...
fs.inotify.max_user_watches = 524288
* Applying /etc/sysctl.d/30-postgresql-shm.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/wg.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.

Client configuration

The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: bitpost
Client WireGuard IPv4: 192.168.22.1
Client WireGuard IPv6: fd42:42:42::1

Here is your client config file as a QR Code:

(redacted) 

Your client config file is in /home/m/wg0-client-bitpost.conf
If you want to add more clients, you simply need to run this script another time!

WireGuard is running.
You can check the status of WireGuard with: systemctl status wg-quick@wg0


If you don't have internet connectivity from your client, try to reboot the server.
 🌵 m@bitpost  [~] 

I think that did it!

 🌵 m@bitpost  [~] sudo wg
interface: wg0
  public key: (redacted by me)
  private key: (hidden)
  listening port: (redacted by me)

peer: (redacted by me)
  preshared key: (hidden)
  allowed ips: 192.168.22.1/32, fd42:42:42::1/128

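As a sanity check over the address plan (an added example, not part of this wiki page or of the installer script): it classifies a candidate IPv6 tunnel address (the fc00::/7 unique-local range the installer defaults to, versus the 2001:db8::/32 documentation prefix used in the generic notes above) and flags a peer address that duplicates another peer's or collides with a DNS resolver handed to the clients. The PAGE_PLAN values are copied from the installer transcripts above; the function and variable names are my own.

```python
import ipaddress
from typing import List, Tuple

# RFC 4193 unique local addresses: the usual choice for a private tunnel.
ULA = ipaddress.ip_network("fc00::/7")
# RFC 3849 documentation-only prefix: meant for examples, not real interfaces.
DOC_V6 = ipaddress.ip_network("2001:db8::/32")


def classify_v6(addr: str) -> str:
    """Name the kind of IPv6 address a candidate tunnel address is."""
    ip = ipaddress.IPv6Address(addr)
    if ip in DOC_V6:
        return "documentation-only"
    if ip in ULA:
        return "unique-local"
    if ip.is_link_local:
        return "link-local"
    return "global" if ip.is_global else "other"


def check_plan(server_v4: str, server_v6: str,
               clients: List[Tuple[str, str, str]], dns: List[str]) -> List[str]:
    """Return findings for a WireGuard address plan; an empty list means no collisions."""
    findings: List[str] = []
    if classify_v6(server_v6) == "documentation-only":
        findings.append(f"server: {server_v6} is in 2001:db8::/32 (documentation-only)")
    # Who owns each tunnel address; the server claims its own two first.
    owner = {ipaddress.ip_address(server_v4): "server",
             ipaddress.ip_address(server_v6): "server"}
    resolvers = {ipaddress.ip_address(d) for d in dns}
    for name, v4, v6 in clients:
        if classify_v6(v6) == "documentation-only":
            findings.append(f"{name}: {v6} is in 2001:db8::/32 (documentation-only)")
        for a in (v4, v6):
            ip = ipaddress.ip_address(a)
            if ip in owner:
                findings.append(f"{name}: {a} is already used by {owner[ip]}")
            owner.setdefault(ip, name)
            if ip in resolvers:
                findings.append(f"{name}: {a} is also a DNS resolver the clients are told to use")
    return findings


# Values taken from the installer transcript on this page (server, client bitpost, DNS).
PAGE_PLAN = dict(server_v4="192.168.22.199", server_v6="fd42:42:42::1",
                 clients=[("bitpost", "192.168.22.1", "fd42:42:42::1")],
                 dns=["192.168.22.1", "1.1.1.1"])

if __name__ == "__main__":
    for line in check_plan(**PAGE_PLAN) or ["no collisions found"]:
        print(line)
```

Run against the page's own values it reports that the generated client shares the server's IPv6 and that its IPv4 is the first DNS resolver the clients are pointed at.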
Next we need to open UDP traffic on our port. Do it in stronger_firewall.

Well, I can't ping... I wonder if that port is just not going through the hotspot...?

I'm going to switch to using the DNS port (53) and retrying. I wiped wireguard to try tailscale, so we need to redo it all again.