Tags Archives: vpn

Can’t ping or access devices on a Zerotier VPN

 After rebooting, you may find you cannot ping or access another of your Zerotier hosts on your VPN eg by SSH. 

 

 

The solution to this is as follows:

 

On both machines that cant access or ping each other, run the following to find their Zerotier ID

 

sudo zerotier-cli info

 

eg

 

200 info **999xxxxx99** 1.6.2 ONLINE

 

Then, on each machine stop the zerotier service:

 

sudo systemctl stop zerotier-one

 

Next, delete the peer data for each machine on both machines:

 

eg in this case:

 

sudo rm /var/lib/zerotier-one/peers.d/999xxxxx99.peer

 

Then, having done that – on both machines that have the problem, restart the zerotier service:

 

sudo systemctl start zerotier-one

 

both machines should now be reachable in both directions via your Zerotier VPN.

 

Continue Reading

Setting Up a VPN Network Using Zerotier-One

Zerotier-One is an established VPN multiple peer-to-peer system provided by a company based in California, USA, who distribute and maintain the Zerotier VPN software.

 

The basic Zerotier-One VPN service is free and can support a high number of node computers. The company provides added-value services but the free service is adequate for many smaller businesses, organizations and domestic users.

 

 

How Zerotier Works

 

Zerotier run so-called Zerotier “root servers” known as “planets” which provide the functionality for the network.

 

The system is easier to configure than for example OpenVPN or Wireguard.  Zerotier provides a Web-based dashboard for managing your VPN, as well as a command-line interface.

 

Unlike conventional VPN proxy services. Zerotier can’t see your network traffic. As with OpenVPN, you are responsible for creating and operating your own VPN servers. Zerotier uses a peer-to-peer model which means there are no conventional-style “VPN servers” for Zerotier.

 

 

All participants in your Zerotier VPN are equal nodes.

 

 

 

The only drawback with Zerotier is that VPN network access is managed via my.zerotier.com. If this server should get hacked or suffer an outage then your VPN network could potentially be accessible to an intruder or VPN could be adversely affected or unreachable.

 

You can set up multiple VPN networks with Zerotier should you wish to run different WANs for specific purposes. The web-based dashboard makes it easy to manage your VPN/s from anywhere. 

 

Zerotier divides the virtual connection into two parts:

 

The first is Virtual Layer 1 or VL1. This is the p2p component that manages encryption and direct communication. I is a virtualization of the physical layer in the OSI Networking System.

 

The second is Virtual Layer 2 or VL2 – the virtual Ethernet component that handles machine authorization, access control, network rules, etc.

 

VL1 is designed to operate with no configuration. Instead, it relies on the existence of the Zerotier “planet” or root server system.  This layer is what creates the actual virtual network.

 

It also deploys UDP “Hole Punching” to circumvent any NAT configurations where they are found. 

 

VL2 is a Virtualized LAN protocol with Software-Defined Network (SDN) management features. It deploys secure VLAN boundaries, multicasting, and capability-based security, and certificate-based access control mechanisms.

 

This is the layer that takes care of the data packet transmission across the VPN.

Zerotier Infrastructure

Zerotier currently provide a network of 12 root servers or “planets” located in different global regions to operate VL1 functionality for all the hosted VPNs on the system.

 

If you wish, you can also set up your own replica “root servers” on your own VPN – these are known as “moons”. These help reduce the network overhead on the Zerotier root servers, and can also help increase network speeds and reduce latency. However, in most individual cases, this is not necessary.

 

 Once the VL1 connection has been established, Zerotier clients then contact the network controller.

 

Every Zerotier VPN has a network controller. This is a node tasked with admitting members to the VPN, issuing certificates, and providing default configuration information when required.

 

The network controller distributes network configurations for VL2 participation among the client nodes and deploys cryptographic methods for authenticating the members.

 

Setting up a Zerotier VPN is simple and the system will generally work straight “out of the box” with minimal configuration.

 

For detailed instructions see  https://zerotier.atlassian.net/wiki/spaces/SD/pages/8454145/Getting+Started+with+ZeroTier

 

The Zerotier Knowledge Base is at: https://zerotier.atlassian.net/wiki/spaces/SD/overview

 

 

Installation and Configuration of Zerotier VPN

 

 

First of all create an account with Zerotier. The basic account is free. Go to https://my.zerotier.com/

 

 

Next, while logged into the ZeroTier service at https://my.zerotier.com/, navigate to the Networks tab.

 

 

Select:

 

“Create New Network”

 

Your Network ID will be listed in the interface.

 

Click on your network and you will then be presented with the dashboard page for your Zerotier VPN network.

 

Make sure you set your access control to PRIVATE!

 

 

 

Install the Zerotier client on all machines:

 

on ubuntu machines, you can now use the apt command:

 

apt install zerotier

 

 

The official Zerotier Download page is at https://www.zerotier.com/download/

 

 

Alternatively, you can use the following piped Zerotier installation command as follows:

 

curl -s ‘https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61’ | gpg –import && if z=$(curl -s ‘https://install.zerotier.com/’ | gpg); then echo “$z” | sudo bash; fi

 

 

This uses a GPG-signed script that ensures the code you download is verified as published by ZeroTier.

 

 

the curl command imports the ZeroTier public key from MIT.

 

curl -s ‘https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61’

 

gpg –import

 

This section of the piped command adds the ZeroTier public key to your local keychain of authorities to trust for packages you install.

 

The next section will execute provided the GPG import completes successfully:

 

if z=$(curl -s ‘https://install.zerotier.com/’ | gpg); then echo “$z”

 

Basically, this says: “Provided the cryptographically-signed install script downloaded from ZeroTier.com successfully passes the GPG test – and is not rejected as unsigned by ZeroTier, then output that information on the screen.”

 

sudo bash; fi – This executes the newly-validated installer script.

 

 

Admit a machine to your Zerotier VPN:

 

You do this using the zerotier join command:

 

on the machine you want to join to your VPN network, execute:

 

sudo zerotier-cli join YourNetworkID

 

 

You should then receive a 200 join OK message, confirming the ZeroTier service on your machine has understood the command.

 

You then need to approve the machine in your My Zerotier dashboard at https://my.zerotier.com/

 

IMPORTANT: Until you complete these two actions your machine will not be able to participate in your VPN network!

 

 

Choose Public or Private Access

 

This is important for security:

 

There are two ways to configure access to your VPN: Public or Private

 

Public Network: This means anyone who knows the Network ID can connect. This is the most insecure option and not generally recommended if you don’t need to provide public access.

 

Private Network: This is the most secure option and generally the default you will be wanting to use. This requires all connecting machines to first be approved through the ZeroTier interface before they are permitted to connect.

 

Set a name for your network. This can be anything, it is just a label character string.

 

In the Auth section, you click on the boxes to approve each machine you want to give access to.

 

 

If you then do an ifconfig you should then see your virtual ethernet device listed for your Zerotier VPN:

 

for example:

 

ztppizdp4o: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
inet 10.147.18.14 netmask 255.255.255.0 broadcast 10.147.18.255
inet6 fe80::908b:6eff:fe55:e7ab prefixlen 64 scopeid 0x20<link>
ether 92:8b:6e:55:e7:ab txqueuelen 1000 (Ethernet)
RX packets 842271 bytes 2196053299 (2.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 454784 bytes 62851965 (62.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@asus:~#

 

 

 

You can then define /etc/hosts machine name entries for your VPN virtual interface IPs as the virtual IPs for Zerotier always remain the same for each node.

 

 

Continue Reading

How To Configure Wireguard

To quote from Wikipedia:

 

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface. It aims for better performance and more power-saving than the IPsec and OpenVPN tunneling protocols. The WireGuard protocol passes traffic over UDP.

 

Wireguard is a peer-to-peer VPN, in other words, it does not use the traditional client-server model. A Wireguard peer can act as a traditional server or a client. Wireguard operates by establishing a network interface on each peer device that then acts as a tunnel.

 

Wireguard peers then authenticate each other by exchanging and validating their public keys. These keys are mapped with a list of IP addresses that are permitted to access the tunnel.

 

In comparison with other VPN solutions, such as OpenVPN and IPsec , WireGuard is much faster, is easier to configure, and also has a smaller footprint. Wireguard will run on Linux, Windows, Android, and macOS.

 

 

 

How to install Wireguard on Ubuntu

 

 

Wireguard is Peer-to-Peer – NOT client-server!

 

NOTE: Wireguard operates using a peer-to-peer architecture, not client-server. In the description below I refer to one of my machines on which I am installing Wireguard as server and the other as client, but this is merely my own designation and has no relevance for Wireguard itself.

 

 

The wireguard package contains two binaries:

 

wg — a tool for managing the configuration of WireGuard interfaces
wg-quick — a tool for easily starting and stopping WireGuard interfaces

 

 

To install on Ubuntu:

 

apt update

apt install wireguard

 

root@intel:/home/kevin# apt install wireguard
Reading package lists... Done
Building dependency tree 
Reading state information... Done
The following packages were automatically installed and are no longer required:
libphonenumber7 libprotobuf17
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
wireguard-tools
The following NEW packages will be installed:
wireguard wireguard-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 86,6 kB of archives.
After this operation, 344 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://de.archive.ubuntu.com/ubuntu focal-updates/universe amd64 wireguard-tools amd64 1.0.20200513-1~20.04.2 [83,3 kB]
Get:2 http://de.archive.ubuntu.com/ubuntu focal-updates/universe amd64 wireguard all 1.0.20200513-1~20.04.2 [3.264 B]
Fetched 86,6 kB in 0s (378 kB/s) 
Selecting previously unselected package wireguard-tools.
(Reading database ... 235908 files and directories currently installed.)
Preparing to unpack .../wireguard-tools_1.0.20200513-1~20.04.2_amd64.deb ...
Unpacking wireguard-tools (1.0.20200513-1~20.04.2) ...
Selecting previously unselected package wireguard.
Preparing to unpack .../wireguard_1.0.20200513-1~20.04.2_all.deb ...
Unpacking wireguard (1.0.20200513-1~20.04.2) ...
Setting up wireguard-tools (1.0.20200513-1~20.04.2) ...
wg-quick.target is a disabled or a static unit, not starting it.
Setting up wireguard (1.0.20200513-1~20.04.2) ...
Processing triggers for man-db (2.9.1-1) ...
root@intel:/home/kevin#

 

Basic Wireguard Configuration

 

The wg and wg-quick Wireguard command-line tools are used to configure and manage the WireGuard interfaces.

 

Each device in the WireGuard VPN network must have a private and public key.  Generate the key pair with this command:

 

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

 

root@intel:~# wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Y+BuUdkyp+9pJlyfyBcYkCRgcbFqSv/TENH8TGyT6iA=
root@intel:~#

 

(this is your public key)

 

Always keep the private keys private and do not share with anyone!

 

Next, configure the tunnel device that will be used to route the Wireguard VPN traffic.  This tunnel device can be set up either from the command line using the ip and wg commands, or else by creating the configuration file as below.

 

Create a new file named wg0.conf and copy-paste the following contents:

 

nano /etc/wireguard/wg0.conf

 

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

 

NOTE – this is just an initial template. You must replace ens3 after -A POSTROUTING to match the name of your public network interface.  In my case, the public internet interface for my machine is wlp2s0

 

so we have:

 

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE

 

explanation:

 

Address – A comma-separated list of v4 or v6 IP addresses for the wg0 interface. Use IPs from a range that is reserved for private networks (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16).

 

ListenPort – The listening port.

 

PrivateKey – A private key generated by the wg genkey command. (To see the contents of the file type: sudo cat /etc/wireguard/privatekey) Replace SERVER_PRIVATE_KEY with your copy-pasted private key – NOT the path to the privatekey file but the actual contents of the file!

 

SaveConfig – When set to true, the current state of the interface is saved to the configuration file when shutdown.

 

PostUp – Command or script that is executed before bringing the interface up. In this example, we’re using iptables to enable masquerading. This allows traffic to leave the server, giving the VPN clients access to the Internet.

 

 

Replace the network interface ens0 with your own public internet interface.

 

 

You can find this with:

 

root@intel:/etc/wireguard# ip -o -4 route show to default | awk '{print $5}'
wlp2s0
root@intel:/etc/wireguard#

Note for this installation instance Wireguard will be listening on port 51820.

 

 

Firewall Config for Wireguard

 

So you must also open this port in your firewall/s:

 

ufw allow 51820/udp

 

Note we are just opening the port for UDP, not for TCP!

 

Activate firewall if necessary with:

 

root@intel:~# ufw status 
Status: inactive
root@intel:~#


root@intel:~# ufw enable
Firewall is active and enabled on system startup
root@intel:~#

check with:

root@intel:~# ufw verbose
Status: active


To Action From
-- ------ ----
2812 ALLOW Anywhere 
51820/udp ALLOW Anywhere 
2812 (v6) ALLOW Anywhere (v6) 
51820/udp (v6) ALLOW Anywhere (v6)

root@intel:~#

 

and make sure you save the firewall config:

 

root@intel:~# iptables-save > /etc/iptables.rules

 

Then set the file permissions:

 

root@intel:/etc/wireguard# chmod 600 /etc/wireguard/{privatekey,wg0.conf}
root@intel:/etc/wireguard#

 

and then you should be all set to start the Wireguard interface:

 

root@intel:/etc/wireguard# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
root@intel:/etc/wireguard#

 

ifconfig shows that the device has been created, and has a virtual IP in the range we specified:

 

root@intel:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 174 dropped 0 overruns 0 carrier 0 collisions 0
root@intel:/etc/wireguard#

 

 

How To Remove a Wireguard Network Interface

 

 

Normally you would not want to do this, but you may wish to in some cases, including if you are deinstalling or deactivating Wireguard. I needed to do this in order to configure the systemd scripts for Wireguard:

 

root@intel:~# ifconfig wg0
wg0: flags=144<POINTOPOINT,NOARP> mtu 1420
inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 1179 dropped 0 overruns 0 carrier 0 collisions 0


root@intel:~# ip link delete dev wg0
root@intel:~# ifconfig wg0
wg0: error fetching interface information: Device not found
root@intel:~#

root@intel:~# ip link delete dev wg0
root@intel:~# ifconfig wg0
wg0: error fetching interface information: Device not found
root@intel:~# 
root@intel:~# systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
root@intel:~# systemctl start wg-quick@wg0
root@intel:~# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2021-06-02 14:06:48 CEST; 3s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 16684 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 16684 (code=exited, status=0/SUCCESS)


Jun 02 14:06:48 intel systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jun 02 14:06:48 intel wg-quick[16684]: [#] ip link add wg0 type wireguard
Jun 02 14:06:48 intel wg-quick[16684]: [#] wg setconf wg0 /dev/fd/63
Jun 02 14:06:48 intel wg-quick[16684]: [#] ip -4 address add 10.0.0.1/24 dev wg0
Jun 02 14:06:48 intel wg-quick[16684]: [#] ip link set mtu 1420 up dev wg0
Jun 02 14:06:48 intel wg-quick[16684]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
Jun 02 14:06:48 intel systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
root@intel:~#

The device is then automatically created by the systemd scripts:

 

root@intel:~# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.0.0.1 netmask 255.255.255.0 destination 10.0.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 144 dropped 0 overruns 0 carrier 0 collisions 0

root@intel:~#


root@intel:~# wg
interface: wg0
public key: Y+BuUdkyp+9pJlyfyBcYkCRgcbFqSv/TENH8TGyT6iA=
private key: (hidden)
listening port: 51820
root@intel:~#

root@intel:~# wg --help
Usage: wg <cmd> [<args>]


Available subcommands:
show: Shows the current configuration and device information
showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
set: Change the current configuration, add peers, remove peers, or change peers
setconf: Applies a configuration file to a WireGuard interface
addconf: Appends a configuration file to a WireGuard interface
syncconf: Synchronizes a configuration file to a WireGuard interface
genkey: Generates a new private key and writes it to stdout
genpsk: Generates a new preshared key and writes it to stdout
pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.
root@intel:~#

When you want a client to be given permission to connect to your Wireguard VPN tunnel, you add the following to the wg0.conf:

 

[Peer] PublicKey = <public_key_of_your_peer> # OPTIONAL, its also possible to define a pre-shared key for additional security.

 

PresharedKey = <pre-shared key> # at least one peer needs to provide this one.

 

Endpoint = <end_point_hostname_or_ip:port> # in theory this could be restricted to dn42 networks, however it is easier to do this with iptables/bgp filters/routing table instead just like for openvpn-based peering.

 

AllowedIPs = 0.0.0.0/0,::/0

 

Manual Configuration of Wireguard server/client hosts

 

 

syntax:

 

wg set wg0 listen-port 51820 private-key /path/to/peer_A.key

 

so we do ON server, then on client: same but with different ip – also check the respective network interface device names are correct!

 

server:

root@gemini:/etc/wireguard# ip link add dev wg0 type wireguard
root@gemini:/etc/wireguard# ip addr add 10.0.0.1/24 dev wg0
root@gemini:/etc/wireguard# wg set wg0 listen-port 51820 private-key privatekey
root@gemini:/etc/wireguard# ip link set wg0 up



root@gemini:/etc/wireguard# wg
interface: wg0
public key: L+sHb++AKFZkhDzrSLAhhhxM6SfrpQhVmRFDfUp7lSo=
private key: (hidden)
listening port: 51820
root@gemini:/etc/wireguard#



client:
root@intel:/etc/wireguard# ip link add dev wg0 type wireguard
root@intel:/etc/wireguard# ip addr add 10.0.0.2/24 dev wg0 
root@intel:/etc/wireguard# wg set wg0 listen-port 51820 private-key privatekey
root@intel:/etc/wireguard# ip link set wg0 up

root@intel:/etc/wireguard# wg
interface: wg0
public key: F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04=
private key: (hidden)
listening port: 51820
root@intel:/etc/wireguard#

 

then – ESSENTIAL – DO NOT FORGET – this sets the peer relationship – else no connection possible:

root@intel:/etc/wireguard# wg set wg0 peer L+sHb++AKFZkhDzrSLAhhhxM6SfrpQhVmRFDfUp7lSo= allowed-ips 10.0.0.1 endpoint 10.147.18.185:51820
root@intel:/etc/wireguard# wg
interface: wg0
public key: F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04=
private key: (hidden)
listening port: 51820

peer: L+sHb++AKFZkhDzrSLAhhhxM6SfrpQhVmRFDfUp7lSo=
endpoint: 10.147.18.185:51820
allowed ips: 10.0.0.1/32
root@intel:/etc/wireguard#

 

and on the other machine:

root@gemini:/etc/wireguard# wg set wg0 peer F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04= allowed-ips 10.0.0.2 endpoint 10.147.18.84:51280




root@gemini:/etc/wireguard#

root@gemini:/etc/wireguard# wg interface: wg0 public key: L+sHb++AKFZkhDzrSLAhhhxM6SfrpQhVmRFDfUp7lSo= private key: (hidden)

listening port: 51820 peer: F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04= endpoint: 10.147.18.84:51280 allowed ips: 10.0.0.2/32 transfer: 0 B received, 1.30 KiB sent

root@gemini:/etc/wireguard# 


 

Set IP Forwarding:

 

root@intel:/etc/wireguard# sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
root@intel:/etc/wireguard# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@intel:/etc/wireguard# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
root@intel:/etc/wireguard#


root@gemini:/etc/wireguard# sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
root@gemini:/etc/wireguard# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@gemini:/etc/wireguard# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra = 2
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
root@gemini:/etc/wireguard#

 

root@intel:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.0.0.2 netmask 255.255.255.0 destination 10.0.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 117 dropped 0 overruns 0 carrier 0 collisions 0

root@intel:/etc/wireguard# wg
interface: wg0
public key: F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04=
private key: (hidden)
listening port: 48886
root@intel:/etc/wireguard#


server:

root@gemini:/etc/wireguard# wg
interface: wg0
public key: L+sHb++AKFZkhDzrSLAhhhxM6SfrpQhVmRFDfUp7lSo=
private key: (hidden)
listening port: 43193

peer: F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04=
endpoint: 10.147.18.84:36244
allowed ips: 10.0.0.2/32
root@gemini:/etc/wireguard#

root@gemini:/etc/wireguard# cat wg0.conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ztppizdp4o -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ztppizdp4o -j MASQUERADE
ListenPort = 43193
PrivateKey = (hidden)

[Peer]
PublicKey = F8OQkGTjovRIxzvr4YKfpeq7vhAFqQjPKUyh9Eauf04=
AllowedIPs = 10.0.0.2/32
Endpoint = 10.147.18.84:36244
root@gemini:/etc/wireguard#

 

 

Demo Wireguard Server Connection for Testing Purposes

 

Wireguard also provides a test script and external server facility for demo purposes which you can use. See below.

 

After installing WireGuard, you can test your connection using the Wireguard script client.sh located in
/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server#

 

$ sudo contrib/examples/ncat-client-server/client.sh

 

 

Run this script and it will automatically setup interface wg0, though using a very insecure transport link only suitable for demo purposes:

 

 

root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server# ./client.sh
root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server# 



root@intel:/usr/local/bin/wireguard-tools/plain# wg
interface: wg0
public key: RORt0LWXzqYdeJ1YYusvyly5JdiBmWrT8hmNgfNlVkk=
private key: (hidden)
listening port: 49101


peer: JRI8Xc0zKP9kXk8qP84NdUQA04h6DLfFbwJn4g+/PFs=
endpoint: 163.172.161.0:12912
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 25 seconds ago
transfer: 40.77 KiB received, 114.82 KiB sent
persistent keepalive: every 25 seconds
root@intel:/usr/local/bin/wireguard-tools/plain#




root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 192.168.4.46 netmask 255.255.255.0 destination 192.168.4.46
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 102 bytes 47496 (47.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1173 bytes 227352 (227.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server#



root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.178.1 0.0.0.0 UG 600 0 0 wlp2s0
10.147.18.0 0.0.0.0 255.255.255.0 U 0 0 0 ztppizdp4o
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 virbr0
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
192.168.178.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp2s0
root@intel:/usr/local/bin/wireguard-tools/plain/contrib/examples/ncat-client-server#



You can then test loading the hidden website at http://192.168.4.1 in a web-browser and sending pings: (you can use any browser, just point browser at the http://192.168.4.1

 

 

To redirect your internet traffic using the Wireguard demo server, you can configure it as:

 

$ sudo contrib/examples/ncat-client-server/client.sh default-route
$ curl zx2c4.com/ip
163.172.161.0
demo.wireguard.com
curl/7.49.1

However, as Wireguard states, “By connecting to this server, you acknowledge that you will not use it for any abusive or illegal purposes and that your traffic may be monitored.”

 

 

When you have finished the test you should disconnect the link:

 

wg-quick down wg0

root@intel:~# wg-quick down wg0
[#] wg showconf wg0
[#] ip link delete dev wg0
[#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ztppizdp4o -j MASQUERADE
root@intel:~# wg
root@intel:~#

 

Wireguard Debug Info

If you’re using the Linux kernel module and your kernel supports dynamic debugging, you can get useful runtime output by enabling dynamic debug for the module:

 

# modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

 

If you’re using a userspace implementation, set the environment variable export LOG_LEVEL=verbose.

 

 

For more info, visit https://www.wireguard.com/quickstart/

 

Continue Reading