Build a VPN Tunnel with WireGuard

Tunneled

After completing the setup, the laptop, which acts as a server in our case, will take responsibility for transporting the network packets and will reside between the client and, for example, any websites it visits, accepting requests and returning responses. This connection is encrypted in both directions. Visited websites only see the server's IP address, not your own.

Setting up a VPN with WireGuard is easier than with its competitors (which sometimes require a demanding configuration that is easily beyond a beginner's capabilities). With the recent addition of WireGuard to the mainline kernel, its adoption is expected to continue to grow; over time, the configuration is likely to be simplified with additional tools.

Installing WireGuard

Unlike its competitors, WireGuard uses the same software on the server and the clients. After installing the wireguard package via the server's and the clients' package managers, start the process of generating private and public keys; this is comparable to the same procedure in SSH. You need to create a key pair for each device that will have access to the VPN. The two computers on either end of the WireGuard tunnel each need the public keys from the other end. WireGuard does not care whether the server is on the Internet or a local network.

If you are using Ubuntu 20.04, the best way to install WireGuard is to type the following at the command line

sudo apt install wireguard

rather than using the graphical package manager, which only gives you an outdated third-party snap package (Figure 1). Also make sure that the header files are installed to match the kernel.

Figure 1: Ubuntu 20.04 LTS offers two different WireGuard packages. The Ubuntu Software Center gives you an outdated third-party snap. Instead, use the wireguard package, which you can install at the command line.

After installing the package, you still need to enable IP forwarding on the designated WireGuard server. As root, open the /etc/sysctl.conf file in an editor and uncomment the lines #net.ipv4.ip_forward=1 for IPv4 or #net.ipv6.conf.all.forwarding=1 for IPv6 (Listing 1). Then reload the system configuration (Listing 2) by typing:

sudo sysctl -p

Listing 1

Enabling IP Forwarding

[...]
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
[...]
# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
[...]

Listing 2

Reloading WireGuard

### Install Wireguard
$ sudo apt update
$ sudo apt install wireguard resolvconf
### Only on the Wireguard server:
$ sudo nano /etc/sysctl.conf
$ sudo sysctl -p

Key Services

Now create the required private and public keys on the server and clients (shown in Listing 3). Finally, check that the keys have been created with the ls command (Figure 2). It is best to copy both public keys into a text file and save them on a USB stick for later configuration.

Listing 3

Creating Private and Public Keys

$ sudo -s
$ cd /etc/wireguard
### Generate key on server:
$ umask 077; wg genkey | tee <client1>.key | wg pubkey > <client1>.pub
### Generate key on client:
$ umask 077; wg genkey | tee <client2>.key | wg pubkey > <client2>.pub
### Check key on server:
$ ls -al
total 24
drwx------   2 root root  4096 Apr 30 19:49 .
drwxr-xr-x 131 root root 12288 Apr 30 19:47 ..
-rw-------   1 root root    45 Apr 30 19:49 client1.key
-rw-------   1 root root    45 Apr 30 19:49 client1.pub
$ cat /etc/wireguard/client1.key
YBwK1N1O7OwOEtWCFnxwF9aVB0GK5YUNxEtU1pyVuUs=
$ cat /etc/wireguard/client1.pub
LnEReQTHUY7FIMaAR6qVcCfk95ucPY6O/zb4OfdfYh4=
Figure 2: Creating the cryptographic keys is reminiscent of SSH. Repeat the commands on every computer that is involved.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Mistborn

    Mistborn bundles important Internet services on your home network and secures them with a WireGuard VPN tunnel, Pi-hole, iptables rules, and separate containers.

  • Core Technologies

    Prise the back off Linux and find out what really makes it tick.

  • NEWS

    In the news: Linux Usage Is on the Rise; Lenovo Is Jumping on the Linux Laptop Bandwagon; A New Linux Laptop Is in the Making; Ubuntu 20.04 Released; and Git 2.26 Released.

  • Mozilla VPN Now Available for Linux

    The promised subscription-based VPN service from Mozilla is now available for the Linux platform.

  • FOSSPicks

    Graham looks at Gimp 2.10, Font Finder, Mixxx 2.1, SoundStage VR, VVave, and more!

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News