Installation and configuration of WireGuard server and client

WireGuard VPN is a completely free software application that lets us establish VPN tunnels. It combines all the communication and encryption protocols needed to run on multiple clients and build a virtual private network between them. WireGuard offers better performance than IPsec and OpenVPN (both in throughput and in connection latency). Today we will explain its main features and how to install and configure it easily.

WireGuard features

WireGuard VPN is software for creating a Virtual Private Network (VPN) that is very easy to configure, very fast (faster than IPsec and OpenVPN) and uses modern cryptography by default, without having to choose between different symmetric, asymmetric and hashing algorithms. WireGuard's goal is to become a standard and to get more home users and businesses to adopt it instead of IPsec or the popular OpenVPN, which are harder to configure and slower. The software is intended for all audiences, from home users to supercomputers.

With WireGuard VPN there is no connection management as with IPsec: you do not have to worry about the state of the virtual private network, about management processes, or about understanding what the software is doing underneath to make it work, which with other VPNs usually means reading logs to find out what is going on. Another advantage is that the configuration is very basic while the functionality is very powerful.

This software is an L3 VPN and currently works only in tunnel mode: there is no transport mode as in IPsec, nor a layer-2 bridged (TAP) mode as in OpenVPN. It supports both IPv4 and IPv6 networks and can encapsulate IPv4 packets inside IPv6 and vice versa. The transport protocol WireGuard uses is UDP (port 51820 by default), so if the server sits behind a router doing NAT we will have to open (forward) that port; the port itself can be changed freely.

Operating system compatibility

This VPN software was originally designed for the Linux kernel, but it is cross-platform: it is available for Linux, FreeBSD, OpenBSD, macOS, Windows, Android and iOS. One advantage is that client and server configuration use exactly the same syntax on every operating system, so you can configure the server and client on Linux and then "pass" the configuration file to a device running another operating system.

Cryptography used

With IPsec and OpenVPN, client and server must "agree" on the encryption protocols to use (in IPsec Phase 1 and Phase 2, in OpenVPN for the control and data channels); otherwise the connection will not be established. WireGuard instead ships a fixed cryptographic suite, so connectivity is guaranteed without any negotiation. If at some point one of the primitives used by this VPN were deemed insecure, a new protocol version of WireGuard using a replacement primitive would be released, and client and server would simply agree on that "version 2", completely transparently for us. The flip side is that an insecure primitive cannot be disabled by configuration: the fix is always an upgrade on both ends.

Another very important detail is that this VPN has a very small source code base. Compared with strongSwan or OpenVPN there are very few lines of code, so an audit can be performed in a short time and possible vulnerabilities or security holes are easier to find. Fewer lines of code also mean a smaller attack surface.

WireGuard VPN currently uses ChaCha20 for symmetric encryption authenticated with Poly1305 (the ChaCha20-Poly1305 AEAD construction), Curve25519 for ECDH key agreement, BLAKE2s for hashing, SipHash24 for keying its hash tables and HKDF for key derivation. In other words, it uses modern cryptographic algorithms chosen to offer maximum security and performance.

Roaming and kill switch support

The software is designed to roam easily and quickly: if our device changes networks and therefore changes its public IP (for example, when we move from a Wi-Fi network to the operator's 4G/LTE network), the VPN connection stays up because the client quickly re-handshakes with the VPN server, so we are always connected to the VPN.

We can also enable a kill switch on the device: if the VPN connection drops, the software itself blocks all network traffic until the VPN connection is re-established, so that we never browse without the protection this VPN provides.

WireGuard installation

Installing this software is very simple: go to WireGuard's official website and download the installer for Windows or macOS. On Linux-based operating systems you install it from the distribution's repositories; at the time of writing it was not yet in Debian's "stable" branch, so a specific repository had to be added. (WireGuard has been part of the mainline Linux kernel since version 5.6 and of Debian stable since bullseye, so on current releases a plain apt install wireguard is enough and the pinning below is only needed on older releases.)

For example, we have installed the VPN server on the latest Debian version following the steps indicated on the official website. Superuser privileges are required to perform the installation correctly (the redirections are wrapped in sudo sh -c so that the files under /etc are actually written as root):

sudo sh -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
Let us not forget that this VPN is also available for operating systems such as FreeBSD, OpenBSD and even OpenWrt for routers, where it is usually just a matter of installing it via "opkg", as with any other package.

If you want to install the VPN client on your smartphone with Android or iOS, the official app is available on Google Play and the App Store respectively.

WireGuard configuration: public key, private key and configuration file

Once WireGuard is properly installed on the computer that acts as the server and on all the clients we want to connect, we must configure it. The first thing to do is create a public/private key pair on the server and on every client. We have used Debian to generate the keys and configure the server, but this can also be done directly in the Windows software.

On Debian the configuration directory for WireGuard is /etc/wireguard/, so we move there with:

cd /etc/wireguard/

Server public/private key pair generation

To generate a public and private key pair in this directory we just need to enter the following (the official quick start recommends running umask 077 first, so that the private key file is readable only by root):

wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor

Now we will have two files, one with the public key and one with the private key:

  • Private key: 6JcquylvtJsHNCdWrYMj28XsLIFJUVjlr2y5o27rO2c=
  • Public key: xeTkJjjBUyp8paxTgajwDa+qWjrD2RpXlJRSHMwcGDQ=

These are the keys we will use for the WireGuard VPN "server". Note that both keys are printed here purely as an example: a private key that has been published is compromised, so never copy these into a real deployment; always generate your own.

Client public and private key generation

To generate the pair that the client will use, we can create it in a new folder or in the same location under a different name:

wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1

Now we will have two files, one with the public key and one with the private key:

  • Private key: yPMpP2raY4FoCEJkmzQMlxzm/6RBIW9HkjY6pVFIOnI=
  • Public key: 6c12jLkKzgU9len1kQ/6Fc61xm+LL98TPPlLsri8klE=

These are the keys we will use for the WireGuard VPN client (again, example keys only).

Server configuration file

The configuration of a WireGuard server is very simple compared to an IPsec or OpenVPN server; even so, we must keep the following points in mind.

The server configuration file needs an [Interface] section. Here we set, with the Address directive, the private IP address the server will have inside the tunnel, which is the address clients will reach it on. Remember that this is an L3 VPN, so we can use any private subnet that is not otherwise in use: OpenVPN's default is 10.8.0.0/24, and here we could use the same or any other, for instance 192.168.2.0/24, with 192.168.2.1 as the server itself and the other addresses for the clients.

In PrivateKey we enter the private key generated earlier for the server. In ListenPort we set the UDP port the server listens on; if we are behind a router doing NAT, this is the port we will have to "open" (forward) later.

Finally, in the [Interface] section we can also define commands to run after the virtual interface is brought up (PostUp) and after it is brought down (PostDown). In our configuration these lines are commented out because we do not want to NAT this interface, but it is perfectly possible (for example, an iptables MASQUERADE rule so clients can reach the Internet or the server's LAN through the tunnel; that also requires enabling IP forwarding on the server).

The [Peer] section is where we list the clients allowed to connect, one [Peer] block per client. Here we connect a single peer, so we define its PublicKey, created earlier (or handed to us by the client, since it was probably generated there). The AllowedIPs directive on the server restricts the tunnel IP addresses this peer may use as source (WireGuard drops packets from that peer carrying any other source address) and also installs routes to those addresses through the tunnel. Normally this is the client's own tunnel address, e.g. 192.168.2.2/32. Entering 0.0.0.0/0 accepts any source address from that peer, but it also installs a default route into the tunnel on the server, which is rarely what you want on the server side.

We name this file wg0.conf: wg-quick uses the file name (without .conf) as the name of the virtual interface it creates, which is perfect for distinguishing several tunnels. To bring this profile up we just run:

root@debian-vm:/etc/wireguard# wg-quick up wg0

When it starts, wg-quick creates the virtual interface, assigns the IP address and MTU, and adds the corresponding routes to the routing table. The output below shows what it did in our case; the fwmark and the 0.0.0.0/0 route in table 51820 appear only because a peer's AllowedIPs contained 0.0.0.0/0 (this is the policy-routing trick that keeps the encrypted UDP packets themselves out of the tunnel):

root@debian-vm:/etc/wireguard# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Client configuration file

WireGuard client configuration is equally simple compared to IPsec or OpenVPN clients; even so, we must keep the following points in mind.

The client configuration also has an [Interface] section. Here, with the Address directive, we set the private IP address that identifies this client inside the tunnel. Again, since this is an L3 VPN, any unused private subnet will do: OpenVPN's default is 10.8.0.0/24, and here we use 192.168.2.0/24, where 192.168.2.1 is the server itself and 192.168.2.2 onwards are the clients.

In PrivateKey we enter the private key generated earlier for the client.

In the [Peer] section we enter the PublicKey of the WireGuard server we want to connect to, so the server must give us its public key. Here we also use the AllowedIPs directive, but its effect is different: on the client it decides which destinations are routed into the tunnel. We can list only one or a few subnets (separated by commas) to reach through the VPN, for example the VPN subnet itself and the server's LAN, or we can forward all traffic through the VPN by entering 0.0.0.0/0 (and ::/0 for IPv6).

Finally, in the Endpoint directive we set the public IP address (or host name) of the server running WireGuard, followed by a colon (:) and the UDP port it listens on. Remember that WireGuard uses UDP, so that port must not be filtered by a firewall.

When the tunnel is idle WireGuard is as silent as possible: it does not continuously send data to keep the tunnel alive, which is perfect for saving battery and mobile data on a smartphone. In most setups this works fine, but if the client is behind NAT or a firewall the mapping may expire for lack of traffic and the server will no longer be able to reach the client. In that case configure a keepalive with the PersistentKeepalive directive, whose value is an integer number of seconds between keepalive packets. According to the official documentation, 25 seconds is enough for most firewalls and NAT devices; 0 disables the feature. This directive is only needed when we sit behind NAT or a firewall and want to remain reachable from the server during long periods without traffic; otherwise it can be left out.
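To tie the server and client sections together, here is an added example (written for this page, not taken from the article or from the WireGuard project) that renders both wg0.conf files from shell variables, using the key pairs printed above. It first checks that every key is a well-formed 32-byte base64 string, since keys copied from a web page often pick up spaces. The server's public address 203.0.113.10 (an RFC 5737 documentation address), the WAN interface name eth0 and the LAN 192.168.1.0/24 are assumptions for illustration only. It also shows the two meanings of AllowedIPs: on the server it is the client's /32 source address, on the client it selects a full tunnel (0.0.0.0/0, ::/0) or a split tunnel limited to the VPN subnet and the server's LAN.

```shell
#!/bin/sh
# Added example: render server and client wg0.conf from variables after
# sanity-checking the keys. Keys are the example keys from the article;
# endpoint, WAN interface and LAN are assumed values for illustration.

SERVER_PRIV='6JcquylvtJsHNCdWrYMj28XsLIFJUVjlr2y5o27rO2c='
SERVER_PUB='xeTkJjjBUyp8paxTgajwDa+qWjrD2RpXlJRSHMwcGDQ='
CLIENT_PRIV='yPMpP2raY4FoCEJkmzQMlxzm/6RBIW9HkjY6pVFIOnI='
CLIENT_PUB='6c12jLkKzgU9len1kQ/6Fc61xm+LL98TPPlLsri8klE='
SERVER_ENDPOINT='203.0.113.10'   # assumed public IP of the server
LISTEN_PORT=51820                # WireGuard's default UDP port
WAN_IF='eth0'                    # assumed Internet-facing interface for NAT
LAN_NET='192.168.1.0/24'         # assumed LAN behind the server

# A WireGuard key is 32 bytes base64-encoded: exactly 43 base64 characters
# followed by one '=' pad. Anything else (spaces, truncation) is rejected by wg.
check_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server side. One [Peer] per client; AllowedIPs here is the source address
# the peer may use inside the tunnel (and the route back to it), so a /32.
# The PostUp/PostDown NAT rules stay commented out as in the article; the
# -s restriction keeps the MASQUERADE limited to tunnel traffic.
render_server_conf() {
cat <<EOF
[Interface]
Address = 192.168.2.1/24
ListenPort = $LISTEN_PORT
PrivateKey = $SERVER_PRIV
# Uncomment to NAT tunnel traffic out of $WAN_IF (also needs net.ipv4.ip_forward=1):
#PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

[Peer]
# cliente1
PublicKey = $CLIENT_PUB
AllowedIPs = 192.168.2.2/32
EOF
}

# Client side. AllowedIPs decides what is routed INTO the tunnel:
#   full  -> 0.0.0.0/0, ::/0        (everything through the VPN)
#   split -> VPN subnet + server LAN (only those destinations)
# PersistentKeepalive = 25 keeps a NAT mapping alive, as the documentation suggests.
render_client_conf() {
    case "$1" in
        full)  allowed='0.0.0.0/0, ::/0' ;;
        split) allowed="192.168.2.0/24, $LAN_NET" ;;
        *)     echo "usage: render_client_conf full|split" >&2; return 1 ;;
    esac
cat <<EOF
[Interface]
Address = 192.168.2.2/24
PrivateKey = $CLIENT_PRIV

[Peer]
PublicKey = $SERVER_PUB
Endpoint = $SERVER_ENDPOINT:$LISTEN_PORT
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Validate all four keys, then write both files owner-readable only
# (they contain private keys). Copy each to /etc/wireguard/wg0.conf on its host.
write_confs() {
    for k in "$SERVER_PRIV" "$SERVER_PUB" "$CLIENT_PRIV" "$CLIENT_PUB"; do
        check_key "$k" || { echo "malformed key: $k" >&2; return 1; }
    done
    umask 077
    render_server_conf      > server-wg0.conf
    render_client_conf full > cliente1-wg0.conf
    echo "wrote server-wg0.conf and cliente1-wg0.conf"
}

# Only run when executed as a script named wg-confs.sh; sourcing just defines the functions.
if [ "$(basename -- "$0")" = 'wg-confs.sh' ]; then
    write_confs
fi
```

Save it as wg-confs.sh and run it to get both files; after copying them into place, wg-quick up wg0 on each side should show only the 192.168.2.0/24 route on the server, with no fwmark or table 51820 lines, because no server-side peer carries 0.0.0.0/0.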

On Windows we can import this same configuration file and connect, or create the tunnel from scratch in the client, in which case the public key it generates must be "passed" to the WireGuard server and added there as a [Peer].

It is also very important to check that the VPN connection was actually established. WireGuard itself logs very little, so the practical check is wg show, which lists each peer together with its latest handshake time and the bytes transferred; a peer with no handshake means the tunnel is configured but not working (wrong key, wrong endpoint or the UDP port blocked). Also, in the Windows client we cannot use an address in Interface/Address that is already in use on the machine, or the connection will fail.
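As an added example for that check (not from the article), the following shell script reads the output of wg show wg0 latest-handshakes, which prints one line per peer in the form "public key, tab, Unix time of the last handshake" (0 if none ever completed), and reports the peers whose last handshake is older than a threshold. A peer that is passing traffic re-handshakes after two minutes and its session is rejected after three, so an age well beyond 180 seconds means the tunnel is not actually up. The sample output embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: flag WireGuard peers with a missing or stale handshake.
# Input format (wg show <iface> latest-handshakes): "<pubkey>\t<unix-time>"

# Read latest-handshakes lines on stdin; print the public key of every peer
# whose last handshake is older than $2 seconds relative to "now" ($1),
# or that has never handshaken at all (timestamp 0).
stale_peers() {
    now="$1"; max_age="$2"
    while read -r key ts; do
        [ -n "$key" ] || continue
        ts="${ts:-0}"
        if [ "$ts" -eq 0 ] || [ $((now - ts)) -gt "$max_age" ]; then
            echo "$key"
        fi
    done
}

# Constructed sample (not a real capture): one fresh peer, one that never
# completed a handshake, and one whose last handshake was ~30 minutes ago.
SAMPLE="$(printf '%s\t%s\n' \
    '6c12jLkKzgU9len1kQ/6Fc61xm+LL98TPPlLsri8klE=' 1700000000 \
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' 0 \
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=' 1699998200)"

# Live check against a real interface (defaults to wg0); exit 1 if any peer is stale.
check_iface() {
    iface="${1:-wg0}"
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
    stale="$(wg show "$iface" latest-handshakes | stale_peers "$(date +%s)" 180)"
    if [ -n "$stale" ]; then
        echo "peers without a recent handshake on $iface:" >&2
        echo "$stale" >&2
        return 1
    fi
    echo "all peers on $iface handshook within the last 180 s"
}

# Run against the constructed sample when executed as wg-check.sh.
if [ "$(basename -- "$0")" = 'wg-check.sh' ]; then
    printf '%s\n' "$SAMPLE" | stale_peers 1700000060 180
fi
```

Running check_iface from cron or a monitoring agent turns "look at the logs" into a concrete test: the fresh peer is accepted, while the never-handshaken peer (typically a key or endpoint mismatch) and the long-idle one (typically a NAT mapping that expired without PersistentKeepalive) are reported.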

As you can see, WireGuard VPN is very simple and quick to configure.

WireGuard VPN performance compared to L2TP/IPsec and OpenVPN

At RedesZone we compared the performance of WireGuard VPN with L2TP/IPsec and OpenVPN. The tests were run on a local network, to avoid any effect of the ISP link, so that we could measure the real maximum throughput this specific hardware can deliver.

The VPN server configuration we use (for L2TP/IPsec, OpenVPN and WireGuard) is as follows:

  • QNAP TS-1277: AMD Ryzen 7 2700 processor; 64 GB DDR4 RAM; network: QNAP QXG-10G2T-107 10 Gbps card, Cat7 cable, D-Link DXS-1210-10TS switch.
  • VPN software for L2TP/IPsec and OpenVPN (over UDP): QNAP's QVPN 2.
  • In a second OpenVPN test (over UDP, AES-256-GCM) we used Virtualization Station with a Debian VM.
  • iperf3 installed manually on QTS and on the virtualized Debian.

The VPN client configuration we use (for L2TP/IPsec, OpenVPN and WireGuard) is as follows:

  • PC with AMD Ryzen 7 3800X processor; 32 GB DDR4 3200 MHz RAM; network: ASUS XG-C100C 10 Gbps card, Cat7 cable, connected to the same D-Link DXS-1210-10TS switch that links both machines. Operating system: Windows 10 1909.
  • Windows 10 built-in L2TP/IPsec client.
  • OpenVPN 2.4.8 (latest version at the time).
  • iperf3 on Windows 10.

The performance obtained during testing is as follows:

As you can see, WireGuard is roughly twice as fast as L2TP/IPsec or OpenVPN, so we can say that this VPN is really fast.

We hope you found this setup tutorial helpful and that you can easily deploy WireGuard servers and clients to connect securely to your home, your business or the Internet from anywhere.
