Remote Access Roadwarrior Example
With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the address and port statements.
In the following example, the IPs for the remote clients are defined in the peers. This allows the peers to interact with one another.
wireguard wg0 peer iPhone port 2224
The following is the config for the iPhone peer above. It's important to note that the AllowedIPs wildcard setting directs all IPv4 and IPv6 traffic through the connection.
[Interface]
PrivateKey = ARAKLSDJsadlkfjasdfiowqeruriowqeuasdf=
Address = 10.172.24.20/24, 2001:DB8:470:22::20/64
DNS = 10.0.0.53, 10.0.0.54

[Peer]
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25
However, split-tunneling can be achieved by specifying the remote subnets in AllowedIPs. This ensures that only traffic destined for the remote site is sent over the tunnel. All other traffic is unaffected.
[Interface]
PrivateKey = 8Iasdfweirousd1EVGUk5XsT+wYFZ9mhPnQhmjzaJE6Go=
Address = 10.172.24.30/24, 2001:DB8:470:22::30/64

[Peer]
PublicKey = RIbtUTCfgzNjnLNPQ/ulkGnnB2vMWHm7l2H/xUfbyjc=
AllowedIPs = 10.172.24.30/24, 2001:DB8:470:22::/64
Endpoint = 192.0.2.1:2224
PersistentKeepalive = 25
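As an added example (not from the original page), a small Python lint for wg-quick client configs like the two above: it parses the [Interface] and [Peer] sections, tells a full tunnel from a split tunnel by its AllowedIPs, flags the same prefix listed under two peers, and answers which peer cryptokey routing will pick for a given destination. The sample config, keys and peer names are constructed placeholders.

```python
import ipaddress
# Constructed sample (placeholder keys) modelled on the split-tunnel client
# above; peer B deliberately claims prefixes that overlap or duplicate peer A's.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.172.24.30/24, 2001:db8:470:22::30/64
[Peer]
PublicKey = SITE_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.172.24.0/24, 2001:db8:470:22::/64
[Peer]
PublicKey = SITE_B_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.172.24.0/25, 2001:db8:470:22::/64
"""

def parse_wg_conf(text):
    """Return (interface dict, [peer dicts]); configparser would merge the
    repeated [Peer] sections. Split on the first '=' only: keys end in '='."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers

def allowed_networks(peer):
    # strict=False tolerates host bits such as the 10.172.24.30/24 seen above
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]

def tunnel_mode(peer):
    """'full' when AllowedIPs captures everything (0.0.0.0/0 or ::/0), else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in allowed_networks(peer)) else "split"

def duplicate_allowed_ips(peers):
    """Same prefix under two peers: wg assigns it to the later [Peer] only,
    silently taking it from the earlier one. Returns (first, later, net)."""
    seen, dupes = {}, []
    for i, p in enumerate(peers):
        for net in allowed_networks(p):
            if net in seen:
                dupes.append((seen[net], i, str(net)))
            seen.setdefault(net, i)
    return dupes

def route_peer(peers, dst):
    """Cryptokey routing: index of the peer whose AllowedIPs has the longest
    prefix containing dst (the peer the packet is encrypted for); None = no peer."""
    addr, best = ipaddress.ip_address(dst), None
    for i, p in enumerate(peers):
        for net in allowed_networks(p):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (i, net.prefixlen)
    return None if best is None else best[0]
```

A destination no peer claims returns None: wg drops such packets rather than sending them in the clear, which is why a split-tunnel AllowedIPs must list every remote subnet.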
Delete a keypair. This can be either the default key or any other named key-pair.
IP And Routing Configuration
Lastly, IP and routing information must be configured to allow traffic to be sent over the tunnel.
/ip/address add address=10.255.255.1/30 interface=wireguard1
/ip/route add dst-address=10.1.101.0/24 gateway=wireguard1

/ip/address add address=10.255.255.2/30 interface=wireguard1
/ip/route add dst-address=10.1.202.0/24 gateway=wireguard1
Extra: Securing Your Internet
One of the benefits of this setup is that you no longer need to expose your Internet-facing server's SSH port publicly. You can use the VPN to access it instead.
# turn on ufw
ufw enable
# allow inbound access to WireGuard's port
ufw allow 51820/udp
# allow VPN IPs to access SSH on port 22
ufw allow from 10.222.0.0/24 to any port 22 proto tcp
# remove default SSH allow rules
ufw delete allow SSH
ufw delete allow 22/tcp
Now you should only be able to access SSH on your Internet-facing server via the VPN IP address, 10.222.0.1.
Configuring Local Wg0 Interface
Now that we have the key pairs of each host, we can proceed to configure the wg0 interfaces. In the /etc/wireguard/ directory, we create a wg0.conf file on each host with the info of the local WireGuard interface wg0.
Host-A wg0.conf file:
# Host-A
[Interface]
PrivateKey = <Host-A-Private-key>
Address = 192.168.250.1/30
ListenPort = 51830
Host-B wg0.conf file:
# Host-B
[Interface]
PrivateKey = <Host-B-Private-key>
Address = 192.168.250.2/30
ListenPort = 51831
Configuring The Interface Section
We need to define the VPN IP address this node will use and the port that it will listen on for connections from peers. Begin by adding ListenPort and SaveConfig lines so that your file looks like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
This sets the port that WireGuard will listen on. This can be any free, bindable port, but in this guide we will set up our VPN on port 5555 for both servers. Set the ListenPort on each host to the port you've selected:
We also set SaveConfig to true. This will tell the wg-quick service to automatically save its active configuration to this file at shutdown.
Note: When SaveConfig is enabled, the wg-quick service will overwrite the contents of the /etc/wireguard/wg0.conf file whenever the service shuts down. If you need to modify the WireGuard configuration, either shut down the wg-quick service prior to editing the /etc/wireguard/wg0.conf file or make the changes to the running service using the wg command. Any changes made to the configuration file while the service is running will be overwritten when wg-quick stores its active configuration.
Next, add a unique Address definition to each server so that the wg-quick service can set the network information when it brings up the WireGuard interface. We will use the 10.0.0.0/24 subnet as the address space for our VPN. For each computer, you will need to pick a unique address within this range and specify the address and subnet using CIDR notation.
Setting Up The Tunnels
There are a lot of ways to bring up a WireGuard tunnel. I prefer starting it as a service, and enabling it if I want the tunnel to always be up. Following this, the commands to run on each host are:
Now if you force the tunnel with a ping request, the tunnel will initiate a handshake and start working. Execute a wg command to see relevant information about the wireguard VPN tunnels.
Note that some static routes for the encryption domain are added to the route table. So traffic generated from the Host-A LAN will be masqueraded (NATed) behind the wg0 IP address of Host-A. If you want, you can remove the static route and add another one with the wg0 IP address of Host-B as next hop, or just install FRR and run a dynamic routing protocol on top of WireGuard!
Starting Wireguard And Enabling It At Boot
With the configuration in place, we are ready to start the server. WireGuard has a convenient wrapper called wg-quick that can be used to start new interfaces without needing to go into the setup details. You can use it to start your configuration using the following command.
wg-quick up wg0
You should see an output like below upon successfully starting the interface.
ip link add wg0 type wireguard
wg setconf wg0 /dev/fd/63
ip -4 address add 10.0.0.1/24 dev wg0
ip link set mtu 1420 up dev wg0
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Your WireGuard server is then running. You can check your configuration with the following command.
interface: wg0
  public key: pcDxSxSZp5x87cNoRJaHdAOzxrxDfDUn7pGmrY/AmzI=
  private key:
  listening port: 51820

peer: gCQKfJL8Xff2MNmvceVQ0nQAmLsSM0tXClhvVNzSil4=
  allowed ips: 10.0.0.2/32
To enable WireGuard to start automatically at system boot, also enable the systemd service.
In case you get an error starting the server such as the example below:
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
Make sure your server software is fully up-to-date.
sudo apt-get update && sudo apt-get upgrade -y
Then check that the WireGuard kernel module is loaded with the command below. If successful, you should not see any output.
sudo modprobe wireguard
If you get an error saying the module is missing, restart your WireGuard server and try again.
Application Deployment With Ansible
With the infrastructure in place, now we can use Ansible to install and configure the applications.
$ ansible-playbook playbook-wireguard.yml
...
PLAY RECAP *************************************
aws-ubuntu-priv-web : ok=12 changed=10 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
aws-ubuntu-pub-wg   : ok=40 changed=27 unreachable=0 failed=0 skipped=6  rescued=0 ignored=0
gcp-ubuntu-priv-web : ok=12 changed=10 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
gcp-ubuntu-pub-wg   : ok=40 changed=27 unreachable=0 failed=0 skipped=6  rescued=0 ignored=0
localhost           : ok=1  changed=1  unreachable=0 failed=0 skipped=0  rescued=0 ignored=0
When complete, you will have WireGuard endpoints on both sides, and the VPN site-to-site tunnel will be established. Per the diagram below, you can see that each /etc/wireguard/wg0.conf has the other listed as its peer.
Adding The Missing Peer Information On The Command Line
On the first server, enter the peering information manually using the following format. The second server's public key can be found in the output of sudo wg from the second server:
You can confirm that the information is now in the active configuration by typing sudo wg again on the first server:
interface: wg0
  private key:
  listening port: 5555

peer: public_key_of_second_server
  endpoint: public_IP_of_second_server:5555
  allowed ips: 10.0.0.2/32
Our point-to-point connection should now be available. Try pinging the VPN address of the second server from the first:
Output on first server
PING 10.0.0.2 56 bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.635 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.615 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.841 ms
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 ms
If everything is working correctly, you can save the configuration on the first server back to the /etc/wireguard/wg0.conf file by restarting the service:
If you want to start the tunnel at boot, you can enable the service on each machine by typing:
The VPN tunnel should now be automatically started whenever the machine boots.
Building Out The Wireguard Tunnel
Step 1: In the Main Office Router we'll create the WireGuard Interface. All you have to do is give it a name. It will auto-generate the Public and Private Keys on its own. Each side of the tunnel will have different public and private keys. I used UDP port 51820 because the WireGuard Project used that particular port in their documentation. I also experimented with the MikroTik default of 13231 and other ports and, of course, it worked just fine.
Step 2: Repeat Step 1 for Satellite Office Gateway.
Step 3 & 4: Set the Peers on each side. The Allowed Address field needs to contain all subnets that you will need to reach on the far side. At the time of this writing, there is a bug in Winbox with the Endpoint Port. To set the Endpoint Port, you must configure it in the CLI on both sides as shown. Don't forget that if you make changes here, it may remove the Endpoint port, which you can only confirm/fix from the CLI.
Step 7 & 8: Add a static route to each side, just as you would with any other tunnel.
Step 9: Verify Connectivity. On the tunnel interface, you should see TX and RX packets. Notice, if you disable and re-enable the tunnel, just how quickly the tunnel forms and can start passing packets again. Once you have bi-directional traffic flowing, use Host A & B to send data back and forth.
Notes about performance
Deploy A New Cloud Server
Deploying a new server on UpCloud is an easy and straightforward process. To get started, log into your UpCloud Control Panel and select to Deploy a server under the Servers section.
The deployment page shows a number of options for customizing a new cloud server.
You can find more detailed instructions on server deployment at the UpCloud newcomers tutorials.
Extra: Alternative Wireguard Distributions
The official WireGuard distribution comes as a kernel module. While the official implementation is best, there are also some alternatives that run in userspace, if you're unwilling or unable to install a kernel module:
- wireguard-go – This is WireGuard's official userspace implementation, written in Go. Recommended.
- wireguard-rs – Another userspace implementation, also by the WireGuard authors, written in Rust. WIP, not recommended for production.
Best VPNs That Support Wireguard
Many VPN users are showing a preference for VPNs that run using WireGuard.
It makes sense: this protocol has several benefits! My best VPN for WireGuard is NordVPN.
NordVPN combines with WireGuard to provide watertight security and speeds required for an uninterrupted VPN experience.
In this guide, I'll connect you to an entire list of the best WireGuard VPNs and discuss what you can expect from each service.
Continue reading for a detailed overview of my top WireGuard VPN picks.
Provision Infrastructure Using Terraform
Start the build using the following commands.
# make ssh auth key for VMs that will be built
make create-keypair
# validate that AWS credentials and GCP credentials exist
make serviceaccount-prereq
Build the AWS infrastructure WARNING: AWS will bill you for this usage!
$ cd aws-infra
$ terraform init
$ terraform apply -auto-approve
...
Apply complete! Resources: 19 added, 0 changed, 0 destroyed.
Outputs:
aws-ubuntu-priv-web-private_ip = "172.16.2.129"
aws-ubuntu-pub-wg_private_ip = "172.16.1.10"
aws-ubuntu-pub-wg_public_ip = "18.104.22.168"
# go back to main directory
$ cd ..
Build the GCP infrastructure WARNING: GCP will bill you for this usage!
$ cd gcp-infra
$ terraform init
$ terraform apply -auto-approve
...
Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
Outputs:
gcp-ubuntu-priv-web-private_ip = "172.17.2.129"
gcp-ubuntu-pub-wg_private_ip = "172.17.1.10"
gcp-ubuntu-pub-wg_public_ip = "22.214.171.124"
# go back to main directory
$ cd ..
Now that the infrastructure has been built, parse the specific IP addresses and populate the Ansible inventory and group variables.
Where Does Wireguard Beat Openvpn Ipsec And L2tp
| | WireGuard | OpenVPN | IPsec/L2TP |
|---|---|---|---|
| Overview | Very fast with little overhead and state-of-the-art cryptography | Popular and open source, but not based on standards: it uses custom security protocols with SSL/TLS | Standard protocol for secure communication. Developed by Cisco and Microsoft |
| Cryptography | Uses Curve25519, ChaCha20, Poly1305 and BLAKE2 | Uses the OpenSSL library and TLS for encryption | Uses algorithms such as AES, Camellia, Blowfish and 3DES for encryption |
| Security | No known major security vulnerabilities. Its smaller code base also makes audits easier for everyone. | No known major security vulnerabilities, but care is needed when deploying it: secure encryption algorithms must be chosen. | No known major security vulnerabilities; however, a leaked NSA presentation indicates it can be compromised. |
| Speed | Very high speed with low overhead | Can match IPsec if used over UDP instead of TCP | Faster than OpenVPN but does not match WireGuard |
| Ports | Can be configured on any port with UDP | Can be configured on any port with both TCP and UDP | 500 for the initial key exchange, 4500 for NAT traversal, and 50 for IPsec encrypted data |
Opnsense Wireguard VPN Site
The open source firewall OPNsense supports several technologies for setting up VPN connections. In addition to IPsec and OpenVPN, OPNsense version 19.7 offers the possibility to set up a VPN with WireGuard. In this article we show the configuration of the WireGuard VPN service to connect two OPNsense firewalls in a site-to-site VPN.
Testing The VPN Tunnel
With all the steps done on all of your Peers we can test the tunnel connectivity. I have no firewalls in place, therefore I just used simple ping from both sites.
As you can see in the picture, both sites respond to the ping test! This confirms that we have successfully connected the remote and local site. However, we are not done yet! Remember, we wanted to access my LAN network from the remote site, so let's try that now:
This doesn’t work out of the box and we get to why in the next section.
Vyprvpn Owns And Manages All Its Wireguard Servers
VyprVPN's website doesn't explain how it implements WireGuard.
So, I used the Live Chat feature to fish for details.
My support agent, Yas, was quick to help.
According to VyprVPN support, the provider offers NAT Firewall, an extra layer of security that prevents your activity from being scanned for information.
The difference between a NAT and a double NAT system is that the former uses a single router to do its bidding, while double NAT directs traffic through two routed networks.
The double NAT system is better for security, but this extra tunnel can slow your speeds, which may be why PIA, CyberGhost, and VyprVPN outdid NordVPN in the speed department.
My speed test result for VyprVPN:
NAT Firewalls also assign each user a unique private IP address, with the idea of masking your whereabouts.
The downfall of this supportive WireGuard implementation is your uniquely assigned IP address can still be tracked by the VPN provider or any third party they share this information with.
So, while no logs are stored, and your real IP address and online activity remain encrypted, there's still a speck of trackability.
This concern can, however, be counteracted by VyprVPN's Swiss jurisdiction. Switzerland scores 96/100 on Freedom House, making it one of the most privacy-friendly locations in the world.
Chances are, the request for any of your information will be denied.
Customize > Connections > Manage VyprVPN > Enable NAT Firewall
NordVPN, Surfshark, and CyberGhost own some servers.
Opening The Firewall And Starting The VPN
First, open up the WireGuard port in the firewall on each server:
Now, start the wg-quick service using the wg0 interface file we defined:
This will start of the wg0 network interface on the machine. We can confirm this by typing:
Output on first server
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
We can use the wg tool to view information about the active configuration of the VPN:
On the server without a peer definition, the display will look something like this:
Output on first server
interface: wg0
  public key: public_key_of_this_server
  private key:
  listening port: 5555
On the server with a peer configuration already defined, the output will also contain that information:
Output on second server
interface: wg0
  private key:
  listening port: 5555

peer: public_key_of_first_server
  endpoint: public_IP_of_first_server:5555
  allowed ips: 10.0.0.1/32
To complete the connection, we now need to add the second server's peering information to the first server using the wg command.
Endpoint With Changing Ip
After resolving a server’s domain, WireGuard will not check for changes in DNS again.
If the WireGuard server frequently changes its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client is going to lose its connection until its endpoint is updated via something like wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT".
Also be aware that if the endpoint is ever going to change its address, just updating DNS will not be enough, so periodically running reresolve-dns might make sense on any DNS-based setup.
Luckily, wireguard-tools provides an example script /usr/share/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh, that parses WG configuration files and automatically resets the endpoint address.
One needs to run the /usr/share/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf periodically to recover from an endpoint that has changed its IP.
One way of doing so is by updating all WireGuard endpoints once every thirty seconds via a systemd timer:
[Unit]
Description=Periodically reresolve DNS of all WireGuard endpoints

[Timer]
OnCalendar=*:*:0/30

[Install]
WantedBy=timers.target

[Unit]
Description=Reresolve DNS of all WireGuard endpoints
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh "$i"; done'
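An added illustration, in Python, of the per-peer decision reresolve-dns.sh makes (this is not the script itself nor part of the original page): parse the output of `wg show wg0 latest-handshakes`, skip endpoints that are already IP literals, and emit the `wg set ... endpoint` command for peers whose last handshake is older than a threshold. The 135 s default matches the script's check as I recall it and is an assumption here; keys, hostnames and timestamps are constructed placeholders.

```python
import ipaddress
import time

# Constructed output of `wg show wg0 latest-handshakes` ("<pubkey>\t<unix time>",
# 0 = never handshaken) and the matching (PublicKey, Endpoint) pairs from a
# wg0.conf. Keys, hostnames and timestamps are placeholders.
NOW = 1_700_000_000
HANDSHAKES = (
    "PEER_A_PUBKEY_PLACEHOLDER=\t1699999990\n"  # 10 s ago: healthy
    "PEER_B_PUBKEY_PLACEHOLDER=\t1699999000\n"  # 1000 s ago: stale
    "PEER_C_PUBKEY_PLACEHOLDER=\t0\n"           # never handshaken
)
PEERS = [
    ("PEER_A_PUBKEY_PLACEHOLDER=", "vpn-a.example.invalid:51820"),
    ("PEER_B_PUBKEY_PLACEHOLDER=", "vpn-b.example.invalid:51820"),
    ("PEER_C_PUBKEY_PLACEHOLDER=", "[2001:db8::1]:51820"),  # literal, no DNS
]

def parse_latest_handshakes(text):
    """Map pubkey -> unix timestamp of the last handshake (0 = never)."""
    return {k: int(t) for k, t in (row.split("\t") for row in text.splitlines() if row)}

def is_ip_literal(host):
    """True for 192.0.2.1 or [2001:db8::1]; such endpoints never need re-resolving."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def reresolve_commands(iface, peers, handshakes, now=None, max_age=135):
    """argv for `wg set <iface> peer <key> endpoint <host:port>`, one per peer whose
    endpoint is a DNS name and whose last handshake is older than max_age seconds
    (or missing). Re-setting the same host:port makes wg resolve the name again,
    which is the mechanism reresolve-dns.sh relies on."""
    now = time.time() if now is None else now
    cmds = []
    for key, endpoint in peers:
        host, _, port = endpoint.rpartition(":")
        if not host or not port.isdigit() or is_ip_literal(host):
            continue
        last = handshakes.get(key, 0)
        if last == 0 or now - last > max_age:
            cmds.append(["wg", "set", iface, "peer", key, "endpoint", endpoint])
    return cmds
```

Peers that use a PresharedKey need it passed to wg set as well, which the stock script does and this sketch leaves out.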
Wireguard Pros And Cons
WireGuard is an incredibly sleek protocol. Where OpenVPN requires roughly 400,000 lines of code, WireGuard has under 4000. That makes it more lightweight and easier for VPNs to implement, reduces the risk of flaws or vulnerabilities, and makes the code easier to audit.
WireGuard also uses the very latest super-fast cryptographic primitives.
This combination of simplicity and high-speed encryption methods allows for excellent performance and reliability. Where the complexities of OpenVPN or IPSec sometimes lead to slowed connections, WireGuard can actually boost your speeds.
It also allows you to connect or reconnect to your VPN almost instantaneously, with fewer disconnections.
This is especially useful if you use your VPN on your smartphone or other mobile devices. With WireGuard, you experience no downtime from your VPN even when switching between networks.
But this new technology isn’t perfect. For starters, WireGuard admits that it’s not entirely finished. It’s still undergoing testing and has yet to be independently audited.
Next, the way WireGuard assigns you an IP address could contradict the strict no-logs policies employed by most VPNs.
Unlike OpenVPN or other tunneling protocols, WireGuard can’t dynamically assign IP addresses. Instead, it assigns you a static IP address.