
Linux Guide

Useful commands and tips for the Linux ecosystem.

12. Oct 2023

VPN Server with WireGuard

A quick guide on how to set up a WireGuard server on your Linux system.

Installation

Install WireGuard for Fedora.

sudo dnf install wireguard-tools

Generating key-pairs

Generate a new key-pair for your server.

Create a new private key and store it in a file.

wg genkey | sudo tee /etc/wireguard/private.key

Generate the public key from the contents of the private key file and store the output in a separate public key file.

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Server setup

Create a new config file and add the following configuration.

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = <PRIVATE_KEY> # private key of the server
Address = 10.0.0.1/8 # server IP
ListenPort = 51820
SaveConfig = false # disable automatic config changes
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

Activate the WireGuard endpoint.

sudo wg-quick up wg0

Start the WireGuard service.

sudo systemctl start wg-quick@wg0.service

Firewall and port-forwarding

Allow the following ports to pass through the firewall.

sudo firewall-cmd --add-port=51820/tcp --permanent
sudo firewall-cmd --add-port=51821/tcp --permanent
sudo firewall-cmd --add-port=51820/udp --permanent
sudo firewall-cmd --add-port=51821/udp --permanent

Additionally, you need to enable port-forwarding for these ports on your router.

Add a peer-connection

Create another key-pair for your device, as described in the chapter "Generating key-pairs", but this time with different filenames.

Create a new WireGuard configuration for your device.

/etc/wireguard/device-wg0.conf

[Interface]
PrivateKey = <PRIVATE_KEY> # private key of the client/device
Address = 10.0.0.2/8 # client/device IP
SaveConfig = false

[Peer]
PublicKey = <PUBLIC_KEY> # public key of the server
Endpoint = <IP_ADDR/DOMAIN>:51820
AllowedIPs = 192.168.2.0/24 # only traffic within the specified IP range will be routed over the VPN
PersistentKeepalive = 30 # required in order to maintain a permanent connection

Add the new peer-connection to the server configuration file.

/etc/wireguard/wg0.conf

...

[Peer]
PublicKey = <PUBLIC_KEY> # public key of client/device
AllowedIPs = 10.0.0.2/32 # client/device IP

Import the client configuration on your device and try to establish the VPN connection.

With the following command you can see if a connection was successfully established.

sudo wg show
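Before bringing an interface up, it helps to lint the config file for the mistakes that most often break the setup above or weaken it: a placeholder left in, a missing key in a [Peer] block, a server-side peer whose AllowedIPs is wider than the single client address, and a config file that is readable by other users. The following script is an added example, not part of the original guide or of WireGuard; the sample config it checks is constructed and uses a made-up public key.

```sh
#!/bin/sh
# Added example, not from the original guide: lint a WireGuard config before "wg-quick up".
# Findings: a "<PLACEHOLDER>" left in; a [Peer] without PublicKey or AllowedIPs; on a server config
# (one with ListenPort) a peer whose AllowedIPs is wider than a /32 host route, since the server then
# accepts that peer's packets from any source in the range; a file readable by others (it holds the key).
wg_conf_lint() {
    conf="$1"; rc=0
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    [ "$mode" = "600" ] || { echo "$conf: mode $mode, expected 600"; rc=1; }
    awk '
        BEGIN { split("", kv) }                      # kv: keys of the current section
        function check_peer(   i, n, a) {
            if (!("PublicKey" in kv))  { print "[Peer] without PublicKey"; bad = 1 }
            if (!("AllowedIPs" in kv)) { print "[Peer] without AllowedIPs"; bad = 1; return }
            n = split(kv["AllowedIPs"], a, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (server && a[i] !~ /\/32$/) {
                print "[Peer] " kv["PublicKey"] ": AllowedIPs " a[i] " is wider than a /32"; bad = 1 }
        }
        function leave_section() {
            if (sec == "Interface") server = ("ListenPort" in kv)
            if (sec == "Peer") check_peer()
            split("", kv)                            # clear the map (POSIX awk idiom)
        }
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # drop comments, trim
        /^$/ { next }
        /^\[.*\]$/ { leave_section(); sec = substr($0, 2, length($0) - 2); next }
        {
            eq = index($0, "="); if (!eq) { print "cannot parse: " $0; bad = 1; next }
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); kv[k] = v
            if (v ~ /^<.*>$/) { print "[" sec "] " k " still holds the placeholder " v; bad = 1 }
        }
        END { leave_section(); exit (bad ? 1 : 0) }
    ' "$conf" || rc=1
    return $rc
}
# Constructed sample (not a real key): the guide's server config with the placeholder left in and
# a peer whose AllowedIPs also covers the whole 10.0.0.0/8 instead of only the client's /32.
SAMPLE=$(mktemp) && chmod 600 "$SAMPLE"
cat > "$SAMPLE" <<'EOF'
[Interface]
PrivateKey = <PRIVATE_KEY> # private key of the server
Address = 10.0.0.1/8
ListenPort = 51820
[Peer]
PublicKey = CLIENTPUBLICKEYPLACEHOLDER00000000000000000=
AllowedIPs = 10.0.0.2/32, 10.0.0.0/8
EOF
if wg_conf_lint "$SAMPLE"; then echo "clean"; else echo "fix the findings before wg-quick up"; fi
```

Run it against /etc/wireguard/wg0.conf on the server and against the device config before importing it; a client config has no ListenPort, so a subnet such as 192.168.2.0/24 in its AllowedIPs is accepted.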

For a more detailed explanation of how to set up a VPN server with WireGuard, see the DigitalOcean guide How To Set Up WireGuard on Ubuntu 20.04.

SSH key-based authentication

Generate SSH key-pairs

Create a new SSH key without a passphrase.

ssh-keygen -t rsa -b 4096

Copy the SSH key to the remote device you want to log in to.

ssh-copy-id -i <ID_RSA> <USER@HOST>

Configure SSH connection

Add the following snippet to your SSH config file which is located at ~/.ssh/config. This links the host address with a specific private key.

$HOME/.ssh/config

Host <IP_ADDRESS>
  User <USER>
  IdentityFile ~/.ssh/<PRIVATE_KEY>
  IdentitiesOnly yes