Those who want to set up a virtual private network often struggle with a configuration that is far from simple. WireGuard promises that building a tunnel can be easier and quicker.

Introduction

VPNs (Virtual Private Networks) are considered a safe bet when it comes to connecting the home office to the company network, company headquarters to the head office or business travelers to their customer database. Private users use VPNs, for example, to securely access a home weather station with a connected database server via the Internet.

Linux has several solutions for virtual private networks. Popular representatives include OpenVPN and those based on the IPsec protocol, which include LibreSwan, OpenSwan, and StrongSwan. In this article, we will take a close look at the WireGuard VPN solution. Security researcher and consultant Jason Donenfeld and his company Edge Security have been working on WireGuard (Fast and Secure Kernel Space VPN) since 2015. He released it under GPLv2.

WireGuard works exclusively on layer 3 of the OSI model (IPv4, IPv6, IPv4-over-IPv6, and IPv6-over-IPv4). It is considered less complicated than the VPN top dog IPsec and is more powerful than OpenVPN. The VPN software consists of fewer than 4000 lines of source code and uses strong encryption algorithms, for which Donenfeld draws on Trevor Perrin's Noise Protocol Framework [9]. The WireGuard protocol uses Curve25519 (ECDHE) for key exchange and ChaCha20-Poly1305 for data transport.

The repositories of numerous distributions already offer WireGuard, so those keen to experiment can easily install it using the appropriate package management. Various installation instructions can be found on the project website.

WireGuard claims to be “the most secure, simple to use and easiest VPN solution in the business”. Right now, WireGuard is under heavy development and hasn’t gone through as many security audits and reviews as OpenVPN. Nevertheless, the initial impression in the open-source community is favorable. It has been praised for its principle of simplicity, which limits the attack surface.

Operating System Compatibility

WireGuard should work very well across various platforms. WireGuard supports macOS, Android, iOS and Linux, as well as Windows. This new VPN program was first released for the Linux kernel, yet it is cross-platform, since it is compatible with Windows, Linux, macOS, FreeBSD, Android and iOS. One of the strengths of this program is that the client and server setup is the same on the various operating systems, using the same syntax.

Download and Installation

The installation of this program is extremely simple: we just need to go to the official WireGuard site and download the executable for Windows or macOS. If you have a Linux-based operating system, you will most likely need to add the WireGuard repositories to its package sources.

For instance, we installed the VPN server on Debian Buster, following the steps shown on the official site. Superuser permissions are required to perform the installation correctly. The following steps are for Debian only; visit the official website for other operating systems.

# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

# apt update

# apt install wireguard

If you need to install the VPN client on an Android or iOS phone, you can install it without issues from Google Play and the App Store respectively.

Configuring Client and Server

Once WireGuard is installed, both on the system that acts as the server and on all the clients that we want to connect, it needs to be configured. The first thing to do is create the public-private key pair, both on the server and on all the clients that we want to connect. We used a Debian operating system to generate the keys and also to configure the server; we could likewise do it directly on Windows.

The path for WireGuard server and client on Debian is /etc/wireguard/ (installed at this location), so we go to this path with the following command:

cd /etc/wireguard/

Public-Private Key Pair generation for the Server

$ wg genkey > private # writes a new private key to the file "private" in the current directory

For example : Private Key – *******************************************=

$ wg pubkey < private # prints the public key derived from the private key in that file

For example : Public Key –  *******************************************=

These keys will be used for the WireGuard VPN Server system.

Public-Private Key Pair generation for the Client (if you have more than one client, do this for all)

$ wg genkey > private # writes a new private key to the file "private" in the current directory

For example : Private Key – *******************************************=

$ wg pubkey < private # prints the public key derived from the private key in that file

For example : Public Key –  *******************************************=

These keys will be used for the WireGuard VPN Client system or systems.

Next, you need to create a new network interface (e.g. wg0) for WireGuard on both systems (client and server) using the following commands, then assign IP addresses to the newly created interface.

# ip link add wg0 type wireguard   # add the new interface wg0

# ip addr add 10.0.0.1/24 dev wg0   # assign the tunnel IP address to wg0

# wg set wg0 private-key ./private   # load the generated private key into the interface

# ip link set wg0 up   # bring the interface up

Run all the above commands on both systems, but for the second command use 10.0.0.2/24 rather than 10.0.0.1/24 on the second machine (two machines cannot have the same IP in the same network).

Now look up the network interfaces attached to each system and their IPs with the following command. First, find the IP of the interface your machine uses for the Internet (Ethernet enps0s8 or wireless wpl0); second, find the IP of interface wg0.

# ip addr   # list interfaces and their IPs

Suppose Client IPs (interface enps0s8 as I am using Ethernet; if you are using wireless, it would be wpl0. These interface names will differ between machines)

IPs – enps0s8 192.168.1.1/24 and wg0 10.0.0.1/24

Suppose Server IPs

IPs – enps8 192.168.1.2/24 and wg0 10.0.0.2/24

Now run the command wg on both machines; you will see the public key, private key and port number of the machine.

Next, allocate the public and private key for each system to the wg0 network interface and bring up the interface.

For Client

# wg set wg0 peer <public key of server> allowed-ips 10.0.0.2/32 endpoint 192.168.1.2:<port number of server>

For Server

# wg set wg0 peer <public key of client> allowed-ips 10.0.0.1/32 endpoint 192.168.1.1:<port number of client>

Now the WireGuard VPN tunnel is created. Try pinging the server from the client, then run the wg utility once again to confirm a handshake between the machines.

# ping 10.0.0.2
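
The steps above write the private key with a plain redirect, which inherits the shell's umask, and end by reading the wg output by eye. As an added example (not part of the original article or of the WireGuard project), the functions below check that the key file is readable by its owner only and that every peer in the output of wg show wg0 dump has a recent handshake and host-only allowed-ips like the /32 entries used here. The sample dump with its placeholder keys, port and timestamps, and the 180-second freshness threshold, are assumptions made for the example.

```shell
# Added example: post-setup checks for the wg0 tunnel configured above.

# key_file_ok FILE: succeed only if FILE is accessible by its owner alone
# (mode 600 or 400) and holds one 44-character base64 key.
key_file_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        600|400) ;;
        *) echo "$1: mode $mode, expected 600" >&2; return 1 ;;
    esac
    key=$(cat "$1")
    case "$key" in
        *[!A-Za-z0-9+/=]*) ;;                    # stray characters: reject below
        *=) [ "${#key}" -eq 44 ] && return 0 ;;
    esac
    echo "$1: not a 44-character base64 key" >&2
    return 1
}

# peer_report NOW MAX_AGE: read `wg show wg0 dump` on stdin, print one line
# per peer, and return non-zero if any peer fails a check. The dump's first
# line contains the interface private key, so never log the raw dump.
peer_report() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NF < 8 { next }                          # skip the interface line
        {
            hs = "ok"
            if ($5 == 0)             hs = "never"   # no handshake completed yet
            else if (now - $5 > max) hs = "stale"
            ips = "host-only"
            n = split($4, net, ",")
            for (i = 1; i <= n; i++)
                if (net[i] !~ /\/(32|128)$/)
                    ips = (net[i] == "(none)") ? "none" : "wide"
            print $1, "handshake=" hs, "allowed-ips=" ips
            if (hs != "ok" || ips != "host-only") bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed sample dump (placeholder keys, port and timestamps): the server's
# wg0 with the article's client 10.0.0.1/32 and a second, misconfigured peer.
sample_dump() {
    printf 'PRIV_PLACEHOLDER\tSERVER_PUB\t51820\toff\n'
    printf 'CLIENT_PUB\t(none)\t192.168.1.1:40000\t10.0.0.1/32\t1700000000\t92\t124\toff\n'
    printf 'OTHER_PUB\t(none)\t(none)\t10.0.0.0/24\t0\t0\t0\toff\n'
}

# Live use as root: key_file_ok ./private && wg show wg0 dump | peer_report "$(date +%s)" 180
```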

More Information

1. QuickStart – https://www.wireguard.com/quickstart/

2. WhitePaper – https://www.wireguard.com/papers/wireguard.pdf

Biplab Das