WireGuard

Updated 31 Janvier 2020

WireGuard

WireGuard is an extremely simple but fast VPN, that uses the most efficient encryption algorithms. It was meant to be faster, easier, more efficient that IPsec and OpenVPN, while providing more functionality. WireGuard was originally designed as an all-in-one VPN to work on both built-in interfaces and supercomputers suitable for a bunch of different tasks. WireGuard first came as a component of the Linux kernel. It has since become cross-platform, supported on Windows, macOS, BSD, iOS, and Android devices.

WireGuard was designed to be easy to install and configure. It can be easily implemented in several lines of code and easily checked for security issues. Compared to such mammoths as Swan/IPsec and OpenVPN/OpenSSL, where code parsing is beyond the reach of even important security experts, anyone can parse the WireGuard code on their own. WireGuard uses the best encryption protocols, such as Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF. Combining ultimate high-speed encryption algorithms and being part of the Linux kernel results in highly efficient secure networking. Check the documentation for detailed info on the protocol: PDF.

Server configuration

Installation

To install the modules and the tools required by WireGuard, run:

emerge -a net-vpn/wireguard-tools net-vpn/wireguard-modules

Key generation

Go the WireGuard configuration directory:

cd /etc/wireguard

Create a public and a private key:

wg genkey | tee privkey | wg pubkey > publickey

View both the public and the private keys:

tail -n +1 publickey privkey
==> publickey <==
ACMHojZjwV616cIsToFrQowXMJRxwEThFoEsvJnL/QM=

==> privkey <==
UBrksRvBtaRz0X33E7fvNd43eXC/SpwNsA8wKATVA3w=

Tunnel configuration

Edit the configuration file on the server, adding to it the following:

  • Network interface IP for server
  • connection port
  • private key generated on the server side (i.e. its contents):

For instance, your server's IP might be 192.168.50.1, and your connection port be 51820. For those, the configuration file will look like this:

/etc/wireguard/wg0.conf

[Interface]
# WireGuard network address
Address = 192.168.50.1/24
# Expected connection port
ListenPort = 51820
# Private key for server
PrivateKey = UBrksRvBtaRz0X33E7fvNd43eXC/SpwNsA8wKATVA3w=

Important

If the server uses a firewall, edit its settings for connection via the specified port.

Configure access rights to the configuration file and to the keys:

chmod 600 wg0.conf privkey publickey

Forward configuration

To set up traffic forwarding between the server's interfaces, add the following lines:

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1

To apply the modifications, run:

sysctl -p /etc/sysctl.conf

Routing configuration with Iptables

The server must be configured for dealing with this traffic - to send it over NAT, for example. To route client traffic to the Internet over NAT, run:

iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE

Replace eth0 with the local network interface of your server.

Save the routing rules and add them to autostart:

/etc/init.d/iptables save

rc-update add iptables

Routing coniguration with Shorewall

To use Shorewall, follow the configuration procedure as described in the manual.

Starting a server

Add WireGuard to autostart:

rc-update add wireguard

Run the server:

/etc/init.d/wireguard start

Adding the client to the servers' settings

Add client information to the WireGuard settings by specifying the WireGuard interface IP and the public key for the client:

/etc/wireguard/wg0.conf

[Peer]
# Public key for the client
PublicKey = rT9yZRcg2pscyGkder/xTGds5/sy+mX0+Z/yq2RM4HU=
AllowedIPs = 192.168.50.2

Restart WireGuard on the server:

/etc/init.d/wireguard restart

Client configuration

Installation

To install the modules and the tools required by WireGuard, run:

emerge net-vpn/wireguard-tools net-vpn/wireguard-modules

Key generation

Go the WireGuard configuration directory:

cd /etc/wireguard

Create a public and a private key:

wg genkey | tee privkey | wg pubkey > publickey

View both the public and the private keys:

tail -n +1 publickey privkey
==> publickey <==
rT9yZRcg2pscyGkder/xTGds5/sy+mX0+Z/yq2RM4HU=

==> privkey <==
gFDdeXHCIFEY5t4Tn3ETiZba/ElCxEIj1W8wX/YFVE4=

Tunnel configuration

Edit the configuration file on the client, namely specifying:

  • Network interface IP for client
  • connection port
  • private key generated on the client side (i.e. its contents)

For instance, IP address 192.168.50.2, connection port 51820. For those, the configuration file will look like this:

/etc/wireguard/wg0.conf

[Interface]
Address = 192.168.50.2/24
# Private key for the client
PrivateKey = gFDdeXHCIFEY5t4Tn3ETiZba/ElCxEIj1W8wX/YFVE4=
DNS = 8.8.8.8

[Peer]
# Public key for the server
PublicKey = ACMHojZjwV616cIsToFrQowXMJRxwEThFoEsvJnL/QM=
AllowedIPs = 0.0.0.0/0
# External IP and connection port for the server
Endpoint = wg.example.org:51820
PersistentKeepalive = 20
Excluding private networks

To exclude private networks from routing over the tunnel, set the following values in AllowedIPs instead of ~0.0.0.0/0:

0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32

Configure access rights to the configuration file and to the keys:

chmod 600 wg0.conf privkey publickey

Tunnelling

Add WireGuard to autostart:

rc-update add wireguard

Start WireGuard:

/etc/init.d/wireguard start

You can verify the connection on the client side with the route command, or check the external IP address from the client host:

dig +short myip.opendns.com @resolver1.opendns.com

To monitor the connection, run:

wg
interface: wg0
public key: 6BfFNvPQbHKKDENJMRGXu0vVYaOsfEBxFpweNGLvU3Q=
  private key: (hidden)
  listening port: 45741
  fwmark: 0xca6c

peer: EDECjzNvTRsuuxiPD8VTS7N8cmcJ1fUIaANUdrOnbXM=
  endpoint: 1.2.3.4:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 40 seconds ago
  transfer: 2.37 MiB received, 833.84 KiB sent
  persistent keepalive: every 20 seconds

Configuring your Android device

Tunnel configuration

Install the library for encoding data to a QR code:

emerge -a media-gfx/qrencode

You can now generate a QR code based on the client's configuration file.

qrencode -t ansiutf8 < wg0.conf
█████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████
████ ▄▄▄▄▄ █ ▀▀    █▄█▄  ▀▀█▄▄ ▀▄▀ ▄ ▀█▀▀▄ █    ▀▄▀▀ █▀▄▄▄▀▄▀▄ ▀▀  █▄█ ▄▄▄▄▄ ████
████ █   █ █ █▄▀▄█  █ ▀█▀█▀▄█▀▄▀█ █▄▄█▀▀▄▄▄█ ▀▀ ▄▀▀█▄ ▀█ ▀▀▀ █ ▄█ ▀▀██ █   █ ████
████ █▄▄▄█ █▀▀▄▄▀▄█  ▀▄ █▀▄  ▄▄▄ █  ██▀█  █ ▄█ ▀ ▄▄▄  ▀▀ ▄█ █▀█▀ ▀▀▄▄█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄█ ▀ ▀ █▄█▄▀▄▀ █ █▄█ █ █▄▀▄█ ▀▄█ █▄█ █▄█ █▄▀ █▄▀▄█▄▀ █ ▀ █▄▄▄▄▄▄▄████
████ ▄▀█▄▄▄█▀▀▄▄ █▀▀▀▄ ▄ █▄▄ ▄ ▄ █ ▀██▄▀██▀█▀ ▀▄ ▄▄▄ ▀▀▀█▀▀▀ ▀▄██▀  █▀█ ▀▄  ▄████
████▀▀▀█▀▄▄ ▀▄▀█▀▀▄█▀█▀▄▄ ▄ ▀▀██▀ ▄▄▄▀█▀█▄▀ ▀▀▀█▀█▄██▀▀█  █▀██▄ ▄▄▄▄ ▀▀▄██  ▀████
████▄▄ ▄ ▀▄█ ▀ █ █▀▀▄ ▄▄▀██ ▄▄ ▀▀█ █ █▄▀▀ ▀█ █▀ ▀█▀ █▀▀▄▀▄█ █▀▀▀█▄██▀▀▀ █▀ ██████
█████▄█ █▀▄ ▄▄▄▄███▀▄██  █  ▀▄█▄█▀▀█▀▀▄█▄ ███▀ ▄▀  ▄▄█▄▀ ▄█▄█▄▀ ▀ ▄█▄ ▀▀   ▀▀████
█████   ▄▀▄█████▀ ▄▄ ▀ ▀ ███   ▄██▀  █▄█▄▀▀▀ █▀█ █▀▀█ ▀█▀▀█▀█▀▀█▀█ ▄▄▀█▄██ ▄▀████
████ █▄▄▀█▄█  ▀▄▀█▀█▀█  █ ▀ █ ▄ ██ ▀▀█▄▄  ▀█ ▀██▀ ▀  ▀█▄ █▄▄█  ▀▀▀█ █ ██  █▀█████
████▄ ▄▀█▄▄▄█ ▀ ▀ ▀  ▄▄ ██▄▄▀ ▄▀█▀█ █▀ █▄█▄█▀  ▄██▀▀█ ▀▄▀ ▀▄█▀▀█▀▀ ▄█▄▄ ▄██▄▀████
█████▀▄ █▀▄ ▄▀▄██  ▀▀▀▀ █▀▀ ██ ▄▄▄▀▄▀  ▄▄█▀▄▀ ▀█▀ █▀▀ ███ ██ █▀ ▄▄▀█ ▄▄▀▄█▄█▀████
████▄▄ ▄ ▄▄▄ █  ██▀ ▄▄█▄ ▀▀▀ ▄▄▄ ██▄ ▀██▄ ▀███▀▄ ▄▄▄ ▀  ██   ▄ ▄▀ █  ▄▄▄ ▀ ▀█████
████▀██▀ █▄█ ▄ ▀  █▄▄██  ▀   █▄█  ▀▄▄█    █▀▄▀█▄ █▄█ ▀▀ ▄▀▀ ▀█▀ ▄  ▀ █▄█ ▄▀█▀████
████ ▀▀  ▄▄  ▄▀██▀▄▀▀▄▄ ▄▀█▄▄  ▄▄█▀ ▄█ █ █▀▄▀▀      ▄█▄▄ ▀█▀█▄█▀ ▀▄    ▄  ▄▄▄████
████▄▀▀ ▀▄▄▀ ▀██ █▄█▄ ██▀▄▄▄▀ ▀  ▀█ ▀█▀█▄▄ █▀███▄█▀ ▄▄█▄▄▄▄ █▀▀▀▀ █▄███▀██▄▄█████
████▄█▀▀▀█▄█   ▀ ▀▀▀██▄▄██▄▀▄▄█ ██  ▄█ █  ▀█▀▄█ ▄▀▄█▄▀▀▀▀ ▀  ▀  ▄ █▀  ▄██▀ █▀████
████▄▀▀█▄▀▄█ ▄█▄▀▀█▀▀ █▄▄█▄▄ ▀▀▄ ▀▄▀▄█▄██ ▀▄▀▀ ▄ █▀▀ ▀█▀ ▀▄▄▀▀▀████▄▀██▄▀█▄█▀████
█████ █▄▄ ▄ █▄█ █ ▄▄▀█▀ █▄▀▄ ▄▄▀█▄  ▄█▀█  ████▀  ▄██ ▄█▀██▀▀██▀ █▄ ▀██▄█▀▀▄▀▀████
████ ▄▀█▀▀▄█▀█▄▄▀▄▀█▀▄ ▀▄▀   ▀   █▀█▄ ██▀▀█▀▄▄██ █▄▄▀▄█▀▀ ███ ▀▄█▄ █▀▀▀▄▄  ██████
████▄██▄▄▄▄ █  █ ▄▄▀▄▀▄█ ▀▄█▀▄ █▀█▄▀▄█▄███▀▄▄ ▀  ▄██▀▀█▀██▄ █▄▀█ ▀▄ ▄██▄▄ █  ████
████▀▀▀█▄ ▄█ ▄█▀▀▄▀█▄▄▀▄▄▀ █ ▀▄ █▄▄▄▄▀▄▀█▄  ▄▀ ██ ▄▄██ █▄ ███▀ ▄▄     ▄▄ ▄  ▀████
████ ▀ ▀ ▄▄▄ ▀▀▄█ ▄▀ ▄▄▄▀▀▀█ ▄▄▄ █▀▀▄█▄█▄ ▀▀██▀▀ ▄▄▄  ▄▄▀▄█▄▄█▄ █▄   ▄▄▄ █ ██████
████  ▀▄ █▄█ ▄██▄▄ ▀  ▀   ▄▄ █▄█  ▀ ▀▀█▀▄ ▄█▀▀ ▀ █▄█ █▄▀ ▄█▄▀▄ ▄▀▀▄█ █▄█  ▄▀█████
████▀▄▄  ▄▄▄▄▀▀█▄▄▀▄▄█   ███▄ ▄  █▀ ██▄█▄▀▀▀██▀█    ▄▄█▀█▀▀ ▀▄█▀▄▄ █▄  ▄ █ ▄█████
████▄▄█   ▄ ▄█ █▀▄█▀▄█  █ ▀▀▄▀  ▀█▀ ██▀▀ █  ▄█▀█▄  ▀█▀▄█▄▀████ ▀█▀▄▄██▄▀▄▄▄▄█████
█████▀ █▄▀▄ ▀▄ ▄  ██ ▄▄███▄█▀▄   ▀█▀▄██▄▀█ ▀▀█▄▄▀▀▀  ▀▀▀▄ █▄█▀█ ▄▀ ▀▀█ ▀ █▀ ▀████
█████ ▀ ██▄█ █▄▄▀█▀▀█▀█▀▄▀▀ ▄▀█▄▄ ▀▄█▄ ▄██ █▄  ▀▄ ███▀█▀▀▀██▄▀ ▄██▀ ▀▀▀█  ▀ █████
████▀ █▄▀ ▄ ▄█ █ █ ▄   ▀▄▄▀█  ▀▀    ▄█▄█▄ ▀█▀█▀▄ ██▀▀▀ █▀█▄ ▄ ███▀▄█▄█▄ ▀ █▀ ████
████▀▀▄▄█▄▄▄ █ ▄ ▀▄▀▄▄▀ ▀▀ ▄█▄▄▀▀ ▄█▄    ▄█ █▀▄▄▄▄█▄ ▄▀▄▄ ▄▄█ █▀▄ █▄ ▄▄█ █   ████
████   ▀▄ ▄▄█▄▄█ █▀▀█▀  ▄ ▄▄▄▄▀█     ███▀█▄▄▀   █▀ ██ ▀ ▀█▄▀▄  ▀ █ ▄▀▄ ▄▀  ▄ ████
████▄▄█ ▀▄▄ ▄  █▄▄██████▀█ ▀█▄▀  ▄█ █▀ ▀  ████▄▄█ █ █▄▄█ ▄▄ ██ ██▀▄▄ █▀█▀▀▄▀ ████
████▄███▄█▄█▀▄▀ █▄▀▀ █ ████▄ ▄▄▄ ██ ▄██▀   █▀██▄ ▄▄▄ ▀▀█▄▀▀██▀▀▄ ▄█▄ ▄▄▄ ▀▀▄ ████
████ ▄▄▄▄▄ █▀▄█▀▄█  ▀ ▄▄▄██  █▄█ ▀▄▀▄█ █ ▀▀▄▀█ ▀ █▄█ ▀█▀▄ ████ ██▄▄█ █▄█ ▄▀  ████
████ █   █ █▄▀▀▀  ██▀█▀ ▄▄▀▄  ▄▄ ▄  ▄▄ █▄ ▄█▀▀▀▄ ▄ ▄▄▄██▄█▀ ▄▀ ▄ █▀▄    ▄▀██▀████
████ █▄▄▄█ █▀██▀▀██ ▀█ ▀█▀ ▀ █▄ ██▀█▄ ▀▄▄▀▄▄▀ █ ▀ ▄ ▄██▄▄ ██▄▄▀█▄▄▀ ▀▀▀▄▀██ █████
████▄▄▄▄▄▄▄█▄▄▄▄████▄▄▄█▄▄█▄████▄█▄█▄▄██▄██▄▄▄▄▄▄█▄█▄▄▄███████▄█▄▄▄▄███▄▄▄▄▄▄████
█████████████████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████████████████

Install the official WireGuard application for Android или iPhone.

Launch the app and select Create from QR code.

Screenshot

Check

You will need a terminal to check the connection once the tunnelling has started. Terminal Emulator may be a good choice.

Screenshot