Setup Wireguard VPN on Linux and Windows 10

Video Statistics and Information

Reddit Comments

Hi fellow homelabbers. I've created a quick guide on setting up Wireguard VPN. I hope this helps someone.

👍︎︎ 6 👤︎︎ u/gigbithomelab 📅︎︎ Jan 04 2019 🗫︎ replies

If you prefer text, the Arch wiki has a nice page at https://wiki.archlinux.org/index.php/WireGuard which is essentially distro-agnostic. I really like their wiki as a resource, even for other distros.

👍︎︎ 3 👤︎︎ u/lf_1 📅︎︎ Jan 05 2019 🗫︎ replies

DO NOT USE TUNSAFE. It is banned by the WireGuard author.

👍︎︎ 5 👤︎︎ u/hpapagaj 📅︎︎ Jan 04 2019 🗫︎ replies

WireGuard is seriously the best VPN I ever used. I can't wait for it to be mainlined in the kernel.

👍︎︎ 2 👤︎︎ u/banger_180 📅︎︎ Jan 04 2019 🗫︎ replies

Hi, I have used this guide. Thanks.

I'm using Ubuntu as a server. I can access my network, but I can't mount an NFS share.

If I use OpenVPN I can mount NFS.

Any suggestions what I'm doing wrong?

Thanks

👍︎︎ 1 👤︎︎ u/helio58 📅︎︎ Apr 07 2019 🗫︎ replies
Captions
Hi, this is a step-by-step guide on how to install WireGuard on Linux and Windows 10. I have two machines. The red window is a server that's running in the public cloud; it has a public IP address, and this will be the server that we connect to. The blue window is a client that's running inside my home network. Both of these are running Ubuntu 18.10 and there's nothing else installed; they're brand new machines.

So we start by installing WireGuard on the server. The commands I will be putting in the comment text below, so you can look at it there, but we add the apt repository for WireGuard, and then we go ahead and do an apt update and we install WireGuard. So we do that here, and of course these instructions are on the WireGuard website, which is linked in the text below. So once that's installed we do the same thing on the client, so I just clear the screen on the server there. So now the client: we do the same thing, we add the apt repository, so it's add-apt-repository ppa:wireguard/wireguard. Takes a few seconds to add it. After that, apt update and apt install wireguard.

So now that WireGuard is installed on both machines we have to set it up. WireGuard requires three things: a private key, a public key and a conf file. So we'll start by setting up these three things on the server and then we'll do it on the client. So the first thing we do is we have to go to the directory, cd /etc/wireguard, let's do that now, and let's set our umask to 077, make sure only root can read these files, and this is just for security. And now to set up the actual WireGuard private and public key we can type one command to get them both done, so it's wg genkey | tee privatekey | wg pubkey > publickey. So if you type this in it will generate both the private and public key and save them in these two files, privatekey and publickey. So now let's just print out the private key because we'll need that when we set up the conf file. I just print it out to the screen and then copy it into
the clipboard, and now copied that to the clipboard and that's it.

Now let's create the conf file. So I'm gonna use nano, that's my preferred editor. So this is where you really start to see the simplicity of WireGuard. We add two sections. There's an interface section: the address over here is the server's IP address, that is, when the VPN tunnel is connected, so we'll have the IP address of 192.168.9.1. We paste in the private key that we put into the clipboard, and we have the listen port; this is WireGuard's default port. It listens on UDP, so if you have any firewalls or something you'll have to set that up, but currently I don't. Next section is the peer, that's the client section. We add the client's public key, which we don't have because we haven't set it up yet, and for the allowed IPs we need to tell the WireGuard server what IP will be sending traffic, and I am going to set the client to 9.2, and the /32 netmask means that only that IP will be allowed to send it. So that's the server config done.

Now the client. We have to do the same thing: we have to set up the private key, the public key and the conf file. So let's go to /etc/wireguard, let's set our umask, and now let's set up the private and public keys with that same command, wg genkey | tee privatekey | wg pubkey, and we send that to a file called publickey. So now we have the private key and the public key. So let's just copy this public key and paste it into the server's config file so that the server is all done, so we don't have to think about that. So we take the public key out of the client, copy it, and open the file that we just created and paste it where it says public key under peer. Now of course I'm doing this on VMs so I can easily copy and paste; you could write it down, you could email it to yourself, however you want to change it, but you just have to get that information across. So on the server we can now get WireGuard up, so the command for that is wg-quick up wg0, where wg0 is the
interface that we just created, and now it's up and running. It's listening on that port, 51820; it's waiting for a client to connect to it.

So let's go to our client and let's just create that. So first we print out the private key and then we create a conf file on this one as well. So the interface on this machine, this is the client, and remember we set the IP address for the server as 9.1 and the peer as 9.2, so this one is 192.168.1.2, and the private key, which we just pasted into the clipboard, paste that in here. And since this is the client and nothing will be connecting to it, we don't need a listen port. For the peer, we need to connect to the server. We need the server's public key, so you can get that by typing wg on the server, and copy that, paste it in. We also need the endpoint IP address and port, so the public IP address for the server is - 7.1 48.8 dot 1 0 3 and 2 0 3 I'm sorry, and we set the port to 51820. And finally we tell it allowed IPs, that is the server's IP, so any traffic coming from the server has to come from this IP and WireGuard will allow it to go through. Since we're behind NAT on the client we also want to set a persistent keepalive to keep the tunnel alive every 25 seconds, little thing, otherwise if you leave it for a long time it will die.

So now it's set up, we can bring the interface up, wg-quick up wg0, and believe it or not the tunnel is up right now. I am connected to my public server. If I do a ping from the client to the server it'll work, or vice versa, so let's just test that out. So the configuration is literally six or seven lines of code and it takes about five minutes to set this up. So the next thing we will do is let's use iperf and do some performance testing to see actually how fast WireGuard is.

Right now let's look at the performance testing using iperf. So this is straightforward; if you've never used iperf before it's very easy to use. First thing to do is install it on both the server and the client;
that's a simple apt install. I'm not going to go too far down the rabbit hole of iperf testing; I'm just going to do some basic tests just to show the speed differences between OpenVPN or any other VPN service you may have used. So once I've installed it on both the server and the client I'm going to start up the server on the, well, the server on the server, that makes sense, and then let's connect to it from the client. I'm going to set up about, let's say, 30 streams in parallel and let's run it for 30 seconds because that should be enough to show. Just a quick note: I am on a gigabit fiber connection at my home, that's gigabit upload and download, and of course the server in the data center is on a really fast connection, so we should be able to get, well, 600 megabits per second easy, and I think this is actually CPU limited at this point because I've seen much faster speeds, but I'm using my desktop machine, which is obviously, this VM client is nowhere near as fast as that. So clearly WireGuard, you know, once it's set up it is much, much faster than OpenVPN. I'm sure there are ways to tune OpenVPN but I have honestly never seen OpenVPN on my hardware, my connection, go over maybe 200 megabits per second, so this is like three times faster already.

Quick note that right now the connection is set up in a point-to-point fashion. The client cannot talk to the Internet through the server's internet connection and the server cannot talk to anything behind the client, the LAN, anything like that. So the public IPs you can see on the left and the right are completely different, and so for the next thing we'll do is set it up so that the client can actually connect through the VPN, send all its traffic through the VPN to the Internet and get traffic back. That's how most people want to use it, I assume. So that's pretty easy to do; if you've ever done IP masquerading on Linux you know what to do, but let's just go with that in the next section.

To enable it we'll make a few changes on the
server. The first thing to do is edit the sysctl file and enable IPv4 forwarding. To do that, edit /etc/sysctl.conf and search for net.ipv4.ip_forward and uncomment that line so it's set to 1, and save and exit this. Now to enable it you could either reboot the machine, but in this case we just set it directly here on the command prompt, so the command to do that is sysctl -w and then net.ipv4.ip_forward=1. So if you do that it sets it, and also when you reboot the machine it will be set so you don't have to think about this again.

Now we need to know the interface name to put in some iptables settings. To get the interface name: on some machines it's eth0, on some it's ens; on this particular machine the public IP is on ens3, that's the ethernet adapter's identification. So once you know that, open up the wg0.conf file that we've created before, and we have to add two lines to it to tell the computer what to do when the interface comes up and what to do when the interface goes down. You can copy and paste this information from the video description; just make sure to use the correct interface name for your machine, it might be eth0 or ens1 or something else. So type all that in or copy and paste it, save and exit, and now we have to take the interface down and bring it back up again so that the changes are live. So the command's simple: wg-quick down wg0, and then just bring it up. So ignore the error there, because obviously the rules didn't exist for it to take those rules out of the iptables chain, but now we bring it back up and they should now be working. Well, it would if I type in the right command. Let's try that again. OK, so you can see that last line that shows us the iptables commands were just executed.

Now on the client there's one quick change we need to make. WireGuard will only allow traffic through from IPs that are explicitly allowed in the configuration file, so right now the
configuration file on the client only allows traffic from 192.168.9.1, so any traffic coming from any other IP will be dropped. So we change that from 9.1 to 0.0.0.0/0, so essentially any IP. So that means any machine on the internet, anything out there, if it's sending traffic in through the tunnel, accept it, and obviously you need that to work for traffic from the internet. If you're connecting to a private network you would put in your IP settings appropriately. Take the interface down on the client, bring it back up, and just like that, it's that quick, it's less than a second, and now all traffic should be going through the tunnel. Let's test that out with a command to see our public IP address. Now the public IP of the server and the client should be the same, and it is, so all the traffic from the client is now being tunneled through the server and then to the Internet and then back through the server to the client.

Now that everything is working on the server, the final step is to set it so that on reboot the interface comes up and the server is ready and listening for and waiting for clients. So a couple of things before that: we just set the ownership on the WireGuard directory to root and make sure no one else can access those files. Again, these are security keys so you don't want them being accessed; it's not a big deal in a home lab but it's just good practice. So after those two commands we create a service and enable it, and then once that is done we can just bring the interface down and then start it up through the service, and that's it, so it's running. So now every time we reboot, the server will be ready.

And now the final part of this video is setting up WireGuard on Windows 10 so that we can connect to the server we just configured and tunnel all our traffic through. Now I'm aware at the time of this recording that there is no official WireGuard client for Windows 10, so I will be using a client from TunSafe. You may want to look into
that if you would rather not, but it works for me. So here's my public IP; my ISP is Bell Canada, and this is obviously without connecting through the VPN. So let's go ahead and download and install TunSafe. I should say that this is a Windows 10 VM as well; it's brand-new, there's nothing ever really installed on it. So you go to tunsafe.com, and I find that the download that I get is usually the release client. It works fine for me, I've never really had any issues; your mileage may vary, I guess, so if you really want to be safe, like, download the stable version, but our CTO works fine for me. And again, by the time you see this video this might all have changed; if there's an official WireGuard client, use that. It's a really small install and small download and it installs quick. So there's no changes, just click through. It installs a TAP adapter, let it do that.

And once it's installed we have to do two things now: we have to create a config file on the client, on this Windows side, and we've got to add it to the server. So the first thing you'll need is a private key and a public key. So TunSafe comes with a nice utility that generates a public and private key for you, so just copy and paste that into Notepad because we'll be using these when we create the config file, and I'll just save that on the desktop so that we have that file.

All right, so the next step is to create the config file that we're going to install on the client. It's almost exactly the same as the one we did on Linux; the only difference will be in the IP address. So this machine's IP, I'm gonna set it to 192.168.9.3. If you recall, our server was 9.1 and I set the Linux client as 9.2, so this Windows client is now 9.3. The private key is right there in the Notepad file that we just saved, so get that and paste it in, and just like on Linux, those are the only two lines we need for the interface. And now we've got to tell the client which server to connect to, so we need the
server's public key for that. I'm just going to bring up the server's command prompt window again and type in wg and just dump out the public key. There's our public key, and if you notice in the red window there's one peer connected right now, so this is the second peer that we connect to this server. So the endpoint IP address is the public IP of the server followed by the port that WireGuard is listening on. Again the IP was there just oh seven one four eight eight dot 203, and you may think that I'm showing you the public keys and private keys and the IP address, but by the time you see this video all of these servers will have been taken down. So I wanted you to be able to see the process step by step, so don't worry about it, I'm not really exposing anything of my internal network.

So we set the endpoint and we set the allowed IPs. I'm just going to start off straight by telling it to allow anything coming from the server, so we'll be able to connect with the internet directly. You could set this to the server's IP or to some other network range that you have behind the server, but in our case we're going to stick with everything. And then I'll save this as a text file on the desktop, and then I'm going to just go and change the extension of this txt file to .conf. So I have show extensions enabled, but you could do this from the command prompt or any other way that you want. So once it's saved as a .conf file, go to TunSafe, import this file, it will import it in, and now we should be able to connect.

But before we do that, we won't be able to connect right now because we've got to first tell the server that we've added another client, another peer, and we have to tell the server what that peer's public key is. If we don't do that it won't let anything connect. This is somewhat different from how OpenVPN and other VPN services work, where the server doesn't need to be explicitly set up for every peer, and maybe with WireGuard there's a way to do that but I haven't found that out yet, so I have to
do it manually every time. It's no big deal for when you have, you know, two or three machines connecting. Personally I have two machines plus a couple of phones that connect, so I only have four peers.

But here, let's add the peer to the config file on the server. I'm just leaving a couple of comments so that I know what's what. So we paste the public key that we have from the Windows machine, and the allowed IP is 9.3 and only that IP, and then we save the config file, and then you take the interface down and bring the interface up again, and when we bring it back up the server will be ready to accept traffic from the Windows workstation as well as the Linux workstation. All right, so now we see there are two peers that have been added and lined up to 1/9 of three.

So now let's try connecting from our Windows machine. So if we hit connect we should be able to just get through directly. I'll just remove, we don't need the server anymore, so get that out of the way. Before we connect though, let's just reiterate that this machine's public IP is the same as my internal network's public IP, the one that's given by my ISP, at 74 1293 106, so if we are able to do this correctly we should see that change, right? So let's hit connect, yes, make sure we got it right, and there's a configuration error. So this is something to do with how the TunSafe adapter works on Windows. I'm not sure what the precise details are, but I do know that to fix it you gotta go to the interface address and add a /24 netmask to it; then it works. I'm sure someone who knows more about networking can figure that out and tell us why that's the case. But it's connected, it takes less than a second. Let's do that again: you hit connect, and before you can blink it is connected. And now if we open up Firefox and look at our public IP we should see it going through the server that I've got running, and there you go. So my server is running on Vultr, so it's in the US, and now all my traffic is being forwarded through that. So WireGuard does
take a bit of getting used to, but once you get used to it, setting it up and getting it running is easy, and it is so fast. So I hope this guide helps someone. If you've got any questions leave them in the comments below and I'll try my best to answer. Thanks for watching.
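
The server-side rules the captions walk through (one /32 in AllowedIPs per client peer, and key and config files readable by root only) can be checked mechanically. This is an added example, not from the video or its description; the config text, the placeholder keys, the /24 on Address and the function names are constructed for illustration.

```python
import ipaddress
import os
import stat

# Constructed server config in the layout the captions describe.
# Keys are placeholders; the /24 on Address is an assumption.
SERVER_CONF = """\
[Interface]
Address = 192.168.9.1/24
PrivateKey = <server-private-key>
ListenPort = 51820

# Linux client
[Peer]
PublicKey = <linux-client-public-key>
AllowedIPs = 192.168.9.2/32

# Windows client
[Peer]
PublicKey = <windows-client-public-key>
AllowedIPs = 192.168.9.3/32
"""

def parse_peers(text):
    """Return one dict per [Peer] section (section names repeat, so no configparser)."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers

def lint_server_peers(text):
    """Flag peers with no key, no AllowedIPs, a /0 range, or a range shared with another peer."""
    findings, seen = [], []
    for n, peer in enumerate(parse_peers(text), start=1):
        if "publickey" not in peer:
            findings.append(f"peer {n}: no PublicKey")
        nets = [ipaddress.ip_network(a.strip(), strict=False)
                for a in peer.get("allowedips", "").split(",") if a.strip()]
        if not nets:
            findings.append(f"peer {n}: no AllowedIPs")
        for net in nets:
            if net.prefixlen == 0:
                findings.append(f"peer {n}: {net} covers every source address")
            for m, other in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {net} overlaps peer {m} ({other})")
        seen.extend((n, net) for net in nets)
    return findings

def too_permissive(path):
    """True if group or others have any access (the captions set umask 077)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    print(lint_server_peers(SERVER_CONF) or "peer list OK")
```

Run `lint_server_peers` on the text of the server's config after adding each new peer, and `too_permissive` on the private key and config files under `/etc/wireguard`.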
Info
Channel: Breadboard Videos
Views: 36,567
Keywords: wireguard vpn, vpn, wireguard on windows, wireguard windows 10, wireguard, tunsafe
Id: hR7KlUVA0zk
Length: 21min 28sec (1288 seconds)
Published: Fri Jan 04 2019