WireGuard installation and configuration - on Linux

Captions
Today I will walk you step-by-step through the installation and setup of a basic VPN connection with WireGuard, so keep watching.

Hi everybody, welcome to The Digital Life. My name is Christian and I'm always teaching you how to become a real IT professional, so if you are interested in learning Linux, networking, cloud and all that stuff, then don't forget to subscribe to my channel.

WireGuard is a new and promising VPN protocol that was just recently added to the official Linux kernel from version 5.4 onwards. It tends to be much more simple and much more performant than other established VPN protocols. I also recently did a video where I compared WireGuard to OpenVPN and IPsec; if you haven't already watched it, I've put you a link in the description below, check it out. Although WireGuard may not be enterprise ready yet, my personal opinion is that it will become much more important in the future, and you can already use it in smaller projects or in private environments.

I think it's time to get started with WireGuard. Let's try to install that on your Ubuntu 20.04 server and client and set up a basic VPN connection between those two systems. You can also find a client for Windows, for macOS, for Linux and also for mobile devices with iOS or Android. I've also put you a link to the official WireGuard documentation in the description below; check it out if you want to know how to install that on different distributions or different operating systems.

OK, so let me share my screen with you guys and we will now set up the basic VPN connection with WireGuard. So let's go and do a short demonstration. I have installed a virtual test environment with the new Ubuntu 20.04 LTS server and also a client. Let's start with the installation of WireGuard on the server and on the client, and this is very easy since WireGuard has been integrated in the Linux kernel, so you don't need to download and compile kernel modules any more. On Ubuntu that is just done by installing it via the
package manager. Just enter sudo apt install wireguard and it will just install WireGuard and the WireGuard tools that are necessary to easily manage the tunnel interfaces. Just enter yes and it's just done. Right, on the client we also need to do the same thing, so let's go to the client, just do a sudo apt install wireguard and enter yes, and that's it. We can now create our tunnel interfaces and start configuring them.

We will start with creating private and public keys in order to establish a secured network connection. If you are wondering what the hell a private and a public key is, don't worry, I will also make a video about how private and public keys work, so once this video is finished I will put you the link in the description below. Check it out, it will be very interesting.

WireGuard comes with some easy and simple tools to generate private and public keys. You can basically just do this in one command. To do that, just enter wg genkey. This will generate a private key and output it on the console, so we will pipe it to write this to a file, private key, and pipe this output again to the second command, wg pubkey. This will generate a corresponding public key out of the private key, and we will also write this to a file, public key. We can now see we have two files in our directory, and we will now output the private key on the console. To do that, just enter cat private key, and this is our randomly generated private key. Be careful: you must not share this private key with anyone else, because with this private key the server is able to decrypt all network packets that are sent from the client. So this is very sensitive information; be careful when storing that file.

OK, we can now start configuring our interface. To do that, just create a new file with your favorite editor. I'm just using vim most of the time because I really like it, but you can just use any other editor you want to. Create a file in this directory, wireguard, with the name wg0.conf, so
this is the name of our tunnel interface. Let's enter it, and now we will start to configure our interface. Just enter Interface, and we will start with the private key of the server: just paste the private key we have copied from the console. And we will enter an address; here we're using the private IP address range 10.0.0.1/8. You can use any other private IP address range if you want to; make sure it's unique, so if you use the same private IP address range anywhere else you will get routing issues. Also enter SaveConfig and set it to true. We now need to specify two commands, that is PostUp and PostDown. I will just copy and paste them. These are iptables rules that will accept every packet on the tunnel interface and also forward to the outgoing interface of the tunnel interface, and masquerade it with the public IP address of our server. We also need to do the same on PostDown and just remove these entries: you just change -A to -D to delete those two rules. And now we also need to specify a listen port. I'm using 51820, that is the standard port for WireGuard, but you can also choose any other port you want to. So let's write this file and exit the editor, and we will now start the network interface. To do that, just enter wg-quick up and then the name of the network interface. Just hit enter, and you can also check if everything was successful with sudo wg, and you can see it has just created the interface wg0. You can also see it here in ip link that we now have created a tunnel interface.

Now we can switch to the client and start configuring our client to connect with that server. We will also start by generating those private and public keys on the client too. Just enter the same command, wg genkey, and pipe this to the private key file, also pipe this to the wg pubkey command to generate the corresponding public key, and write this to a file. So we now have our two files here. We will again output the private key on the console and copy it. Now we start
creating our wg0 interface on the client too. Just enter sudo and your favorite editor and create a new file in wireguard, wg0.conf. And now again we will start with an Interface, add the private key we have just copied from the console, and enter an IP address; we are using 10.0.0.2, 2 at the end, with the same subnet mask. Save the configuration, and now we need to tell our client that it should connect to the server. To do that, just enter Peer, and we now need to add the public key of the server's interface. Copy the public key on that interface, this is this one here, switch back to the client, enter PublicKey equals and paste it here. Now we need to enter the IP address of the server. To do that, enter Endpoint equals and then enter the public IP address of the server the client can connect to. I need to find that out because it's dynamically generated, so I will enter ip address, and my server has this IP address here on port eth0. In your case, when you're using a server that is available on the public internet, that probably is not a private IP address but instead a public IP address. I'm using a virtual test environment, so therefore this is a private IP address. Switch back to the client and paste it here. We also need to specify the port 51820, and now we need to specify the allowed IP addresses. To do that, just enter AllowedIPs equals, and you now need to decide: do you want to route all traffic from the client to the tunnel, or just specific traffic and route everything else through your default gateway? Because what wg-quick is doing, it's changing your default gateway once you enter all allowed IP addresses here. In my case I want to do that: I want to route all traffic from the client to the server, and my server will actually forward that network traffic. To do that, just enter 0.0.0.0/0, so that will tell WireGuard: please route all traffic from the client through the tunnel, even if the destination is normal Internet traffic. So when doing that, your
server will need to forward that traffic, and there's a specific setting in Linux that you need to enable in order to make this work, but I will show this later. Let's just finish with this configuration, write it to a file, exit, and then we will start the interface again: wg-quick up wg0. You can see the client has now changed the default gateway to route all traffic through the tunnel interface. Let's check with sudo wg, and you can see our interface is created but it's not connected to the server yet. That is because we first need to add the client on the server, so we actually need to tell the server that this client is allowed to open a connection. We do that by copying the public key of the client's interface here and switching back to the server. On the server there is an easy command to allow a client's connection: just enter sudo wg set wg0 peer, now you need to paste the public key of the client's interface, allowed-ips, and now enter only the IP address of the client's tunnel interface, that's the 2 at the end, /32. Enter, and now we can switch back to the client. But when we enter this command again you can see nothing has changed, right? That is because WireGuard will only send traffic through the tunnel if it needs to, so if we are not sending out any traffic nothing will happen and the tunnel will not be established.

There's another thing you need to consider too when working with NAT devices or firewalls in between. WireGuard's architecture will send our packets on the UDP protocol, which is stateless, so there's no keepalive by default, and that can cause issues with NAT, firewalls or any other network device in between that needs to somehow track the connections. Because the client and the server are not consistently sending out network packets, any gateway in between might just close the connection and WireGuard will not re-establish it again. To overcome this issue you can also specify a specific keepalive that will be sent from the client to the
server. Let's just do that. We first need to take down the interface because otherwise we can't change anything in the configuration file, so wg-quick down wg0, and the routes are now deleted. We can now sudo vim, edit our file, and we can now enter a keepalive packet at the end of this configuration file: just enter PersistentKeepalive equals and then specify the seconds. Just enter something like 30 seconds, that should be enough. Just write this, exit, and now we can establish the connection again: wg-quick up wg0. When we now enter our wg again you can see our connection is just established by the keepalive packets automatically, and we will send out a persistent keepalive to the server every 30 seconds, so the connection will remain open when there are some gateways in between that could just close the connection because of timeout values or something else. With this method you can easily ensure the connection is always open.

Let's just do a quick test if you can reach out to the server. Let's do a ping 10.0.0.1 and you can see that's now working, so that's great, the packets are routed through the tunnel. We can now try to reach out to a public IP address on the Internet. Let's just do a ping to the DNS server of Google, and we can see all the packets are really working too. That's because I've just configured my server to forward any incoming packets on the tunnel interface. You can check if your server is able to forward any network packets by doing cat /proc/sys/net/ipv4/ip_forward. This should be 1; if this is 0 you can simply change this to 1. You just need to do a sudo sysctl -w and then net.ipv4.ip_forward=1. When you enter that and reboot the server, the server will now start forwarding the network packets that are coming from the client to any other destination. You can also check if the client network packets are really going through the tunnel: just enter the ping, and we can now try to capture
these network packets. We can simply just do a tcpdump on the wg0 interface: tcpdump -nvi wg0, so we will trace our network packets from this interface, and just do a filtering on host 8.8.8.8, so we will see only the traffic where the destination or source has this IP address. You can see these are the network packets coming from the client, reaching the tunnel interface of the server, and they are forwarded to the internet, so that is working.

You can also configure this in different ways, of course. When you want to specify on the client that not all traffic should be routed through the Internet, you can basically just go back to the client and edit this configuration file, and you need to change this entry here. Because when you just enter the IP address of the server or the IP address of that network, this will not change your default gateway, so you will send out traffic to the Internet via your private router, but when you send traffic to these destinations specified here, only this traffic will be routed through the tunnel. You can configure this in many different ways; that depends on what your needs are and what your environment looks like.

I think that is not too complicated because we are just using small and very easy configuration files, and overall I think WireGuard is a very interesting and great technology, so I'm really excited about this. I'm excited to try it out in my private environments and do some more research on that as well. I hope you liked this video, I hope you could learn something and I could show you some interesting stuff about WireGuard and VPN protocols. If you enjoyed this video then don't forget to hit the like button. You can also leave me a comment if you want me to do some more specific videos on Linux or networking or basically any other topic you are interested in. So thanks everybody for watching, enjoy the rest of your day, take care of yourself and I'll see you soon.
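The two wg0.conf files and the peer command described in the captions, written out as an added example that is not taken from the video or from the WireGuard project. The function names, the 192.0.2.10 endpoint and the key placeholders are assumptions, and the iptables lines are the commonly used forward-and-masquerade pair, since the captions only say the rules were pasted; eth0 is the server interface named in the captions.

```shell
#!/usr/bin/env bash
# Added example: render the server and client wg0.conf from the captions.
# Keys are passed as arguments. On a real host create them with
#   umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# so the private key file is never readable by other users.

# Server: 10.0.0.1/8, UDP 51820, NAT out of $2 (default eth0).
# wg-quick replaces %i with the interface name (wg0).
render_server_conf() {  # args: server_private_key [outgoing_interface]
  cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.1/8
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${2:-eth0} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${2:-eth0} -j MASQUERADE
ListenPort = 51820
EOF
}

# Client: full tunnel (0.0.0.0/0) with a 30 s keepalive for NAT/firewalls.
render_client_conf() {  # args: client_private_key server_public_key server_ip
  cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.2/8

[Peer]
PublicKey = $2
Endpoint = $3:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 30
EOF
}

# Command run on the server to admit the client: only its tunnel IP, as /32.
server_add_peer_cmd() {  # args: client_public_key
  printf 'wg set wg0 peer %s allowed-ips 10.0.0.2/32\n' "$1"
}

# Write stdin to $1 with mode 600, because the file holds a private key.
install_conf() { ( umask 077; cat > "$1" ); }

# Demo with constructed placeholder values (not real keys or addresses).
d=$(mktemp -d)
render_server_conf "<server-private-key>" | install_conf "$d/server-wg0.conf"
render_client_conf "<client-private-key>" "<server-public-key>" 192.0.2.10 | install_conf "$d/client-wg0.conf"
ls -l "$d"
```

To route only the tunnel network instead of all traffic, the client's AllowedIPs line would carry that network rather than 0.0.0.0/0, as the end of the captions explains.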
Info
Channel: The Digital Life
Views: 43,170
Rating: 4.904489 out of 5
Keywords: linux, wireguard, vpn, ubuntu
Id: bVKNSf1p1d0
Length: 17min 54sec (1074 seconds)
Published: Sun May 31 2020