WireGuard VPN is a very interesting alternative to OpenVPN or IPsec. Kernel version 5.6, which has recently been released, already integrates the WireGuard module. If you are using an older kernel you can also use WireGuard by loading the corresponding module. In our tests we have obtained much better performance with WireGuard than with OpenVPN or IPsec.
In Clouding you don't need to install it manually if you don't want to, you have the WireGuard Preinstalled Image available and ready to configure it with a Web interface.
You can find more information in How to use the WireGuard Preinstalled Image.
WireGuard Installation
WireGuard has its own repository, so the first thing we have to do is add it:
# add-apt-repository ppa:wireguard/wireguard
We will be asked to confirm the installation of the repository. Now we can install WireGuard:
# apt install wireguard
We should get a result like this:
Loading new wireguard-1.0.20200413 DKMS files...
Building for 4.15.0-20-generic
Building initial module for 4.15.0-20-generic
Done.
wireguard:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/4.15.0-20-generic/updates/dkms/
depmod....
DKMS: install completed.
Setting up wireguard (1.0.20200319-0ppa1~18.04) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
As we can see in the output, WireGuard has been installed correctly together with the corresponding kernel module. Now we will load the module by running:
# modprobe wireguard
We can check that it is loaded with:
# lsmod | grep wireguard
It will return a result like this:
wireguard             217088  0
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             16384  1 wireguard
WireGuard Configuration
Now we can proceed to configure WireGuard on our server. The first thing we will do is generate our private and public key pair with:
# wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
Now that we have our keys created, we can proceed to configure a network interface for WireGuard by creating a configuration file:
# vi /etc/wireguard/wg0.conf
We will add the following contents:
[Interface]
Address = 10.0.8.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace SERVER_PRIVATE_KEY with the private key generated above. In our example we use the private range 10.0.8.0/24; you can use any other. Remember that you have to open port 51820 UDP in the firewall of the client panel.
Now we will protect the files we have generated, since other users must not have access to them:
# chmod 600 /etc/wireguard/{privatekey,wg0.conf}
Now that we have WireGuard configured we can activate our network interface by running:
# wg-quick up wg0
The result will look like this:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.8.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
To make NAT work we need to enable IP forwarding:
# /sbin/sysctl -w net.ipv4.ip_forward=1
Now that WireGuard is configured and working, we only have to make sure it keeps working after a server restart. To do this, add the following line to the file /etc/rc.local:
/sbin/sysctl -w net.ipv4.ip_forward=1
In addition, we will enable the network interface to be created at boot with:
# systemctl enable wg-quick@wg0
WireGuard Windows Client
The first thing to do is to download the client for Windows from the WireGuard website. Once installed, we will proceed to configure our tunnel by clicking on "Add Tunnel" -> "Add empty tunnel...":
A window will open showing the public key and the private key of our Windows machine (do not delete the private key):
Before completing the configuration, we will make a few clarifications about AllowedIPs. This variable decides which traffic is routed through the VPN, and we can choose from several options:
- Routing only private traffic: AllowedIPs = 10.0.8.0/24, 10.20.10.0/24
- Route private traffic and any Clouding public IP: AllowedIPs = 10.0.8.0/24, 10.20.10.0/24, 27.0.172.0/22, 46.183.112.0/21, 80.240.126.0/23, 85.208.20.0/21, 93.189.88.0/19, 103.23.60.0/23, 161.22.40.0/21, 185.166.212.0/21, 185.253.152.0/22, 185.254.204.0/22, 213.192.233.0/24, 217.71.200.0/21
- Route all traffic: AllowedIPs = 0.0.0.0/0
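As an added example (not part of the original article), the following POSIX shell functions validate an AllowedIPs value before it goes into a configuration file. Every comma-separated entry must be a well-formed IPv4 CIDR (four octets in 0-255 and a prefix length of 0-32), which catches typos such as a fifth octet or a prefix above 32 before wg-quick rejects the file. The function names are my own.

```shell
#!/bin/sh
# Validate a WireGuard AllowedIPs value such as "10.0.8.0/24, 10.20.10.0/24".
# Added example; function names are assumptions, not WireGuard tooling.

# is_ipv4_cidr ENTRY -> 0 if ENTRY is A.B.C.D/N with octets 0-255 and N 0-32
is_ipv4_cidr() {
    entry=$1
    case "$entry" in
        */*) ;;
        *) return 1 ;;            # no prefix length at all
    esac
    ip=${entry%/*}
    prefix=${entry#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;  # prefix must be digits only
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -f                        # no pathname expansion while splitting
    set -- $ip
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1      # exactly four dotted octets
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_allowed_ips "cidr, cidr, ..." -> 0 if every entry is valid, else 1
# (prints the first offending entry on stderr)
check_allowed_ips() {
    list=$1
    old_ifs=$IFS
    IFS=,
    set -f
    set -- $list
    set +f
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1      # empty value
    for raw in "$@"; do
        entry=$(printf '%s' "$raw" | tr -d ' \t')   # drop spaces after commas
        if ! is_ipv4_cidr "$entry"; then
            printf 'invalid AllowedIPs entry: %s\n' "$raw" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample values: the first two are the forms used above, the last
# two are the kinds of typo the check is meant to catch.
check_allowed_ips "10.0.8.0/24, 10.20.10.0/24" && echo "private ranges: ok"
check_allowed_ips "0.0.0.0/0" && echo "route all: ok"
check_allowed_ips "0.0.0.0.0/0" || echo "five octets: rejected"
check_allowed_ips "10.0.8.0/33" || echo "prefix 33: rejected"
```

Keep in mind that AllowedIPs does double duty in WireGuard's cryptokey routing: on the side that sets it, it selects which destinations are sent into the tunnel, and it is also the set of source addresses accepted from that peer; packets arriving from the peer with a source address outside its AllowedIPs are dropped.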
We will now proceed to configure our VPN taking these variables into account:
- Interface > Private Key: leave the value that appeared when starting to create the tunnel.
- Interface > Address: we will indicate the IP we want the VPN to assign us.
- Peer > PublicKey: enter the public key of our server, the one generated in "WireGuard Configuration".
- Peer > AllowedIPs: indicate the traffic we want to route through the VPN.
- Peer > Endpoint: indicate the public IP of our WireGuard server and the port configured in "WireGuard Configuration".
The configuration file will look like this:
[Interface]
PrivateKey = KJf30VdqaaPR0jjUqk9pEm++Hg+sXyStPH8Ou2ggeHQ=
Address = 10.0.8.10/24
[Peer]
PublicKey = 78MlX8LqV/SNpfvOrrD3nhJmBo0cGtHD94PimCGXSCE=
AllowedIPs = 10.0.8.0/24, 10.20.10.0/24
Endpoint = 185.254.204.xxx:51820
We will save the changes and then register the client on our server, indicating the public key of our Windows machine:
# wg set wg0 peer vgJeO8S9ZDF4PkrwQPfahfpXS+qatvV4V37Q+g4AWH0= allowed-ips 10.0.8.10
Now we can activate our VPN with the activate button:
WireGuard Linux or MacOS client
To configure our VPN on Linux or MacOS the steps are quite similar, and we can also download the MacOS client from the App Store. If we want to configure the VPN from the command line, the steps are very similar to the server configuration.
The first thing we will do is generate the private and public key pair for our PC with:
# wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
Now that we have our keys created, we can proceed to configure a network interface for WireGuard by creating a configuration file:
# vi /etc/wireguard/wg0.conf
We will add the following content:
[Interface]
PrivateKey = KJf30VdqaaPR0jjUqk9pEm++Hg+sXyStPH8Ou2ggeHQ=
Address = 10.0.8.10/24
[Peer]
PublicKey = 78MlX8LqV/SNpfvOrrD3nhJmBo0cGtHD94PimCGXSCE=
AllowedIPs = 10.0.8.0/24, 10.20.10.0/24
Endpoint = 185.254.204.xxx:51820
The configuration file is like the Windows one: we can choose which IP we want to use and which ranges we want to route. In Peer we have to indicate the public key of our WireGuard server, and in Interface the private key of our PC.
We will save the changes and then register the client on our server, indicating the public key of our PC:
# wg set wg0 peer vgJeO8S9ZDF4PkrwQPfahfpXS+qatvV4V37Q+g4AWH0= allowed-ips 10.0.8.10
Now we can enable or disable our VPN with:
# wg-quick up wg0
# wg-quick down wg0
Speed test
It's time for speed tests. We performed this test over a 300 Mbps fiber line, comparing pfSense + OpenVPN against a server with Ubuntu + WireGuard; the results speak for themselves:
WireGuard:
OpenVPN:
As we can see in these iperf tests, WireGuard was much faster than OpenVPN.
We hope we have helped you with this article. If you have any questions about this or any other issue related to your Clouding servers, please contact us at soporte@clouding.io.
We are here to help you!