WireGuard VPN: Installation and Configuration of VPN Server and Clients

January 15, 2020 Matt Mills How to 0

WireGuard VPN is a completely free software application that will allow us to establish VPN tunnels. This complete software incorporates all the necessary communication and cryptography protocols to build a virtual private network between several clients and a server. WireGuard provides better performance than the IPsec protocol and OpenVPN (both in speed and latency of connections), today we will explain its main features, how to install and configure it easily.

wireguard-14

WireGuard VPN features

WireGuard VPN is a software to create a virtual private network (VPN) extremely simple to configure , very fast (faster than IPsec and OpenVPN) and that uses the most modern cryptography by default , without the need to select between different symmetric encryption algorithms, asymmetric and hashing. The goal of WireGuard VPN is to become a standard, and for more home users and businesses to start using it, instead of using IPsec or the popular OpenVPN that are more difficult to configure and slower. This software is designed to be used by all audiences, both for home users and super computers.

With WireGuard VPN it is not necessary to manage the connections , worry about the state of the virtual private network itself, manage processes or know what is under the software to make it work, just like IPsec, where it is often necessary to look at logs and investigate what is happening. Another strength is that the configuration is extremely basic, but very powerful.

This software is an L3 VPN , that is, it uses tunneling only , it does not happen as OpenVPN where we have the possibility of working in transport mode or tunnel mode. In this case we will always use tunnel mode, in addition, it is compatible with both IPv4 networks and IPv6 networks , in addition, it can encapsulate IPv4 packets in IPv6 and vice versa. The transport layer protocol used by WireGuard is UDP , so we will have to open a certain port (to choose, it can be changed) in our router that does NAT.

Operating System Compatibility

This new VPN software was first released for the Linux Kernel, but it is cross-platform , since it is compatible with Windows, Linux, MacOS, FreeBSD, Android and also iOS operating systems . One of the strengths of this software is that the client and server configuration is exactly the same in different operating systems, using the same syntax, so you can configure the server and clients in Linux, and then “pass” the configuration to other devices with other operating systems inside.

Cryptography used

With the IPsec and OpenVPN protocols, it is necessary that both the clients and the server “agree” on the cryptographic protocols to be used, both in phase 1 and phase 2 (of IPsec), and in the control and data channel (of OpenVPN) , otherwise, the connection will not be established correctly. WireGuard provides an entire cryptographic “package” , ensuring connectivity without the need to select anything. If at one point one of the cryptographic protocols used by this VPN is considered insecure, it is as easy as launching a second version of WireGuard with a new protocol that does not have a security flaw, and between the clients and the server it will be indicated that use “version 2”, being completely transparent to us.

Another very important detail is that this VPN uses a very small source code . There are very few lines of code compared to StrongSwan or OpenVPN, so audits could be performed in a very short time, it will also be easier to find possible vulnerabilities or security flaws. With fewer lines of code, the surface of a possible attack on the VPN programming is also smaller.

WireGuard VPN currently uses ChaCha20 for symmetric encryption, authenticated with Poly1305 , using an AEAD construct. It also uses Curve25519 for ECDH, BLAKE2 for hashing, SipHash24 for hashtable keys, and HKDF for key derivation, which means that we are using the most modern cryptographic algorithms, with the aim of providing maximum security and performance.

Roaming and Kill Switch support

This software is designed to be able to roam easily and quickly , if our device changes networks, and logically changes public IP, such as when we pass from the Wi-Fi network and the 4G / LTE network of our operator, the VPN connection will remain lifted because they will quickly re-authenticate with the VPN server, so that we will always be connected to the VPN.

We can also enable the Kill-Switch on the device , in this way, if the VPN connection is interrupted, the software itself will also be in charge of interrupting all network traffic until the VPN connection is reestablished, in order that Let’s not navigate without the protection this VPN gives us.

WireGuard VPN installation

The installation of this software is really easy, we just have to go to the official website of WireGuard , and download the executable for Windows or MacOS operating systems. If you use a Linux-based operating system with its corresponding repositories, you will probably have to add the specific WireGuard repositories, since it is currently not in the “stable” branch by default.

For example, we have installed the VPN server in a Debian latest version, in order to install it we have followed the steps indicated on the official website. Superuser permissions are required to perform the installation correctly.

 sudo echo "deb http://deb.debian.org/debian/ unstable main"> /etc/apt/sources.list.d/unstable.list
sudo printf 'Package: * / nPin: release a = unstable / nPin-Priority: 90 / n'> /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard

We must not forget that this VPN is also compatible with operating systems such as FreeBSD, OpenBSD and even with OpenWRT for routers, since simply simply install it through “opkg” as all additional software is usually installed.

If you are going to install the VPN client on your smartphone with Android or iOS, we currently have the official applications, so you can install it without problems from Google Play and App Store respectively:

WireGuard configuration: public, private keys and configuration files

Once we have correctly installed WireGuard, both on the computer that acts as a server, as well as on all the clients that we want to connect, it is necessary to configure it. The first thing we must do is create the public-private key pair, both on the server and on all the clients that we want to connect. We have used a Debian operating system to generate the keys, and also to configure the server, however, we could also do it directly in the Windows software.

The route to run the WireGuard server on Debian is / etc / wireguard /, so we are going to go to this route with the following command:

cd /etc/wireguard/

Even-public-private key generation for the server

To generate the public and private key pair right in this location, we simply have to put:

wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor

Now we will have two files, one with the public key and one with the private one:

  • Private key: 6JcquylvtJsHNCdWrYMj28XsLIFJUVjlr2y5o27rO2c =
  • Public key: xeTkJjjBUyp8paxTgajwDa + qWjrD2RpXlJRSHMwcGDQ =

These keys are the ones we will use for the WireGuard VPN «server».

Even-public-private key generation for a client

To generate another pair of public and private keys, which we will use in a client, we can create them in a new folder, or create them in the same location, but with another name.

wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1

Now we will have two files, one with the public key and one with the private one:

  • Private key: yPMpP2raY4FoCEJkmzQMlxzm / 6RBIW9HkjY6pVFIOnI =
  • Public key: 6c12jLkKzgU9len1kQ / 6Fc61xm + LL98TPPlLsri8klE =

These keys are the ones we will use for a WireGuard VPN client.

Server configuration file

The configuration of the WireGuard server is quite simple compared to IPsec or OpenVPN servers, however, we must take into account several things that we explain below.

In the server we will have to have an ” Interface ” section, in this section we can indicate the private IP address that identifies the server when the clients connect. We must remember that this VPN is L3, so we can put any private IP address that is not in use at any given time. For example, in OpenVPN the default subnet is 10.8.0.0/24, here we can also put the same or any other subnet 192.168.2.0/24 (and 192.168.2.1 is the server itself, and the other IPs that are the clients). With the syntax of « Address » we will put the VPN subnet that we want.

In « PrivateKey » we will have to enter the private key that we have previously generated for the server. In « ListenPort » we will put the UDP port that we want to use for the server, this port is the one that we will later have to «open» in NAT if we are behind a router with NAT.

Finally, in this section of «Interface» we can also define commands to be executed after lifting the virtual interface with «PostUp» and after throwing the virtual interface with «PostDown». As you can see, we have it currently commented, since we do not want to do NAT against this interface, but it could be done perfectly.

In the section ” Peer ” is where we will have to put the list of clients that we allow to connect. In this case, we will only connect a «peer», so we will define your public key with « PublicKey » that we have created previously (or that the client has provided us, since it is possible that it has been generated by him), and also We can indicate if we allow that client with a specific IP address to connect. With the « AllowedIPs » directive we can filter the source IP addresses, if we put 0.0.0.0/0 it means that we allow any IP address.

[Interface] Address = 192.168.2.1/24
PrivateKey = 6JcquylvtJsHNCdWrYMj28XsLIFJUVjlr2y5o27rO2c =
ListenPort = 51820

#PostUp = iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
#PostDown = iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE

[Peer] PublicKey = 6c12jLkKzgU9len1kQ / 6Fc61xm + LL98TPPlLsri8klE =
AllowedIPs = 0.0.0.0/0

If we want to add more “peers”, simply define them individually in the configuration file as follows:

[Interface] Address = 192.168.2.1/24
PrivateKey = 6JcquylvtJsHNCdWrYMj28XsLIFJUVjlr2y5o27rO2c =
ListenPort = 51820

#PostUp = iptables -A FORWARD -i% i -j ACCEPT; iptables -A FORWARD -o% i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
#PostDown = iptables -D FORWARD -i% i -j ACCEPT; iptables -D FORWARD -o% i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE

[Peer] PublicKey = 6c12jLkKzgU9len1kQ / 6Fc61xm + LL98TPPlLsri8klE =
AllowedIPs = 0.0.0.0/0

[Peer] PublicKey = client public key 2
AllowedIPs = 0.0.0.0/0

[Peer] PublicKey = customer public key 3
AllowedIPs = 0.0.0.0/0

[/ code]

The configuration file can be called «wg0.conf», since WireGuard creates virtual interfaces with this name, ideal to distinguish them perfectly. To run this configuration file, just run:

root@debian-vm:/etc/wireguard# wg-quick up wg0

When you start it, WireGuard will be in charge of creating the virtual interface, putting IP address, MTU, and even creating the corresponding routes in the routing table:

root@debian-vm:/etc/wireguard# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Configuration file for clients

WireGuard client configuration is quite simple compared to IPsec or OpenVPN servers, however, we must take into account several things that we explain below.

In the client we will have to have an ” Interface ” section, in this section we can indicate the private IP address that identifies the client when we connect. We must remember that this VPN is L3, so we can put any private IP address that is not in use at any given time. For example, in OpenVPN the default subnet is 10.8.0.0/24, here we can also put the same or any other subnet 192.168.2.0/24 (and 192.168.2.1 is the server itself, and the address 192.168.2.2 from now on, be the clients, with the syntax of ” Address ” we will put the VPN subnet that we want.

In « PrivateKey » we will have to enter the private key that we have previously generated for the client.

In the section ” Peer ” is where we will have to put the public key with ” PublicKey ” of the WireGuard server to which we are going to connect, that is, this public key has had to be provided to us by the server. On this occasion, we can also use the ” AllowedIPs ” directive, but the operation is different, on this occasion we can define whether we only want to go through the VPN to a certain subnet (or several subnets), or we want to forward all Internet traffic by The virtual private network. If we put the subnets separated by commas, we can access several that we have on the server, if we want to forward all the traffic we simply put 0.0.0.0/0, as it happens with IPsec.

Finally, with the « Endpoint » directive we will define the public IP address of the server where we have WireGuard VPN running, followed by two points (:) of the UDP port used. We must remember that WireGuard uses UDP, so we should not filter it on firewalls.

The software and communication with WireGuard tries to pass as unnoticed as possible if it is not in use, that is, it does not continuously send data through the VPN to keep the tunnel active, ideal for saving battery and mobile data on smartphones. In most of the usual configurations this works perfectly, but if we are behind a NAT or firewall, it is possible that the communication is cut because no data is being transferred, so it is necessary to configure a “keep alive”. To configure the Keep Alive, simply indicate the “PersistentKeepAlive” directive and enter an integer that means the seconds of keeping alive. According to official documentation, setting 25 seconds is sufficient for most firewalls and NAT systems, if we set 0 it disables this function. If we are behind NAT or a firewall and want to receive incoming connections after a long time without traffic, this directive will be necessary, otherwise we may not put it.

[Interface] PrivateKey = yPMpP2raY4FoCEJkmzQMlxzm / 6RBIW9HkjY6pVFIOnI =
Address = 192.168.2.2/32

[Peer] PublicKey = xeTkJjjBUyp8paxTgajwDa + qWjrD2RpXlJRSHMwcGDQ =
AllowedIPs = 0.0.0.0/0
Endpoint = 10.10.2.86:51820

#PersistentKeepalive = 25

In Windows operating systems we can import this same configuration, and we will have it ready to connect, although we can connect from scratch a client, but we must “pass” the generated public key to the WireGuard server.

It is also very important to look at the WireGuard logs, to verify that the VPN connection has been established correctly. We cannot put in the “Interface / Address” section a private IP address that is already in use in Windows clients, since we will have an error in the connection.

As you have seen, the configuration of the WireGuard VPN is really easy and fast

WireGuard VPN performance compared to L2TP / IPsec and OpenVPN

In RedesZone we have checked the performance of WireGuard VPN compared to L2TP / IPsec and OpenVPN, the tests have been carried out in local network to avoid problems with the operator, so we can measure the real maximum performance that is able to provide us with a hardware specific.

The VPN server configuration we have used (for both L2TP / IPsec, OpenVPN and WireGuard) is as follows:

  • QNAP TS-1277: AMD Ryzen 7 2700 processor; RAM memory: 64GB RAM DDR4; Network connectivity: QNAP QXG-10G2T-107 at 10Gbps with Cat7 cabling, and a D-Link DXS-1210-10TS switch .
  • The VPN software for L2TP / IPsec and OpenVPN (using UDP) is QVPN 2 from QNAP
  • In a second test with OpenVPN (using UDP) and AES-256-GCM we used Virtualization Station with Debian.
  • iperf3 installed manually in QTS and also in virtualized Debian.

The VPN client configuration we have used (for both L2TP / IPsec, OpenVPN and WireGuard) is as follows:

  • PC with AMD Ryzen 7 3800x processor; RAM memory: 32GB RAM DDR4 3200MHz; Network connectivity: ASUS XG-C100C at 10Gbps with CAT7 cabling and a D-Link DXS-1210-10TS switch for the connection of both devices . Operating system used in the tests: Windows 10 1909.
  • Windows 10 L2TP / IPsec client
  • Latest version of OpenVPN (2.4.8)
  • iperf 3 in Windows 10.

The performance obtained in the tests is as follows:

As you can see, the real speed of WireGuard is twice that of L2TP / IPsec or OpenVPN, so we can say that this VPN is really fast.

We hope this setup tutorial will help you, and you can easily deploy WireGuard servers and clients to connect securely to our home, business, or the Internet from anywhere in a secure way.