WireGuard, a lightweight and efficient VPN: detailed installation and usage

Posted by !jazz on Sun, 30 Jan 2022 09:36:35 +0100

Brief introduction

A lightweight and efficient VPN. Official website: https://www.wireguard.com

Compared with the hundreds of thousands of lines of code in OpenVPN and IPsec, WireGuard has only 4000 lines.

Security

  • Curve25519, a modern elliptic-curve key exchange algorithm, currently among the strongest available.
  • ChaCha20, a symmetric cipher that is faster and more efficient than AES in software (on CPUs without AES hardware acceleration).
  • Poly1305, a MAC (Message Authentication Code) standard used to verify data integrity and message authenticity.
  • BLAKE2, a more secure hash function (same role as SHA-1, SHA-256 and MD5).
  • SipHash24, another (keyed) hash function.
  • HKDF, a key derivation algorithm.

Assessment by Linus Torvalds, the father of Linux

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art

Environment requirements

Server requirement: OpenVZ-virtualized servers cannot install this VPN; servers under other virtualization types can.

Install

$ yum update -y
$ reboot # unless there were no updates
$ sudo curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo yum -y install epel-release
$ sudo yum -y install wireguard-dkms wireguard-tools

Verify that the installation was successful:
[root@localhost ~]# modprobe wireguard && lsmod | grep wireguard
wireguard             204791  0 
ip6_udp_tunnel         12755  1 wireguard
udp_tunnel             14423  1 wireguard

Configuration description

WireGuard's multi-user configuration is particularly simple. For each new client you only need to generate a client key pair (public key + private key), add a [Peer] section to the server configuration file, and write in the new client's public key and the client's intranet (tunnel) IP address. (You can add the peer quickly with the wg command, or edit the server configuration file by hand.)

The only differences between the configuration files of different client accounts are the client private key and the client intranet IP address in [Interface].

In addition, there is a principle of reciprocity to understand:

  • The [Interface] in the server configuration file holds the server's own private key; the [Interface] in the client configuration file holds the client's own private key.
  • The [Peer] in the server configuration file holds the client's public key; the [Peer] in the client configuration file holds the server's public key.
  • In short, each side keeps its own private key in [Interface] and the other side's public key in [Peer].

Configure

# First enter the configuration directory. If it does not exist, create it by hand: mkdir /etc/wireguard
cd /etc/wireguard

# Then generate the key pairs (public key + private key): s* files are the server's, c* files the client's.
# Running umask 077 first keeps the key files readable only by root.
wg genkey | tee sprivatekey | wg pubkey > spublickey
wg genkey | tee cprivatekey | wg pubkey > cpublickey

# Enable IP forwarding in the kernel (needed to route client traffic), now and across reboots
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p


# Generate server configuration file

------------------------------------------

echo "[Interface]
# The server's private key; it corresponds to the server public key in the client configuration (read from the file generated above)
PrivateKey = $(cat sprivatekey)
# The server's intranet IP address. The default is usually fine unless 10.0.0.0/24 conflicts with the local network of your server or a client device
Address = 10.0.0.1/24
# iptables rules run when WireGuard starts, to enable forwarding and NAT.
# If your server's primary network interface is not eth0, replace eth0 in the rules below with its name.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables rules run when WireGuard stops, to remove the forwarding and NAT rules again.
# Again, replace eth0 with your primary interface name if it differs.
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# The server's listening port; change it as you like
ListenPort = 443
# DNS server the server uses for domain name resolution
DNS = 8.8.8.8
# Keep the default
MTU = 1420
# [Peer] describes a client. Each additional [Peer] section adds one client account; see the multi-user section below.
[Peer]
# The client account's public key; it corresponds to the private key in the client configuration (read from the file generated above)
PublicKey = $(cat cpublickey)
# The client account's intranet IP address
AllowedIPs = 10.0.0.2/32"|sed '/^#/d;/^\s*$/d' > wg0.conf


# Generate client profile

---------------------------------------------

echo "[Interface]
# The client's private key; it corresponds to the client public key in the server configuration (read from the file generated above)
PrivateKey = $(cat cprivatekey)
# The client's intranet IP address
Address = 10.0.0.2/24
# DNS server used for domain name resolution
DNS = 8.8.8.8
# Keep the default
MTU = 1420
[Peer]
# The server's public key; it corresponds to the server's private key (read from the file generated above)
PublicKey = $(cat spublickey)
# Server address and port. Replace X.X.X.X with your server's public IP, and use the listening port you set in the server configuration
Endpoint = X.X.X.X:443
# Because this is a client, all IP ranges can be routed through the tunnel
AllowedIPs = 0.0.0.0/0, ::0/0
# Keepalive. If the client or server is behind NAT (for example, most home broadband in China has no public IP and sits behind NAT), add this parameter so the client contacts the server periodically (unit: seconds). If neither your server nor your local network is behind NAT, it is recommended not to use it (set it to 0, or delete this line from the client configuration file)
PersistentKeepalive = 25"|sed '/^#/d;/^\s*$/d' > client.conf

Multi user

Prerequisite: you have written the WireGuard configuration file and started the interface.

You can also edit the configuration file [/etc/wireguard/wg0.conf] by hand; remember to restart after editing. The dynamic additions below do not require a restart.

# Generate another client key pair
# cprivatekey1 is the client private key and cpublickey1 is the client public key
wg genkey | tee cprivatekey1 | wg pubkey > cpublickey1

# On the server, add the client (a new [Peer]) to the running interface:
# $(cat cpublickey1) is the client public key and 10.0.0.3/32 is the client's intranet IP address; increase the last octet (.3, .4, ...) in order and never reuse one
wg set wg0 peer $(cat cpublickey1) allowed-ips 10.0.0.3/32

# View wg status
wg
# After running the command the output looks like this (for reference only; the lines below are not commands to execute):
interface: wg0
  public key: xxxxxxxxxxxxxxxxx #Server public key
  private key: (hidden)
  listening port: 443
 
peer: xxxxxxxxxxxxxxxxxxxx #Public key of the old client account
  allowed ips: 10.0.0.2/32 #Intranet IP address of the old client account
 
peer: xxxxxxxxxxxxxxxxxxxx #Public key of the new client account
  allowed ips: 10.0.0.3/32 #Intranet IP address of the new client account
# The above is only example output (for reference only)

# If the output looks right, save it to the configuration file:
wg-quick save wg0
Generate the corresponding client configuration file
The new client's configuration file differs from the other clients' files only in the client private key and the intranet IP address (Address) in [Interface].

echo "[Interface]
# The client's private key; it corresponds to the client public key in the server configuration (read from the file generated above)
PrivateKey = $(cat cprivatekey1)
# The client's intranet IP address (if the address you added above is not .3, change it accordingly)
Address = 10.0.0.3/24
# DNS server used for domain name resolution
DNS = 8.8.8.8
# Keep the default
MTU = 1420
[Peer]
# The server's public key; it corresponds to the server's private key (read from the file generated above)
PublicKey = $(cat spublickey)
# Server address and port. Replace X.X.X.X with your server's public IP, and use the listening port you set in the server configuration
Endpoint = X.X.X.X:443
# Because this is a client, all IP ranges can be routed through the tunnel
AllowedIPs = 0.0.0.0/0, ::0/0
# Keepalive. If the client or server is behind NAT (for example, most home broadband in China has no public IP and sits behind NAT), add this parameter so the client contacts the server periodically (unit: seconds). If neither your server nor your local network is behind NAT, it is recommended not to use it (set it to 0, or delete this line from the client configuration file)
PersistentKeepalive = 25"|sed '/^#/d;/^\s*$/d' > client1.conf
 
# The whole block above is one command. Copy all of its lines and paste them into your SSH client at once; do not execute them line by line.
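As an added example (not from the original post or the WireGuard project), the Python script below automates what the configuration description and the multi-user section do by hand: it renders the server config and one client config per account from the key strings produced by `wg genkey` / `wg pubkey`, allocates intranet IPs in order without repeats, and then checks the reciprocity rule (own private key in [Interface], the other side's public key in [Peer], every client address matched by a /32 on the server) against the generated files. The keys in `demo()` are constructed placeholders in the right format, not real keypairs; `NAT_RULES`, `check_reciprocity` and the other names are this example's own.

```python
"""Render a WireGuard server config plus one client config per account and check the
reciprocity rule (own private key in [Interface], the other side's public key in [Peer]).
Added example, not the tutorial's or WireGuard's code; demo() uses constructed placeholder keys."""
import base64
import binascii
import ipaddress
import os
NAT_RULES = ("iptables -{op} FORWARD -i wg0 -j ACCEPT; iptables -{op} FORWARD -o wg0 -j ACCEPT; "
             "iptables -t nat -{op} POSTROUTING -o {iface} -j MASQUERADE")

def is_wg_key(s):
    """A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in '='."""
    try:
        return len(s) == 44 and len(base64.b64decode(s, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def placeholder_key():
    """Constructed placeholder in the right format; NOT a real keypair (no public key is derived)."""
    return base64.b64encode(os.urandom(32)).decode()

def allocate_client_ips(subnet, count):
    """Hand out .2, .3, ... in order; .1 is the server. StopIteration means the subnet is full."""
    hosts = iter(ipaddress.ip_network(subnet, strict=False).hosts())
    next(hosts)
    return [str(next(hosts)) for _ in range(count)]

def render_server(server_priv, subnet, port, peers, iface="eth0"):
    net = ipaddress.ip_network(subnet, strict=False)
    lines = ["[Interface]", f"PrivateKey = {server_priv}",
             f"Address = {next(net.hosts())}/{net.prefixlen}", f"ListenPort = {port}",
             "PostUp = " + NAT_RULES.format(op="A", iface=iface),
             "PostDown = " + NAT_RULES.format(op="D", iface=iface)]
    for pub, ip in peers:  # one [Peer] per client account, as the tutorial does by hand
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"

def render_client(client_priv, client_ip, prefixlen, server_pub, endpoint, keepalive=25):
    lines = ["[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_ip}/{prefixlen}",
             "DNS = 8.8.8.8", "MTU = 1420", "", "[Peer]", f"PublicKey = {server_pub}",
             f"Endpoint = {endpoint}", "AllowedIPs = 0.0.0.0/0, ::/0"]
    if keepalive:  # only needed when one side sits behind NAT
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"

def parse_wg_conf(text):
    """Minimal wg-quick parser -> list of (section_name, {key: value}); [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def check_reciprocity(server_conf, server_pub, client_confs):
    """Return a list of problems; an empty list means the configs agree with each other."""
    problems, srv = [], parse_wg_conf(server_conf)
    iface = next(d for name, d in srv if name == "Interface")
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("server PrivateKey is not a 32-byte base64 key")
    seen_ips = set()
    for p in (d for name, d in srv if name == "Peer"):
        if not is_wg_key(p.get("PublicKey", "")):
            problems.append(f"server [Peer] PublicKey malformed: {p.get('PublicKey')!r}")
        for ip in (s.strip() for s in p.get("AllowedIPs", "").split(",")):
            if not ip.endswith("/32"):
                problems.append(f"server [Peer] AllowedIPs {ip} is not a single host (/32)")
            if ip in seen_ips:
                problems.append(f"server assigns {ip} to more than one peer")
            seen_ips.add(ip)
    for n, text in enumerate(client_confs, 1):
        cl = parse_wg_conf(text)
        c_iface = next(d for name, d in cl if name == "Interface")
        c_peers = [d for name, d in cl if name == "Peer"]
        if c_iface.get("PrivateKey") == iface.get("PrivateKey"):
            problems.append(f"client {n}: reuses the server's private key")
        host = c_iface.get("Address", "").split("/")[0] + "/32"
        if host not in seen_ips:
            problems.append(f"client {n}: Address {host} has no matching server [Peer]")
        if not c_peers or c_peers[0].get("PublicKey") != server_pub:
            problems.append(f"client {n}: [Peer] PublicKey is not the server's public key")
    return problems

def demo(n_clients=3):
    """Server config + n client configs from constructed placeholder keys, then the check."""
    server_priv, server_pub = placeholder_key(), placeholder_key()
    clients = [(placeholder_key(), placeholder_key()) for _ in range(n_clients)]
    ips = allocate_client_ips("10.0.0.0/24", n_clients)
    server = render_server(server_priv, "10.0.0.0/24", 443, [(pub, ip) for (_, pub), ip in zip(clients, ips)])
    confs = [render_client(priv, ip, 24, server_pub, "X.X.X.X:443") for (priv, _), ip in zip(clients, ips)]
    return {"server": server, "server_pub": server_pub, "clients": confs,
            "problems": check_reciprocity(server, server_pub, confs)}
```

In real use, read `sprivatekey`, `spublickey` and the `cprivatekeyN` / `cpublickeyN` files instead of calling `placeholder_key()`, write `demo()["server"]` to `/etc/wireguard/wg0.conf` and each client config to its own file, and run `check_reciprocity` again whenever a peer is added or removed by hand; a non-empty problem list is the usual cause of a tunnel that handshakes but carries no traffic.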
Deleting a client is also simple. First you need the public key of the client you want to delete (for example, the cpublickey1 generated above).
You can also open the configuration file by hand and delete that client's [Peer] section; remember to restart after editing. The dynamic deletion below does not require a restart.

# If the client's public key file still exists, this one command removes the peer.
# Note: after it runs, skip the lookup below and save the configuration file directly.
wg set wg0 peer $(cat cpublickey1) remove
 
-------
 
# If the client's public key file has been deleted, you can find the client's public key in the output of the wg command:
wg
 
# After running the command the output looks like this (for reference only; the lines below are not commands to execute):
interface: wg0
  public key: xxxxxxxxxxxxxxxxx #Server public key
  private key: (hidden)
  listening port: 443
 
peer: xxxxxxxxxxxxxxxxxxxx #Public key of a client account
  allowed ips: 10.0.0.2/32 #Intranet IP address of that client account
 
peer: xxxxxxxxxxxxxxxxxxxx #Public key of a client account
  allowed ips: 10.0.0.3/32 #Intranet IP address of that client account
# The above is only example output (for reference only)
 
# Copy the public key of the client account you want to delete (the string after "peer:"), replace xxxxxxx in the following command with it, and run it
wg set wg0 peer xxxxxxx remove
# Afterwards, run the wg command again to check that the peer is gone.

If the deletion is successful, we will save it to the configuration file:
wg-quick save wg0
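As an added example (not from the original post or the WireGuard project), the Python below does the lookup described above programmatically instead of copying the key out of `wg` output by eye: it parses the machine-readable `wg show wg0 dump` format, finds the peer whose AllowedIPs cover a given intranet IP, builds the matching `wg set wg0 peer <key> remove` command, and as an operational check lists peers that have not completed a handshake recently. `SAMPLE_DUMP` is a constructed sample with placeholder key strings; `live_dump`, `stale_peers` and the 180-second threshold are this example's own choices.

```python
"""Peer lookup and stale-peer check over `wg show wg0 dump` output.
Added example, not the post's or WireGuard's code. SAMPLE_DUMP is constructed;
its key strings are placeholders, not real keys."""
import ipaddress
import subprocess

# Constructed sample of `wg show wg0 dump`. Line 1: private-key, public-key, listen-port, fwmark.
# Each peer line: public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix time,
# 0 = never), transfer-rx, transfer-tx, persistent-keepalive. Fields are tab-separated.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUBLIC_KEY_PLACEHOLDER=\t443\toff\n"
    "CLIENT1_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1643531795\t12345\t67890\t25\n"
    "CLIENT2_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)
PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "transfer_rx", "transfer_tx", "persistent_keepalive")

def live_dump(iface="wg0"):
    """Read the real dump from the running interface (needs root and wireguard-tools)."""
    return subprocess.run(["wg", "show", iface, "dump"], capture_output=True,
                          text=True, check=True).stdout

def parse_dump(text):
    """Return (interface_fields, [peer dicts]) with typed handshake time and parsed networks."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    interface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = []
    for row in rows[1:]:
        peer = dict(zip(PEER_FIELDS, row))
        peer["latest_handshake"] = int(peer["latest_handshake"])
        peer["allowed_ips"] = [ipaddress.ip_network(c) for c in peer["allowed_ips"].split(",")
                               if c != "(none)"]
        peers.append(peer)
    return interface, peers

def peer_key_for_ip(dump, ip):
    """Public key of the peer whose AllowedIPs cover `ip`, or None if no peer owns it."""
    addr = ipaddress.ip_address(ip)
    for peer in parse_dump(dump)[1]:
        if any(addr in net for net in peer["allowed_ips"]):
            return peer["public_key"]
    return None

def removal_command(dump, ip):
    """The exact `wg set` command that drops the peer owning `ip` (run it, then `wg-quick save wg0`)."""
    key = peer_key_for_ip(dump, ip)
    if key is None:
        raise KeyError(f"no peer owns {ip}")
    return f"wg set wg0 peer {key} remove"

def stale_peers(dump, now, max_age=180):
    """Peers that never handshaked or whose last handshake is older than max_age seconds.
    180 s is an assumed threshold: WireGuard re-handshakes roughly every two minutes while traffic flows."""
    return [peer["public_key"] for peer in parse_dump(dump)[1]
            if peer["latest_handshake"] == 0 or now - peer["latest_handshake"] > max_age]
```

On a live server, `removal_command(live_dump(), "10.0.0.3")` returns the command to paste, and `stale_peers(live_dump(), int(time.time()))` run from cron is a cheap way to notice accounts that are configured but no longer used, which are the ones worth reviewing for removal.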

Service management

# Start Wireguard
wg-quick up wg0
 
# Stop WireGuard
wg-quick down wg0
 
# View Wireguard status
wg

# Set startup
systemctl enable wg-quick@wg0

# Cancel startup
systemctl disable wg-quick@wg0