VPNserver: Difference between revisions
Revision as of 02:00, 11 May 2025
Introduction
The only host on the VPNnet is Vanilla, which has the IP address VPNnet.5. OpenVPN was tried first but it had problems with routing, so WireGuard was tried instead and it now works. It is possible that the routing problems were the same as those met with WireGuard and could have been overcome, but as there is now a working WireGuard solution on Vanilla there is only limited reason to try OpenVPN again.
The Solution required
The general idea of the VPN is to allow RDP access to the desktop hosts on the terminals network from a remote location. There may be some gain in having a Samba share to Satsuma as well, since the VPN will secure the connection. There does not need to be an Internet connection through the VPN at this time, so we will not add the tunnel IP as the default route for Internet traffic; if that changes it should be fairly straightforward to add it to the client connection. There may be other requirements at a later date.
Installation of Wireguard
To install Wireguard on Vanilla do
sudo apt update
sudo apt install wireguard wireguard-tools -y
wireguard-tools is a package containing additional utilities for managing WireGuard, such as wg and wg-quick. More details can be found on the Ubuntu website: https://documentation.ubuntu.com/server/explanation/intro-to/wireguard-vpn/index.html. Once the two packages are installed we need to generate the public and private keys. First we create the private key with the command
sudo wg genkey | sudo tee /etc/wireguard/server-privatekey
This runs wg genkey to generate a new WireGuard private key, which is displayed on the screen; piping it through tee also copies it to the file /etc/wireguard/server-privatekey. We can then derive the matching public key from this private key with the command
sudo cat /etc/wireguard/server-privatekey | wg pubkey | sudo tee /etc/wireguard/server-publickey
This pipes the private key from the file we just made into wg pubkey; tee then displays the public key on screen and copies it to the file /etc/wireguard/server-publickey. It is best to check that both key files can be read before clearing the screen, so do
sudo nano /etc/wireguard/server-publickey
and
sudo nano /etc/wireguard/server-privatekey
just to be sure that both can be accessed. The private key must be kept private, so use chmod to make it readable by root only:
sudo chmod 600 /etc/wireguard/server-privatekey
Now, to view the file or even get a listing, you have to use sudo. The public key will need to be exchanged with clients, so there is no need to keep it private. Using our newly created keys we can create a wg0.conf file in the wireguard directory.
sudo nano /etc/wireguard/wg0.conf
In this file we will need the following information
[Interface]
PrivateKey = <your_server_private_key_just_generated>
Address = 192.168.130.4/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
# PostDown must delete (-D) the same rules PostUp appended (-A); using -A here again would add a second MASQUERADE rule every time the interface goes down
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp6s18 -j MASQUERADE

[Peer]
PublicKey = <client_public_key_1_not_yet_created>
AllowedIPs = 192.168.130.6/32

[Peer]
PublicKey = <client_public_key_2_also_not_yet_created>
AllowedIPs = 192.168.130.7/32
In the interface section we need to paste in the private key from /etc/wireguard/server-privatekey (sudo is needed just to read it). The IP address for the interface needs to be different from Vanilla's existing interface; as Vanilla is on 192.168.130.5 we give the wg0 interface 192.168.130.4/24. If qemu-guest-agent is installed, the interface should be visible in the Proxmox GUI summary once WireGuard is up and running. In a production environment we would possibly put this interface on a different IP range (subnet) with more hosts and a DHCP server running, but as we will only have a few clients we will use static IPs on the same range: we will never have enough clients to make static IPs unmanageable, and we will probably never need scripts to configure clients. ListenPort is the port that Vanilla listens on for connections. The PostUp and PostDown iptables commands allow forwarding and NAT; they are mostly boilerplate.
- iptables is the command-line tool for managing the Linux kernel firewall.
- -A FORWARD: Appends a rule to the FORWARD chain. The FORWARD chain handles traffic that is passing through the server, not traffic destined for the server itself.
- -i %i: Specifies the input interface. %i is a placeholder that wg-quick replaces with the name of the WireGuard interface (in your case, wg0). So, this part of the rule says: "For any traffic coming into the server on the wg0 interface..."
- -j ACCEPT: Specifies the action to take if a packet matches the rule. ACCEPT means to allow the packet to continue to its destination.
- In essence, this part of the PostUp rule allows traffic originating from your WireGuard clients (coming in on the wg0 interface) to be forwarded to other interfaces on your server (like eth0 to reach your LAN or the internet).
The two peer sections will need the public keys from the clients added in once they have been generated, and AllowedIPs sets the IP address of each client (as a single /32 address).
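As an added example (not part of the wiki page or the WireGuard project), the script below renders the wg0.conf described above from the key file and the client list, and runs the two checks worth doing before bringing the interface up: that the private-key file really is mode 600, and that the PostDown line deletes exactly what PostUp appended. It assumes GNU stat and that the key files were already created with wg genkey / wg pubkey; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the wiki page: render the wg0.conf described above and
# run two checks a practitioner wants before `wg-quick up`. Assumes GNU stat and
# that the key files were already made with wg genkey / wg pubkey.

# Echo 1 if the file's permission bits are exactly 600 (root-only), else 0.
key_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    if [ "$mode" = "600" ]; then echo 1; else echo 0; fi
}

# One [Peer] block: $1 = client public key, $2 = client tunnel IP (always /32,
# so the server only routes that single address back to this client).
peer_block() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Render wg0.conf. $1 = server private-key file, $2 = outbound (LAN) interface,
# $3 = server tunnel address with prefix, $4 = listen port; then pairs of
# client_pubkey client_ip for each peer. Output goes to stdout.
render_wg0_conf() {
    keyfile=$1; wan_if=$2; addr=$3; port=$4
    shift 4
    privkey=$(cat "$keyfile") || return 1
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nListenPort = %s\n' \
        "$privkey" "$addr" "$port"
    # %%i is the literal %i that wg-quick replaces with the interface name.
    # PostDown must delete (-D) exactly the rules PostUp appended (-A).
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan_if"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$wan_if"
    while [ $# -ge 2 ]; do
        printf '\n'
        peer_block "$1" "$2"
        shift 2
    done
}

# True if the PostDown line is the PostUp line with every -A turned into -D;
# catches a copied PostDown that still appends a second MASQUERADE rule on 'down'.
postdown_mirrors_postup() {
    up=$(printf '%s\n' "$1" | sed -n 's/^PostUp = //p' | sed 's/ -A / -D /g')
    down=$(printf '%s\n' "$1" | sed -n 's/^PostDown = //p')
    [ -n "$up" ] && [ "$up" = "$down" ]
}
```

Run it as root with `render_wg0_conf /etc/wireguard/server-privatekey enp6s18 192.168.130.4/24 51820 <client_pubkey_1> 192.168.130.6 <client_pubkey_2> 192.168.130.7 > /etc/wireguard/wg0.conf` once the client keys exist.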