
WireGuard

What is it

A next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that most other high-speed VPN solutions lack.
Why? - simplicity


Aims to be as easy to configure and deploy as SSH.

A VPN connection is made simply by exchanging public keys, exactly like exchanging SSH keys.

It is even capable of roaming between IP addresses (no dropped connections).
Why? - sound crypto

Uses state-of-the-art cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions.
Why? - low attack surface

It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.

Meant to be comprehensively reviewable by single individuals.
Why? - high performance

A combination of extremely high speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed.
Set up steps


Install WireGuard on VPN server.

Generate server and client keys.

Generate server and client configs.

Enable WireGuard interface.

Enable IP forwarding.

Configure firewall rules.

Configure DNS.

Set up WireGuard on clients.
Our DNS of choice - unbound
Unbound is a validating, recursive, and caching DNS resolver.

It is:

Lightweight and fast

Easy to install and configure

Security oriented

Supports DNSSEC

We'll set it up so that every client query travels through the tunnel to a resolver we control and that validates DNSSEC. That stops DNS leakage to the local network and blocks spoofed answers from rogue routers, captive portals and other on-path attackers. It cannot protect a TLS session by itself, but it removes the DNS tampering that fake proxy configurations, rogue routers and similar MITM setups against HTTPS and other protocols usually start from.
1. Installation – ubuntu

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)

The PPA and the DKMS module are only needed on releases older than Ubuntu 20.04; from 20.04 on WireGuard ships in the kernel and apt-get install wireguard is enough.
2. Key generation

umask 077

wg genkey | tee server_private_key | wg pubkey > server_public_key

wg genkey | tee client_private_key | wg pubkey > client_public_key

umask 077 makes the private key files readable only by their owner. Ideally each client generates its own pair and sends only the public key to the server, so no private key ever exists outside the machine that uses it.
3.1 Server config

/etc/wireguard/wg0.conf
=======================
[Interface]
Address = 10.200.200.1/24
# wg-quick writes the running state back to this file on 'down':
# peers added with 'wg set' are kept, manual edits made while up are lost
SaveConfig = true
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
# the only source address this peer may send from; must equal the client's Address
AllowedIPs = 10.200.200.2/32
3.2 Client config

/etc/wireguard/wg0-client.conf
=======================
[Interface]
# must be the /32 the server lists as AllowedIPs for this peer, or the
# server drops every packet the client sends
Address = 10.200.200.2/32
PrivateKey = <client_private_key>
DNS = 10.200.200.1

[Peer]
PublicKey = <server_public_key>
Endpoint = <vpn_server_address>:51820
# full tunnel for IPv4 only: add ::/0 (or disable IPv6 on the client)
# so IPv6 traffic cannot bypass the tunnel on a dual-stack network
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
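Steps 2 to 3.2 as one script, written here as an added example (not code from the slides or from the WireGuard project). It assumes wireguard-tools is installed for wg; the endpoint name vpn.example.org, the client names and the output directory are placeholders, while 10.200.200.0/24 and port 51820 are the deck's values. Besides rendering the files it checks the mismatch that is easy to make by hand: the client's Address must be exactly the /32 the server lists under that peer, otherwise the handshake succeeds but the server silently drops everything the client sends.

```shell
#!/bin/sh
# Added example (not from the slides or the WireGuard project): render wg0.conf
# for the server plus one config per client, with keys and addresses that match.
# Assumes wireguard-tools (`wg`) is installed. 10.200.200.0/24 and port 51820 are
# the deck's values; ENDPOINT, OUT and the client names are placeholders.
set -eu
umask 077                                # every key file is created mode 0600

VPN_NET="10.200.200"
PORT=51820
ENDPOINT="${ENDPOINT:-vpn.example.org}"  # placeholder: the server's public name or IP
OUT="${OUT:-./wg-out}"

# keypair NAME: write $OUT/NAME.key (private) and $OUT/NAME.pub (public)
keypair() {
    wg genkey | tee "$OUT/$1.key" | wg pubkey > "$OUT/$1.pub"
}

# server_conf SERVER_PRIVATE_KEY: the [Interface] section of the server's wg0.conf.
# SaveConfig makes wg-quick write the running state back on 'down', so peers added
# later with 'wg set' survive a restart (manual edits to the file do not).
server_conf() {
    printf '%s\n' "[Interface]" "Address = $VPN_NET.1/24" "ListenPort = $PORT" \
        "PrivateKey = $1" "SaveConfig = true"
}

# peer_section CLIENT_PUBLIC_KEY CLIENT_IP: one [Peer] block for the server.
# AllowedIPs is the only source address this peer may send from (cryptokey routing).
peer_section() {
    printf '%s\n' "" "[Peer]" "PublicKey = $1" "AllowedIPs = $2/32"
}

# client_conf CLIENT_PRIVATE_KEY CLIENT_IP SERVER_PUBLIC_KEY: full-tunnel client config.
# ::/0 is listed as well so IPv6 is routed into the tunnel (and dropped by the
# server, which allows only the client's IPv4 /32) instead of leaking around it.
client_conf() {
    printf '%s\n' "[Interface]" "Address = $2/32" "PrivateKey = $1" "DNS = $VPN_NET.1" "" \
        "[Peer]" "PublicKey = $3" "Endpoint = $ENDPOINT:$PORT" \
        "AllowedIPs = 0.0.0.0/0, ::/0" "PersistentKeepalive = 21"
}

# check_pair SERVER_CONF CLIENT_CONF CLIENT_PUBLIC_KEY: succeed only if the client's
# Address is the /32 the server lists under that peer's PublicKey. A mismatch
# (client 10.200.200.5 vs server AllowedIPs 10.200.200.2/32, say) means the
# handshake completes but every packet from the client is silently dropped.
check_pair() {
    addr=$(sed -n 's|^Address *= *\([0-9.]*\)/32$|\1|p' "$2")
    [ -n "$addr" ] || return 1
    awk -v pub="$3" -v want="$addr/32" '
        /^\[Peer\]/                              { hit = 0 }
        $1 == "PublicKey"  && $3 == pub          { hit = 1 }
        $1 == "AllowedIPs" && hit && $3 == want  { found = 1 }
        END                                      { exit found ? 0 : 1 }' "$1"
}

# main: server keypair + wg0.conf, then one keypair/config per name in CLIENTS,
# handing out 10.200.200.2, .3, ... in order and checking each pair.
main() {
    mkdir -p "$OUT"
    keypair server
    server_conf "$(cat "$OUT/server.key")" > "$OUT/wg0.conf"
    n=2
    for c in ${CLIENTS:-alice bob}; do
        keypair "$c"
        peer_section "$(cat "$OUT/$c.pub")" "$VPN_NET.$n" >> "$OUT/wg0.conf"
        client_conf "$(cat "$OUT/$c.key")" "$VPN_NET.$n" "$(cat "$OUT/server.pub")" > "$OUT/$c.conf"
        check_pair "$OUT/wg0.conf" "$OUT/$c.conf" "$(cat "$OUT/$c.pub")"
        n=$((n + 1))
    done
}

# Only generate when asked, so the functions can be sourced and reused.
if [ "${WG_GENERATE:-0}" = 1 ]; then main; fi
```

Run it with WG_GENERATE=1 ENDPOINT=<vpn_server_address> CLIENTS="alice bob" sh wg-gen.sh; copy wg0.conf to /etc/wireguard/ on the server and each NAME.conf to the matching client. Generating every private key on one host is convenient for a lab; for real deployments let each client run keypair itself and send only the .pub file.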
4. Enable server interface

chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service
5. IP forwarding

/etc/sysctl.conf
==============
net.ipv4.ip_forward=1

sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward
6. Firewall rules

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT

iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE

eth0 is the server's public uplink; use the real interface name. These ACCEPT rules only restrict anything once the INPUT and FORWARD chain policies are DROP; with the default ACCEPT policies they are redundant. With a DROP policy the set above is also incomplete: the only FORWARD rule is wg0 to wg0 (peer to peer), so clients cannot reach the Internet until a FORWARD rule from wg0 to eth0 is added, and a remote server needs an INPUT rule for SSH before the policy flips or it becomes unreachable.
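The same rule set with explicit deny-by-default policies, an SSH rule, and the tunnel-to-uplink FORWARD rule the slides leave out, as an added example (not code from the slides). It assumes eth0 is the uplink, wg0 on 10.200.200.0/24 is the tunnel and SSH listens on 22; IPv4 only. IPT=echo prints the commands instead of applying them, which is how to review the order before running it as root.

```shell
#!/bin/sh
# Added example (not from the slides): the deck's iptables rules with explicit
# deny-by-default policies, an SSH rule so a remote server stays reachable, and
# the forward rule the slides leave out (tunnel -> uplink). Assumes the uplink is
# eth0, the tunnel is wg0 on 10.200.200.0/24 and SSH listens on 22; IPv4 only.
set -eu

# wg_firewall UPLINK TUN_IF TUN_NET: run the rules through $IPT (default iptables).
# Set IPT=echo to print the resulting commands instead of applying them.
wg_firewall() {
    ipt="${IPT:-iptables}"
    up="$1"; tun="$2"; net="$3"; ssh="${SSH_PORT:-22}"

    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # management access; without this the DROP policy below cuts you off
    $ipt -A INPUT -p tcp --dport "$ssh" -m conntrack --ctstate NEW -j ACCEPT

    # WireGuard is UDP only; everything else on the uplink stays closed
    $ipt -A INPUT -p udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT

    # unbound answers only peers inside the tunnel, never the public interface
    $ipt -A INPUT -i "$tun" -s "$net" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A INPUT -i "$tun" -s "$net" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # peer <-> peer, and peer -> Internet (the rule the deck is missing);
    # nothing is ever forwarded from the uplink into the tunnel unsolicited
    $ipt -A FORWARD -i "$tun" -o "$tun" -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$tun" -o "$up" -s "$net" -m conntrack --ctstate NEW -j ACCEPT

    $ipt -t nat -A POSTROUTING -s "$net" -o "$up" -j MASQUERADE

    # policies last: every ACCEPT above is already in place when DROP takes effect
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
}
```

Apply it with wg_firewall eth0 wg0 10.200.200.0/24 as root, then persist with netfilter-persistent save as in 6.1. It deliberately leaves ip6tables alone; a dual-stack server needs an equivalent v6 policy or IPv6 stays wide open.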


6.1 Persist firewall rules

apt-get install iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save
7.1 Unbound dns setup
apt-get install unbound unbound-host
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

/etc/unbound/unbound.conf
=========================================
server:
num-threads: 4

#Enable logs
verbosity: 1

#list of Root DNS Server


root-hints: "/var/lib/unbound/root.hints"

#Use the root servers key for DNSSEC


auto-trust-anchor-file: "/var/lib/unbound/root.key"

#Respond to DNS requests on all interfaces (the access-control list in 7.2 and
#the firewall decide who gets an answer; binding to 127.0.0.1 and 10.200.200.1
#instead of 0.0.0.0 is tighter)
interface: 0.0.0.0
max-udp-size: 3072
7.2 Unbound dns setup
/etc/unbound/unbound.conf
=========================================
server:
#Continued from 7.1: same server: section, same file
#Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.200.200.0/24 allow

#not allowed to be returned for public internet names


private-address: 10.200.200.0/24

# Hide DNS Server info


hide-identity: yes
hide-version: yes

#Limit DNS Fraud and use DNSSEC


harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes

#Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000000

Check the file with unbound-checkconf and restart unbound before pointing clients at it. auto-trust-anchor-file needs an existing root.key; the package's post-install script normally creates it, and unbound-anchor -a /var/lib/unbound/root.key does so if it is missing.
8.1 Client set up

#Install WireGuard (as in step 1), then:

sudo chown -v root:root /etc/wireguard/wg0-client.conf
sudo chmod -v 600 /etc/wireguard/wg0-client.conf
sudo systemctl enable wg-quick@wg0-client.service

enable only registers the unit for boot; bring the tunnel up now with sudo wg-quick up wg0-client (8.3).
8.2 Client set up

#Adding new clients on server

wg genkey | tee new_client_private_key | wg pubkey > new_client_public_key

wg set wg0 peer <new_client_public_key> allowed-ips <new_client_vpn_IP>/32

#Generate client config as described in part 3.2

wg set only changes the running interface. With SaveConfig = true in wg0.conf the new peer is written back when the interface goes down; otherwise add a [Peer] block to wg0.conf by hand or the peer is gone after a restart. Pick an address inside 10.200.200.0/24 that no other peer already has, use the same /32 as the client's Address, and prefer generating the key pair on the client so the private key never leaves it.


8.3 Client set up

#To bring down WireGuard interface
wg-quick down <interface_name>

#To bring up WireGuard interface
wg-quick up <interface_name>

#To show WireGuard interface status
wg show
References

https://www.wireguard.com/
https://danrl.com/blog/2016/travel-wifi/
http://info.menandmice.com/blog/bid/37244/10-Reasons-to-use-Unbound-DNS
https://wiki.archlinux.org/index.php/unbound
https://freedif.org/unbound-your-own-dns-server/
https://www.unbound.net/documentation/unbound.conf.html
Coming soon

Creating your own portable WireGuard VPN router using a Raspberry Pi

Live automated demo using Ansible
