What is it
• Aims to be as easy to configure and deploy as SSH.
• A VPN connection is made simply by exchanging short public keys, exactly like exchanging SSH keys.
• It can even roam between IP addresses without dropping the connection.
Why? - sound crypto
Set-up steps
1. Install WireGuard on the VPN server.
2. Generate server and client keys.
3. Generate server and client configs.
4. Enable the WireGuard interface.
5. Enable IP forwarding.
6. Configure firewall rules.
7. Configure DNS.
8. Set up WireGuard on the clients.
Our DNS of choice - unbound
Unbound is a validating, recursive, and caching DNS resolver.
It is:
• Lightweight and fast
• Easy to install and configure
• Security oriented
• Supports DNSSEC
1. Install WireGuard on the server
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)
(The PPA and the DKMS module date from before WireGuard was merged into the mainline kernel. On Ubuntu 20.04 or later, or any kernel 5.6+, apt-get install wireguard is enough and no out-of-tree module is built.)
2. Key generation
umask 077
(077 makes every file created in this shell readable by its owner only, so the private keys are never world-readable, not even for a moment.)
3.1 Server config
/etc/wireguard/wg0.conf
=======================
[Interface]
Address = 10.200.200.1/24
# SaveConfig writes the running state (including peers added with "wg set") back to
# this file when the interface goes down, overwriting any hand edits made meanwhile.
SaveConfig = true
PrivateKey = <server_private_key>
ListenPort = 51820
[Peer]
PublicKey = <client_public_key>
# The client's tunnel address. Packets from this peer with any other source address are dropped.
AllowedIPs = 10.200.200.2/32
3.2 Client config
/etc/wireguard/wg0-client.conf
==============================
[Interface]
# Must be the address listed in the server's AllowedIPs for this peer (10.200.200.2/32 above),
# otherwise the server silently discards the client's traffic.
Address = 10.200.200.2/32
PrivateKey = <client_private_key>
DNS = 10.200.200.1
[Peer]
PublicKey = <server_public_key>
Endpoint = <vpn_server_address>:51820
# Route all IPv4 through the tunnel. IPv6 is not covered: a client with native IPv6 will send
# that traffic outside the tunnel unless ::/0 is added here and the server carries IPv6 too.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
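Steps 2 and 3 together as one script. This is an added example and not part of the slides: it generates both key pairs under umask 077 and renders the two configs from shared variables, so the client's Address and the server peer's AllowedIPs cannot drift apart, then checks that they agree. Assumptions not in the original: it runs as root on the server, /etc/wireguard already exists (the package creates it), and the public endpoint hostname is passed on the command line.

```shell
#!/bin/sh
# Added example: WireGuard key generation plus server/client config rendering.
# Assumptions (not from the slides): run as root on the server, keys and configs
# live in /etc/wireguard, public endpoint hostname given as a command-line argument.
set -eu

WG_NET="10.200.200"          # the /24 tunnel network used in the slides
SERVER_ADDR="$WG_NET.1"      # server end of the tunnel
CLIENT_ADDR="$WG_NET.2"      # must equal the server [Peer] AllowedIPs for this client
LISTEN_PORT=51820

# gen_keypair <basename> -> writes <basename>.key (private) and <basename>.pub
# umask 077 makes the new files mode 600, so the private key is never world-readable.
gen_keypair() {
  umask 077
  wg genkey | tee "$1.key" | wg pubkey > "$1.pub"
}

# render_server_conf <server_private_key> <client_public_key>
# SaveConfig is left off: with it on, wg-quick overwrites this file on shutdown.
render_server_conf() {
  cat <<EOF
[Interface]
Address = $SERVER_ADDR/24
ListenPort = $LISTEN_PORT
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = $CLIENT_ADDR/32
EOF
}

# render_client_conf <client_private_key> <server_public_key> <endpoint_host>
render_client_conf() {
  cat <<EOF
[Interface]
Address = $CLIENT_ADDR/32
PrivateKey = $1
DNS = $SERVER_ADDR

[Peer]
PublicKey = $2
Endpoint = $3:$LISTEN_PORT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
EOF
}

# check_addresses <server_conf_text> <client_conf_text> -> prints "ok" or "mismatch"
# The client's /32 Address must be the server peer's /32 AllowedIPs, otherwise the
# server drops the client's packets without any error message.
check_addresses() {
  srv=$(printf '%s\n' "$1" | sed -n 's/^AllowedIPs = \([0-9.]*\)\/32$/\1/p')
  cli=$(printf '%s\n' "$2" | sed -n 's/^Address = \([0-9.]*\)\/32$/\1/p')
  [ -n "$srv" ] && [ "$srv" = "$cli" ] && echo ok || echo mismatch
}

main() {
  cd /etc/wireguard
  gen_keypair server
  gen_keypair client
  render_server_conf "$(cat server.key)" "$(cat client.pub)" > wg0.conf
  render_client_conf "$(cat client.key)" "$(cat server.pub)" "$1" > wg0-client.conf
  chmod 600 wg0.conf wg0-client.conf
  check_addresses "$(cat wg0.conf)" "$(cat wg0-client.conf)"
}

# Only act when explicitly asked, e.g.:  sh wg-keys.sh apply vpn.example.com
case "${1:-}" in
  apply) main "${2:?endpoint hostname required}" ;;
esac
```

Copy wg0-client.conf (it contains the client's private key) to the client over a trusted channel, never by e-mail or chat, then bring the server side up with wg-quick up wg0, or systemctl enable --now wg-quick@wg0 to have it start at boot.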
4. Enable server interface
5. Enable IP forwarding
/etc/sysctl.conf
================
net.ipv4.ip_forward=1
sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward
(sysctl -p already applies the new value; the echo is the equivalent one-off toggle, which does not survive a reboot.)
6. Firewall rules
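Forwarding alone only lets the kernel move packets between interfaces; for clients to reach the internet their 10.200.200.0/24 source addresses must also be NATed onto the server's public address, and the WireGuard port must be reachable. The script below is an added example, not part of the slides. It assumes iptables, a WAN interface named eth0, the tunnel interface wg0 and UDP port 51820, and emits the rules in the form wg-quick's PostUp/PostDown hooks expect, with an add/delete pair so taking the interface down removes exactly what bringing it up added.

```shell
#!/bin/sh
# Added example (not from the slides): forwarding and NAT rules for a WireGuard
# server that routes client traffic to the internet.
# Assumptions: iptables is present (legacy or nft backend), WAN interface eth0,
# tunnel interface wg0, UDP port 51820, tunnel network 10.200.200.0/24.
set -eu

# fw_rules <-A|-D> <wan_if> <wg_if> <port>
# Prints the iptables commands that (1) accept WireGuard handshakes on the WAN,
# (2) forward tunnel traffic out and reply traffic back in, and (3) masquerade
# the tunnel network behind the WAN address. -A adds, -D deletes the same rules,
# so PostUp and PostDown stay symmetric and nothing is left behind.
fw_rules() {
  act=$1; wan=$2; wg=$3; port=$4
  cat <<EOF
iptables $act INPUT -i $wan -p udp --dport $port -j ACCEPT
iptables $act FORWARD -i $wg -o $wan -j ACCEPT
iptables $act FORWARD -i $wan -o $wg -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat $act POSTROUTING -s 10.200.200.0/24 -o $wan -j MASQUERADE
EOF
}

# hook_lines <wan_if> <port>
# Renders the two lines to paste into the [Interface] section of wg0.conf.
# %i is expanded by wg-quick to the interface name (wg0 for wg0.conf).
hook_lines() {
  for act in -A -D; do
    [ "$act" = -A ] && printf 'PostUp = ' || printf 'PostDown = '
    fw_rules "$act" "$1" %i "$2" | awk 'NR>1{printf "; "} {printf "%s", $0} END{print ""}'
  done
}

# Usage:  sh wg-fw.sh hooks eth0   (print PostUp/PostDown lines)
#         sh wg-fw.sh up eth0      (apply rules now)   sh wg-fw.sh down eth0 (remove them)
case "${1:-}" in
  up)    fw_rules -A "${2:-eth0}" wg0 51820 | sh -e ;;
  down)  fw_rules -D "${2:-eth0}" wg0 51820 | sh -e ;;
  hooks) hook_lines "${2:-eth0}" 51820 ;;
esac
```

If the FORWARD chain policy is ACCEPT the two FORWARD rules are redundant but harmless; the conntrack rule is what keeps the tunnel working once the policy is tightened to DROP, which is where a VPN gateway should end up.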
7. Configure DNS
/etc/unbound/unbound.conf
=========================
server:
    num-threads: 4
    # Enable logs
    verbosity: 1
    # After this many unwanted (unsolicited or mismatched) replies unbound flushes its
    # caches and logs a warning: a cheap defence against cache poisoning attempts.
    unwanted-reply-threshold: 10000000
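The fragment above tunes the cache but does not say where unbound should listen or whom it may answer. By default it binds to 127.0.0.1 and refuses every non-localhost client, so VPN clients whose config points DNS at 10.200.200.1 would get REFUSED; at the other extreme, listening on all addresses without access-control turns the server into an open resolver. The drop-in below is an added example, not from the slides. It assumes the Debian/Ubuntu layout where /etc/unbound/unbound.conf includes /etc/unbound/unbound.conf.d/*.conf and where unbound-anchor has written the DNSSEC trust anchor to /var/lib/unbound/root.key.

```shell
#!/bin/sh
# Added example (not from the slides): an unbound drop-in that serves only the
# loopback and the WireGuard tunnel, with DNSSEC validation and the usual
# cache-poisoning hardening.
# Assumptions: Debian/Ubuntu unbound packaging (conf.d include, root.key path).
set -eu

# render_unbound_conf <listen_addr> <tunnel_net>
render_unbound_conf() {
  cat <<EOF
server:
    # Listen on loopback and the tunnel address only, never on the WAN side,
    # so the box does not become an open resolver.
    interface: 127.0.0.1
    interface: $1
    # Refuse everyone, then allow localhost and the tunnel. The most specific
    # netblock wins, and without the allow line tunnel clients get REFUSED.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: $2 allow
    # Do not answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes
    # DNSSEC validation (the "validating" in the slide) and poisoning hardening.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    # DNS rebinding protection: strip private addresses from answers for public names.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
EOF
}

main() {
  render_unbound_conf 10.200.200.1 10.200.200.0/24 > /etc/unbound/unbound.conf.d/wg0.conf
  unbound-checkconf          # stop here on a typo instead of restarting into a broken resolver
  systemctl restart unbound
}

# Usage:  sh unbound-wg0.sh apply
case "${1:-}" in
  apply) main ;;
esac
```

If the restart fails with an address-in-use error, another resolver (systemd-resolved's stub listener on 127.0.0.53, or dnsmasq) still owns port 53 on that address; disable it before retrying. Test from a connected client with dig @10.200.200.1 example.com and check that the ad flag is set, which confirms validation is actually happening.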
8.1 Client set up
Install WireGuard from https://www.wireguard.com/