How to install and configure WireGuard – a new version of the implementation of VPN?

 

WireGuard — is a new implementation of VPN, combining the simplicity of implementation (about 4 thousand lines) with the full functionality of proven cryptographic algorithms. According to author Jason A. Donenfeld, the head of Edge Security and its security specialist, his implementation is devoid of the complications inherent in projects such as XFRM and OpenVPN. The WireGuard project has been developing for several years and has already passed the cryptography reviewing stage, which makes it possible to speak about its implementation in the core and public testing. After passing the test in the Linux kernel, it is supposed to port the developments into other OS. The code is distributed under the GNU GPLv2 license.

Tests have shown that WireGuard has 4 times better bandwidth and 3.8 times more responsive than OpenVPN (256-bit AES with HMAC-SHA2-256). WireGuard also outperforms IPsec in performance (256-bit ChaCha20 + Poly1305 and AES-256-GCM-128), but significant gains for IPsec are noticeable mainly in the area of reducing latency.

Below you will find a short guide to installing and configuring this VPN client (it is assumed that the server is already configured and has a public key, the only thing to it will be to add the peer section to the configuration file for the new client):

Consider with an example how to use a WireGuard-based  P2P VPN tunnel between two boxes in different networks and hidden behind routers / firewalls that are connected to the Internet to access each other. For example, with the goal of using each other’s tuners.

For this example, the following network configuration:

Network A will have an address of 10.10.0.0/24 and will contain Box A.

Network B will have an address of 10.10.1.0/24 and will contain Box B.

Box A – will act as a server and a router behind which it is hidden – Router A – must have a static white IP-address, in our example it is 82.19.23.1. The internal IP-address of the router is 10.10.0.1, respectively, and the internal address of the Box A built-in local interface is 10.10.0.2 with a network mask of 255.255.255.0.

Box B – will act as a client and a router behind which it is hidden – Router B – may have a dynamic IP-address, in our example it is x.x.x.x. The IP-address address of the router is 10.10.1.1, respectively, and the internal address of the Box B embedded local interface is 10.10.1.2 with a network mask of 255.255.255.0.

The diagram also shows the VPN tunnel that we will create with different IP-addresses indicated at its ends on network A and network B (note that the address of the virtual network interface (wg0) of the tunnel does not have to match the address of the physical local network interface (eth0)).

NOTE!

Despite the client-server building scheme, there will be access from both the client to the server and the server to the client, but one-way access can be configured.

1. On each box (Box A and Box B) we must install the required packages for WireGuard, for which we use telnet and execute the commands in the console:

opkg update && opkg install wireguard-tools

2. Next, create for each box  (Box A и Box B) a private key and public key  with the following command:

umask 077 && printf "" | tee /etc/wireguard/privatekey > /dev/null
wg genkey | tee -a /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

3. Configure the Box A (server):

  • Create a configuration file /etc/wireguard/wg0.conf on Box A (server) with the following content:

 

[Interface]
PrivateKey = "here we indicate the private key of the server /etc/wireguard/privatekey without quotes"
ListenPort = 21820

[Peer]
PublicKey = "here we indicate the client public key from /etc/wireguard/publickey without quotes"
AllowedIPs = 10.100.0.0/24
  • Add the following section to the end of the /etc/network/interfaces on the Box A (server):

 

  • auto wg0
    iface wg0 inet static
        address 10.100.0.1
        netmask 255.255.255.0
        pre-up ip link add $IFACE type wireguard
        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
        post-down ip link del $IFACE

4. Configure the Box B (client):

  • Create a configuration file /etc/wireguard/wg0.conf on Box B (client) with the following content:
[Interface]
PrivateKey = "here we indicate the private key of the client /etc/wireguard/privatekey without quotes "

[Peer]
PublicKey = "here we indicate the server public key from /etc/wireguard/publickey without quotes"
Endpoint = 82.19.23.1:21820
AllowedIPs = 10.100.0.0/24
PersistentKeepalive = 25

Notes:

Endpoint – the external IP address and port of Router A in which you need to forward the port to your server Box A. If you use DynDNS or a similar service, you can use the name of your server my_domein.dyndns.org, etc., instead of the IP address.

The PersistentKeepalive parameter is specified in seconds and is responsible for regularly sending a keepalive packet, since client is behind NAT, and the wireguard feature in its laconicism, it does not send any packets, and if you do not specify this parameter, then if there is no traffic in the tunnel, the port mapping in NAT will disappear on timeout and the server will not be able to reach the client if you need that to pass on.

  • Add the following section to the end of the /etc/network/interfaces on the Box B (client):
auto wg0
iface wg0 inet static
    address 10.100.0.2
    netmask 255.255.255.0
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    post-up ip route add 10.10.0.0/24 via 10.100.0.1
    pre-down ip route delete 10.10.0.0/24 via 10.100.0.1
    post-down ip link del $IFACE

5. Reboot the box and enjoy the new high-speed VPN.

NOTICE!

After adding sections to the end of the /etc/network/interfaces file, when changing network settings using the enigma2 OSD interface, these sections will be erased and you will need to add them in a new way, later we will try to add a patch to the enigma2 code so that these sections are not erased.