Build a VPN tunnel to the local network using "WireGuard"

0 votes
asked Jul 20, 2022 in 3D Segmentation by vpnheroes (120 points)
edited Aug 9, 2022 by vpnheroes

Secure remote access to services on the local network.

VPN (Virtual Private Network) is a generic name for technologies that allow you to provide one or more network connections (a logical network) on top of another network (for example, the Internet).

Wikipedia

The most popular open source solutions for building virtual private networks are "OpenVPN" and "IPSec". The release of the Linux kernel 5.6, which took place on March 30, 2020, included another implementation of VPN technology - "WireGuard". This is a young project that is gaining popularity.

The main advantages of "WireGuard":

·         High performance

·         Easy setup

·         Modern cryptography

·         Quality code

In this tutorial, we will configure a VPN tunnel to the local network using WireGuard and provide access from the Internet to the LAN nodes from various devices.

Addressing in the LAN is 192.168.100.0/24; the VPN network will be assigned the range 10.0.0.0/24.

Configuring the Server

A VPS will be required to host the server. When choosing one, pay attention to the virtualization technology: KVM is preferable, XEN is acceptable, but OpenVZ should be avoided. The reason is that WireGuard is implemented as a kernel module, and the kernel in OpenVZ is very old. I will use the cheapest virtual server with the Ubuntu 20.04 operating system (KVM, 512 MB RAM, 20 GB SSD, 1 CPU - this configuration is quite suitable).

Log in to the server with root privileges and run the following commands:

# install WireGuard
apt update && apt upgrade
apt install wireguard

# allow packet forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

# generate keys for the server (umask 077 keeps the private key file readable by root only)
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

 

Let's create a configuration file /etc/wireguard/wg0.conf with the following content:

[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

 

PostUp/PostDown parameters contain iptables rules that will be applied when the service starts/stops. Note the name of the network interface - it must match the public network adapter, in my case it is eth0. You can display a list of adapters by:

ip a

Pick out the adapter with the external IP address from the list. <SERVER_PRIVATE_KEY> - replace with the contents of the /etc/wireguard/privatekey file.

 

Let's launch the VPN service and add it to the startup:

wg-quick up wg0
systemctl enable wg-quick@wg0

 

Let's make sure that the service started correctly:

root@wg-server:/etc/wireguard# wg show wg0
interface: wg0
  public key: <SERVER_PUBLIC_KEY>
  private key: (hidden)
  listening port: 51820

 

Configuring the Client on the LAN

 

If your router supports WireGuard (Zyxel KeeneticOS >=3.3, Mikrotik RouterOS >=7.1beta2, OpenWRT) – you can configure the VPN client directly on it. I will use the Ubuntu 20.04 server (local address 192.168.100.7) for this purpose.

The first stage of configuration is similar to the server configuration. Run with root-user rights:

# install WireGuard
apt update && apt upgrade
apt install wireguard

# allow packet forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

# generate keys for the client (umask 077 keeps the private key file readable by root only)
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

 

Edit /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <PEER_LAN_PRIVATE_KEY>
Address = 10.0.0.2/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 20

 

<PEER_LAN_PRIVATE_KEY> - replace with the contents of /etc/wireguard/privatekey, <SERVER_PUBLIC_KEY> - with /etc/wireguard/publickey from the server, <SERVER_IP> - with the external IP address of the server. The iptables rules in PostUp/PostDown are necessary for our client to act as a gateway into the LAN. In the rules, specify the network interface to which the local address is assigned (192.168.100.7; in my case it is wlp2s0). Find it by executing the command:

ip a

The AllowedIPs parameter specifies the addresses that will be routed through the VPN interface. The PersistentKeepalive field is the interval, in seconds, at which the availability of the connection is checked. Start the service and add it to the startup:

Source: https://vpnheroe.com
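The post stops before the server-side [Peer] entries, which are what actually admit the two clients and route 192.168.100.0/24 through the LAN gateway. As an added example that is not part of the original post or of WireGuard, the script below renders all three configuration files for the topology described above (VPS server, LAN gateway at 192.168.100.7, and a roaming laptop or phone) and includes a small check that reads back what each peer is allowed to send. Values not taken from the post are assumptions: the roaming client's tunnel address 10.0.0.3, eth0 as the public adapter on the VPS, the documentation address 203.0.113.10 as a sample server IP, and a per-peer PresharedKey (wg genpsk) added as hardening. The placeholder keys are constructed and will not load; run the script on a machine with wg installed to get real ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from WireGuard. It renders the
# three configs the post's topology needs: the post stops before the server-side
# [Peer] blocks, and the LAN is only reachable if the LAN gateway's peer entry lists
# 192.168.100.0/24 in AllowedIPs. Assumed (not from the post): roaming client at
# 10.0.0.3, eth0 as the VPS public NIC, one PresharedKey per peer pair.

LAN_NET="192.168.100.0/24"; VPN_NET="10.0.0.0/24"; WG_PORT="51820"
SERVER_VPN_IP="10.0.0.1"; LAN_GW_VPN_IP="10.0.0.2"; ROAMING_VPN_IP="10.0.0.3"

# VPS config. Args: server private key, LAN gateway public key, roaming client
# public key, PSK for the LAN gateway, PSK for the roaming client, public NIC.
render_server_conf() {
  cat <<EOF
[Interface]
Address = ${SERVER_VPN_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $6 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $6 -j MASQUERADE

# LAN gateway: wg-quick routes ${LAN_NET} into wg0 and cryptokey routing sends it here
[Peer]
PublicKey = $2
PresharedKey = $4
AllowedIPs = ${LAN_GW_VPN_IP}/32, ${LAN_NET}

# Roaming client: may only send from its own tunnel address
[Peer]
PublicKey = $3
PresharedKey = $5
AllowedIPs = ${ROAMING_VPN_IP}/32
EOF
}

# LAN gateway config. Args: own private key, server public key, PSK, server IP,
# LAN-side NIC. MASQUERADE makes LAN hosts see tunnel traffic as coming from the
# gateway itself, so they need no static route back to ${VPN_NET}.
render_lan_gateway_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = ${LAN_GW_VPN_IP}/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $5 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $5 -j MASQUERADE

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $4:${WG_PORT}
AllowedIPs = ${VPN_NET}
PersistentKeepalive = 20
EOF
}

# Roaming client config. Args: own private key, server public key, PSK, server IP.
# Only the VPN range and the LAN go into the tunnel (no 0.0.0.0/0 full tunnel).
render_roaming_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = ${ROAMING_VPN_IP}/32

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $4:${WG_PORT}
AllowedIPs = ${VPN_NET}, ${LAN_NET}
PersistentKeepalive = 25
EOF
}

# peer_allowed_ips CONFIG_TEXT PUBLIC_KEY: print the AllowedIPs of the [Peer] whose
# PublicKey matches, to review what a peer may send before loading the file.
peer_allowed_ips() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^\[Peer\]/      { pk = "" }
    /^PublicKey *=/  { sub(/^PublicKey *= */, ""); pk = $0 }
    /^AllowedIPs *=/ { sub(/^AllowedIPs *= */, ""); if (pk == want) { print; exit } }'
}

# Stand-alone run: real keys when wg is installed, otherwise constructed placeholders
# that will not load. Redirect each block into that machine's /etc/wireguard/wg0.conf.
if command -v wg >/dev/null 2>&1; then
  S_PRIV=$(wg genkey); S_PUB=$(printf '%s' "$S_PRIV" | wg pubkey)
  G_PRIV=$(wg genkey); G_PUB=$(printf '%s' "$G_PRIV" | wg pubkey)
  R_PRIV=$(wg genkey); R_PUB=$(printf '%s' "$R_PRIV" | wg pubkey)
  G_PSK=$(wg genpsk); R_PSK=$(wg genpsk)
else
  S_PRIV="<SERVER_PRIVATE_KEY>"; S_PUB="<SERVER_PUBLIC_KEY>"; G_PSK="<LAN_PSK>"
  G_PRIV="<PEER_LAN_PRIVATE_KEY>"; G_PUB="<PEER_LAN_PUBLIC_KEY>"; R_PSK="<ROAMING_PSK>"
  R_PRIV="<ROAMING_PRIVATE_KEY>"; R_PUB="<ROAMING_PUBLIC_KEY>"
fi
SERVER_IP="${SERVER_IP:-<SERVER_IP>}"   # e.g. SERVER_IP=203.0.113.10 sh this-script.sh
echo "### server wg0.conf";      render_server_conf "$S_PRIV" "$G_PUB" "$R_PUB" "$G_PSK" "$R_PSK" eth0
echo "### LAN gateway wg0.conf"; render_lan_gateway_conf "$G_PRIV" "$S_PUB" "$G_PSK" "$SERVER_IP" wlp2s0
echo "### roaming client wg0.conf"; render_roaming_conf "$R_PRIV" "$S_PUB" "$R_PSK" "$SERVER_IP"
```

The AllowedIPs on the server side is the access-control decision: the LAN gateway peer is the only one allowed to source packets from 192.168.100.0/24, and the roaming client only from 10.0.0.3, so a compromised roaming key cannot impersonate a LAN host. Once the interfaces are up, "wg show wg0 allowed-ips" on the VPS should list the same prefixes the script renders, and "wg show wg0 latest-handshakes" should show a recent timestamp for the gateway peer before a LAN host such as 192.168.100.7 will answer a ping from the roaming client.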

1 Answer

0 votes
answered Jan 27, 2023 by mohtasham (140 points)

"Freebestvpn.com offers top-notch virtual private network services to protect your online privacy and enhance your internet security. Our VPN encrypts your data and hides your IP address, allowing you to browse the web anonymously and access blocked content. With Freebestvpn.com, you can enjoy fast and stable connections on all your devices. Try our VPN today and experience a safer and more secure online experience. Visit freebestvpn.com to learn more and sign up."
