Quick and Easy Wireguard VPN Explained

Michael Staggs
5 min read · Jun 3, 2022

So, you’ve heard about WireGuard and want to abandon your OpenVPN instance, or maybe you want to create your first VPN and find it all confusing? You’re not alone. Even the venerable Arch wiki doesn’t really explain things all that well. It claims there are tools to make it easier, but then you have to hunt for the commands to use those tools, and you don’t really know what they can accomplish in the first place.

You just want to be able to connect to your home network from whatever device you’re using when you’re not at home. If that’s you, then keep reading. I don’t know if this is the best or most efficient way, but I do know that if you follow these directions you’ll end up with a functioning VPN.

First, let me give a brief explanation of what we’re doing. When you create a VPN connection, you’re not really taking control of a computer on your home network and interacting with the other machines on the network as that computer. What you’re really doing is creating a secondary network, with that computer at home as the server and the device you’re using as a peer on that secondary network. That computer can still connect and function as normal on the primary network, but it’s also going to forward traffic to and from your device along that network as well. So, it’s kind of like both computers are using the same IP address on the local network at the same time. This will make more sense as we go along.

The first thing we’re going to do is give that computer on your local network the ability to forward your packets onto the local network and to forward traffic addressed to the device in your hand back to you. We do this by running:

sudo sysctl -w net.ipv4.ip_forward=1

While you’re setting your server up and testing it out, you may want to leave it like that: the setting does not survive a reboot, so if you somehow forward traffic you intended for that machine or make some other mistake, you can reboot, regain control of the machine, and try again. Once you’ve tested it out, add net.ipv4.ip_forward = 1 to /etc/sysctl.d/99-sysctl.conf. It’s OK if the file doesn’t exist already (it probably doesn’t); just create it and put that one line in it. Your computer will then be able to forward traffic even after a reboot.

The next thing you want to do is set up port forwarding on your router. A port is like a channel on a TV: each TV channel carries different traffic, and you can switch channels to receive different broadcasts. Every router is different, but essentially you want all traffic that comes in on one port to be sent to the one machine you want to connect to on your local network. We’re going to set up WireGuard to listen for traffic on that port, and that is how we’re going to make our VPN connection. You want to use a high number for the port (65535 or below, I think) so you don’t inadvertently use a port reserved for something else, so we’re going to use 58999. Do a quick Google search to figure out how to set that up on your router, do so, then come back here and continue.

Next, we’re going to generate key pairs. Key pairs are more secure than passwords and much harder to hack, but they serve the same purpose. You have a public key and a private key. If they match, you’re allowed access to the machine. You’re going to generate two key pairs: one for the server (the computer on your home network “serving” your traffic to the home network) and one for the peer (the client device you’re using while you’re away from home). You’re going to type these two commands, and they’re going to leave two private keys and two public keys in the directory you’re in, so make sure you run them in the place where you want to store them.

wg genkey | (umask 0077 && tee server.key) | wg pubkey > server.pub
wg genkey | (umask 0077 && tee client.key) | wg pubkey > client.pub

Those keys are just text files. You can cat server.key and see the key itself. The ones ending in .key are the private keys and the ones ending in .pub are the public keys. Now that we have those, we’re going to write a configuration file to set up our VPN. This will allow us to connect to our server from the internet on the port we forwarded and reach the home network through it. We’re going to call our VPN network wg0, and we’re going to type the following to create it:

sudo nano /etc/wireguard/wg0.conf

Once we do that, we’ll have a blank text editor page and we’ll type out the following:

[Interface]
Address = 10.200.0.1/24
ListenPort = 58999
PrivateKey = [PASTE CONTENTS OF server.key HERE]
[Peer]
PublicKey = [PASTE CONTENTS OF client.pub HERE]
AllowedIPs = 10.200.0.3/32

Type Ctrl+X to exit, answer yes to save it, and press Enter so it’s saved as /etc/wireguard/wg0.conf. Now that you have that, you can just type wg-quick up wg0 to bring the VPN up. You may want to automate that by copying wg-quick@.service to wg-quick@wg0.service (I found it in /usr/lib/systemd/system on my computer) and replacing every instance of %i with wg0. Then you can type systemctl enable wg-quick@wg0.service and it will start automatically at boot. Essentially, you’ve created a secondary network, given your server the IP address 10.200.0.1, and given the device you’re connecting with the address 10.200.0.3.

Now, on to the device you’re connecting with. For brevity’s sake, we’re just covering Android, but it should work similarly on other systems. Download the WireGuard app, add a new network (wg0), add the contents of client.pub as the public key, set the address to 10.200.0.3/32, and add a peer with server.pub as the public key, 0.0.0.0/0 as the allowed IPs, and the endpoint set to the internet IP address of your home network with :58999 right on the end to tell it which port to connect to. That’s all you have to do. Once you enable it, you should be connected to your home network and able to reach any computer on it using that machine’s local IP address on the primary network.
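To tie the server side and the phone side together, here is an added example (my own code, not the article’s) that writes both wg0.conf files from the four key files generated above and then checks a server/client pair for the mistakes that most often break a first setup: a malformed key, a private key pasted where a public key belongs, an endpoint port that doesn’t match ListenPort, and a server AllowedIPs that doesn’t cover the client address. It assumes only the Python 3 standard library; HOME_ENDPOINT is a placeholder for your home network’s public IP or DNS name, and fake_key produces constructed sample keys for demonstration, never for real use. Note that in the config file format each side’s [Interface] section carries its own private key (client.key on the phone); the app derives the matching public key from it.

```python
"""Build a matching WireGuard server/client config pair from the four key
files the article creates, and check a pair for common mismatches.
Added example, not the article's code. Python 3 standard library only; keys
are the base64 text written by `wg genkey` / `wg pubkey`."""
import base64
import ipaddress

HOME_ENDPOINT = "home.example.invalid"  # placeholder, replace with your own


def is_wg_key(text):
    """A WireGuard key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(text.strip(), validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def build_configs(server_key, server_pub, client_key, client_pub,
                  endpoint=HOME_ENDPOINT, port=58999,
                  server_addr="10.200.0.1/24", client_addr="10.200.0.3/32"):
    """Return (server_conf, client_conf). Each [Interface] gets its own
    private key (.key); the other side's public key (.pub) goes in [Peer]."""
    for name, key in (("server.key", server_key), ("server.pub", server_pub),
                      ("client.key", client_key), ("client.pub", client_pub)):
        if not is_wg_key(key):
            raise ValueError(f"{name} is not a valid WireGuard key")
    if not 1024 <= port <= 65535:  # unprivileged high port, as the article advises
        raise ValueError("port must be 1024..65535")
    server_conf = ("[Interface]\n"
                   f"Address = {server_addr}\n"
                   f"ListenPort = {port}\n"
                   f"PrivateKey = {server_key.strip()}\n\n"
                   "[Peer]\n"
                   f"PublicKey = {client_pub.strip()}\n"
                   f"AllowedIPs = {client_addr}\n")
    client_conf = ("[Interface]\n"
                   f"Address = {client_addr}\n"
                   f"PrivateKey = {client_key.strip()}\n\n"
                   "[Peer]\n"
                   f"PublicKey = {server_pub.strip()}\n"
                   "AllowedIPs = 0.0.0.0/0\n"
                   f"Endpoint = {endpoint}:{port}\n")
    return server_conf, client_conf


def parse_wg_conf(text):
    """Minimal wg-quick config parser: (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers


def check_pair(server_conf, client_conf):
    """Return a list of problems found in a server/client pair ([] if OK)."""
    s_if, s_peers = parse_wg_conf(server_conf)
    c_if, c_peers = parse_wg_conf(client_conf)
    if len(s_peers) != 1 or len(c_peers) != 1:
        return ["expected exactly one [Peer] section on each side"]
    s_peer, c_peer, problems = s_peers[0], c_peers[0], []
    fields = {"server PrivateKey": s_if.get("PrivateKey"),
              "server peer PublicKey": s_peer.get("PublicKey"),
              "client PrivateKey": c_if.get("PrivateKey"),
              "client peer PublicKey": c_peer.get("PublicKey")}
    for name, value in fields.items():
        if not value or not is_wg_key(value):
            problems.append(f"{name} missing or malformed")
    privs = {v for k, v in fields.items() if "Private" in k and v}
    pubs = {v for k, v in fields.items() if "Public" in k and v}
    if privs & pubs:  # the classic paste error: .key contents where .pub belongs
        problems.append("a private key was pasted where a public key belongs")
    listen = s_if.get("ListenPort")
    endpoint = c_peer.get("Endpoint", "")
    ep_port = endpoint.rsplit(":", 1)[-1] if ":" in endpoint else ""
    if not listen or ep_port != listen:
        problems.append(f"client Endpoint port {ep_port!r} != ListenPort {listen!r}")
    try:
        c_addr = ipaddress.ip_interface(c_if.get("Address", "")).ip
        allowed = [ipaddress.ip_network(n.strip()) for n in s_peer.get("AllowedIPs", "").split(",") if n.strip()]
        if not any(c_addr in net for net in allowed):
            problems.append("server AllowedIPs does not cover the client Address")
    except ValueError as exc:
        problems.append(f"bad address: {exc}")
    return problems


def fake_key(seed):
    """Constructed, deterministic sample key for demos; never use for real."""
    return base64.b64encode(bytes([seed]) * 32).decode()
```

In practice you would call build_configs with the text read from server.key, server.pub, client.key and client.pub, write the first result to /etc/wireguard/wg0.conf on the server, and import the second into the phone app (it reads the same file format); check_pair is for the case where you already wrote both files by hand and the tunnel won’t come up.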

I hope this helps.
