Protect Your Network
Why Wireguard?
I was completely unaware that this even existed out there. A friend of mine over at Digital Metaverse shared this with me and I was all about it. I use it in the traditional sense that most people do, but took it a step further by combining it with HA Proxy and forwarding my website traffic from Cloudflare to my Wireguard server so I can restrict traffic from the outside world. The original source of the information can be found here on Lawrence System’s Forum.
Digital Ocean or another Cloud Provider
The first step is to create an account with a VPS (I used Digital Ocean) and configure the Virtual Machine for traffic ingress. There are many tutorials on this (Link below), so I won’t go over this.
How to Create a Droplet from the DigitalOcean Control Panel :: DigitalOcean Product Documentation
You can use any other cloud provider and accomplish the same thing with AWS or Google, although tread carefully.
Installing Wireguard on your cloud droplet / instance
This tutorial was created and tested using Ubuntu 20.10 on Digital Ocean. It will likely work fine with other distributions but some modifications may be needed.
Server Side Setup
Create a new droplet using Ubuntu 20.10 and choose the region you prefer.
Log into the server and make sure the system is up to date:
apt-get update && apt-get upgrade
Reboot if there are updates that require it.
Next we need to enable IP forwarding. IP forwarding is the ability of an operating system to accept incoming network packets on one interface, recognize that they are not meant for the system itself, and pass them on to another network. Edit /etc/sysctl.conf and uncomment the line that reads net.ipv4.ip_forward=1
Now reboot, or run
sysctl -p
to activate the changes.
Install Wireguard:
apt-get install wireguard
You can either navigate to the Wireguard config directory (cd /etc/wireguard) and run the command below there to generate the server's public and private keys, or do it in the opt directory, which is what I am going to do:
mkdir /opt/wireguard
cd /opt/wireguard
Then run the command below:
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
Then run
cat privatekey
and copy it so we can put it into the server config file.
Create /etc/wireguard/wg0.conf:
nano /etc/wireguard/wg0.conf
Here is an example of a basic configuration to get up and running.
[Interface]
PrivateKey = <Your Private Key Goes Here>
Address = 192.168.69.1/24 # Can be private IP you choose
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Note: We will be adding peers later.
To test that the server works, run
wg-quick up wg0
to bring up the interface. Running
wg-quick down wg0
will bring the interface down.
If you want the wg0 interface to be active on boot you need to run
systemctl enable wg-quick@wg0
Then you can use
systemctl start wg-quick@wg0
to start the server,
systemctl stop wg-quick@wg0
to stop the server and
systemctl status wg-quick@wg0
to check the status.
Client Side Setup (Debian Based Linux client)
Install Wireguard:
apt-get install wireguard
Just like on the server, you can either navigate to the Wireguard config directory (cd /etc/wireguard) and run the command below there to generate the client's public and private keys, or do it in the opt directory, which is what I am going to do:
mkdir /opt/wireguard
cd /opt/wireguard
Then run the command below:
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
Then run
cat privatekey
and copy it so we can put it into the client config file.
Create /etc/wireguard/vpn.conf (name it whatever you want within reason):
vim /etc/wireguard/vpn.conf
[Interface]
PrivateKey = <Your Private Key Goes Here>
Address = 192.168.69.2/24
Run
wg-quick up vpn
to make sure the interface comes up, then run
wg-quick down vpn
to take the interface down.
Getting the Wireguard Systems Talking
On the Ubuntu Digital Ocean server / cloud hosted server, edit /etc/wireguard/wg0.conf and add the peer information.
[Interface]
Address = 192.168.69.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <This Ubuntu Servers Private Key>
[Peer]
# Test Debian Client
PublicKey = <The Public Key of the Debian Client>
AllowedIPs = 192.168.69.2/32
PersistentKeepalive = 25
On the Debian Linux client, edit /etc/wireguard/vpn.conf and add the peer information.
[Interface]
PrivateKey = <This Debian Client Private Key Goes Here>
Address = 192.168.69.2/24
[Peer]
# Ubuntu Digital Ocean Server / Cloud Hosted Server
PublicKey = <Public Key From Ubuntu Digital Ocean Server>
Endpoint = <Public IP of Ubuntu Digital Ocean Server>:51820
AllowedIPs = 0.0.0.0/0 # Forward all traffic to server
Once both sides have been completed and Wireguard restarted on both sides, the systems should be able to communicate. First test from the Debian client by running
ping 192.168.69.1
to make sure the tunnel is working, then try getting out to the internet by running
ping 1.1.1.1
on the Debian client and confirm a response.
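The step above that is easiest to get wrong is the cross-wiring of keys: each side's [Peer] PublicKey must be the one derived from the other side's PrivateKey, and pasting a private key where a public key belongs fails silently until the handshake never completes. As an added example that is not part of the original post, the following Python re-implements what `wg pubkey` does (X25519 per RFC 7748) and uses it to check a server/client config pair like the ones above. The keys are the RFC 7748 test vectors rather than real keys, the Endpoint 203.0.113.10 is a documentation placeholder, and the parser only handles a single [Peer] section as shown on this page.

```python
import base64, re
P = 2**255 - 19  # Curve25519 field prime

def x25519(k: int, u: int) -> int:
    """RFC 7748 section 5 Montgomery ladder: scalar k times the point with u-coordinate u."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap != kt:  # conditional swap whenever the key bit changes
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P
def wg_pubkey(private_b64: str) -> str:
    """Same result as `wg pubkey`: clamp the 32 scalar bytes, multiply the base point u=9."""
    k = bytearray(base64.b64decode(private_b64))
    assert len(k) == 32, "WireGuard keys are 32 bytes"
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # RFC 7748 clamping, exactly as wg does
    return base64.b64encode(x25519(int.from_bytes(k, "little"), 9).to_bytes(32, "little")).decode()
def parse_wg_conf(text: str) -> dict:  # this page's [Interface]/[Peer] layout, one peer, '#' comments dropped
    section, out = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = out.setdefault(m.group(1), {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")  # split on the first '=' only: base64 keys end in '='
            section[key.strip()] = val.strip()
    return out
def peers_match(conf_a: str, conf_b: str) -> bool:
    """True only if each side's [Peer] PublicKey derives from the other side's PrivateKey."""
    a, b = parse_wg_conf(conf_a), parse_wg_conf(conf_b)
    return (a["Peer"]["PublicKey"] == wg_pubkey(b["Interface"]["PrivateKey"])
            and b["Peer"]["PublicKey"] == wg_pubkey(a["Interface"]["PrivateKey"]))

def b64(h: str) -> str: return base64.b64encode(bytes.fromhex(h)).decode()  # RFC lists hex, wg prints base64
# Constructed sample: RFC 7748 section 6.1 test vectors stand in for `wg genkey` output (not real keys).
SERVER_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUB = b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
CLIENT_PRIV = b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_PUB = b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SERVER_CONF = f"[Interface]\nPrivateKey = {SERVER_PRIV}\nAddress = 192.168.69.1/24\n[Peer] # Debian client\nPublicKey = {CLIENT_PUB}\nAllowedIPs = 192.168.69.2/32\n"
CLIENT_CONF = f"[Interface]\nPrivateKey = {CLIENT_PRIV}\nAddress = 192.168.69.2/24\n[Peer]\nPublicKey = {SERVER_PUB}\nEndpoint = 203.0.113.10:51820\nAllowedIPs = 0.0.0.0/0\n"
```

Point peers_match at the real wg0.conf and vpn.conf contents (read from files on each host) before bringing the tunnel up; a False result means a key was pasted into the wrong place.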
Turning on the UFW firewall on the server
It is easy to enable the UFW firewall, but there are a few ports we need to open first: port 22 TCP for SSH management and 51820 UDP for Wireguard. To do this simply:
ufw allow 22/tcp
ufw allow 51820/udp
ufw allow http/tcp    <– Not required (for proxy to internal server)
ufw allow https/tcp   <– Not required (for proxy to internal server)
ufw enable
Add other or change ports if needed for your configuration.
This completes the installation. I took it a step further and integrated this with pfSense so I could tunnel traffic that is proxied from Cloudflare -> to the Wireguard server running HA Proxy -> to my pfSense running HA Proxy -> to my backend servers. I have a lot of protection running in front of my internal servers. This allows me to really lock my firewall down by restricting HTTPS traffic to only be allowed in from my VPS server that is hosted in Digital Ocean.
You can follow Adding HA Proxy to Wireguard to proxy Network Traffic from my own personal VPS
Below is a good video and the source of the information.