Skip to content

Instantly share code, notes, and snippets.

@qdm12

qdm12/readme.md

Last active April 8, 2024 08:45
Show Gist options
  • Save qdm12/35ab96d6be470ce7a4314722a55a1859 to your computer and use it in GitHub Desktop.
Save qdm12/35ab96d6be470ce7a4314722a55a1859 to your computer and use it in GitHub Desktop.
Download ZIP
Wireguard setup for Ubuntu server with LAN access
Raw
readme.md

Wireguard setup for LAN access

Assumptions

  • The network 192.168.1.0/24 is your LAN
  • Your Ubuntu server is on your LAN at 192.168.1.10, through the network interface eth0
  • The network 192.168.5.0/24 is non existent
  • Your LAN DNS is at 192.168.1.1

Server installation

  1. Ensure IPv4 forwarding is enabled

    sysctl -w net.ipv4.ip_forward=1

  2. You might need to allow the VPN server port UDP 51820:

    sudo ufw allow 51820/udp
sudo ufw enable

  3. Install Wireguard Kernel modules and CLI tools

    sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install -y wireguard

  4. Create the VPN interface configuration file

    sudo nano /etc/wireguard/wg0.conf

    with the following content

    [Interface]
Address = 192.168.5.1
ListenPort = 51820
PrivateKey = <server private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Your first client
PublicKey = <client 1 public key>
AllowedIPs = 192.168.5.2/32

# [Peer]
# Your second client
# PublicKey = <client 2 public key>
# AllowedIPs = 192.168.5.3/32

  5. Generate a keypair on the server

    privateKey=`wg genkey`
publicKey=`echo "$privateKey" | wg pubkey`
echo "Private Key: $privateKey"
echo "Public Key: $publicKey"
unset -v privateKey

  6. Copy the private key into /etc/wireguard/wg0.conf in the [Interface] section, replacing <server privatekey>

  7. On your client, generate a key pair (see comment below to know how), and copy the client public key to the server's /etc/wireguard/wg0.conf in the [Peer] section and replace <client 1 public key>.

  8. Finally, launch the interface on the server

    wg-quick up wg0

    If it complains about Wireguard not being a type of interface, you can try modprobe wireguard or you will have to reboot your server to load the new Kernel module.

    You can remove the VPN interface with wg-quick down wg0.

  9. On your client, use this configuration

    [Interface]
Address = 192.168.5.2
PrivateKey = <client 1 auto generated private key>
DNS = 192.168.1.1

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.1.10:51820
PersistentKeepalive = 25

    And replace <server public key> with the public key you generated.

  10. You can try now to connect, it should take 3-5 seconds to connect.

  11. To access from outside, port forward for example port UDP 443 to 192.168.1.10:51820 and change the client endpoint to :443

@jonchancode
Copy link

Ah interesting, yeah, looks like it works the same for me too (can access externally, but not internally). I'll post back here if I find an answer. Thanks for the response!

Copy link

ghost commented Oct 1, 2021

If Wireguard is running on the server change your CLIENT CONFIG from AllowedIPs = 0.0.0.0/0 to AllowedIPs=192.168.0.0/24.
If Wireguard is running in Docker do the same but be aware that: If your Wireguard server is a container on your server, when your clients connect and try to traverse the LAN their traffic will be routed through the Docker network subnet where that container lives... Makes sense now but took digging through UFW logs to find out why I couldn't SSH to my server.

@Mladia
Copy link

Mladia commented Jan 11, 2023

That's right. UFW block network traffic from the docker container, since it comes from a different subnet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment