[VPN] How to use wireguard VPN to connect back home


Scenario

Be able to connect to a home device that sits behind a NAT router (the ISP internet box).

In this case the target device is an IP camera.

A Raspberry Pi serves as the VPN endpoint at home and as a reverse proxy to the camera.

A VPS serves as the publicly reachable connection point; remember to open the correct ports on the VPS, as both its firewall and its security groups must allow the traffic. Testing connectivity before configuring the VPN can avoid long headaches.

Server endpoint

By convention the IP x.x.x.1 is used for the server.

# run as root; priv.key never leaves this host, only pub.key is handed to the peer
# (the wg man page recommends running umask 077 first so priv.key is not world-readable)
wg genkey > priv.key
wg pubkey < priv.key > pub.key
ip link add dev wg0 type wireguard
ip address add 10.0.0.1/24 dev wg0
wg set wg0 private-key priv.key listen-port 51820
ip link set wg0 up
# allowed-ips is the VPN address of the *peer* (the client is 10.0.0.2), not the server's own 10.0.0.1;
# no endpoint is needed here: the client sits behind NAT and the server learns its address from the first handshake
wg set wg0 peer CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2/32

Client endpoint

For ease of understanding, the interface is named wg1 on this device; note that the main change is the IP.

wg genkey > priv.key
wg pubkey < priv.key > pub.key
ip link add dev wg1 type wireguard
ip address add 10.0.0.2/24 dev wg1
wg set wg1 private-key priv.key listen-port 51820
ip link set wg1 up
# allowed-ips is the server's VPN address; the endpoint is the VPS's public IP and the port it listens on
wg set wg1 peer SERVER_PUBLIC_KEY allowed-ips 10.0.0.1/32 endpoint SERVER_IP:51820

Troubleshooting

# status: handshakes, transfer counters and the configured peers
wg show
# test connectivity from the client to the server
ping 10.0.0.1
# bring down the link
ip link set wg0 down
# delete the interface and all its settings
ip link del dev wg0

Plan B

Often I mess things up configuring VPNs and I like being able to quickly bring up and down interfaces. For this purpose, I find it most convenient to use configuration files.

For instance, the following files give a working setup. Configuration files must end with the .conf suffix and be placed in the folder /etc/wireguard; wg-quick names the interface after the file, so server.conf brings up an interface called server.

# /etc/wireguard/server.conf
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.0.0.1/32
ListenPort = 51820
# Only required in some circumstances (forwarding between peers or out to the internet).
# %i is replaced by wg-quick with this interface's name ("server" for server.conf); a hard-coded wg0 would not match.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Each peer needs its own key pair and its own /32
[Peer]
PublicKey = PEER1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = PEER2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

With the above file in place, the interface is brought up with

wg-quick up server

For the client a simple configuration like this can be used:

# /etc/wireguard/laptop.conf
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32
# DNS = 1.1.1.1   # optional; 8.8.8.8 also works

[Peer]
PublicKey = SERVER_PUBLIC_KEY
# Forward all traffic through the tunnel; alternatively 10.0.0.0/8 could be used to forward only VPN related IPs
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER_IP:51820
# This setting allows the VPN to stay up behind NAT with low traffic
# (the WireGuard documentation suggests 25 seconds, since some NAT devices drop idle UDP mappings sooner)
PersistentKeepalive = 60

With this file the client comes up with

wg-quick up laptop

Bonuses

When playing around with VPNs I often find these settings useful.

# Enable IP forwarding, needed on the server whenever it forwards traffic between peers or to the internet;
# sysctl echoes the setting, so piping it into a sysctl.d file makes it persistent across reboots
sysctl net.ipv4.conf.all.forwarding=1 | tee -a /etc/sysctl.d/forwarding.conf
# masquerade traffic leaving through the uplink so replies find their way back into the tunnel
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Make another IP reachable through a port forward on the Pi: connections to the Pi's port 8888
# land on the camera's port 80 (forwarding must be enabled on the Pi as well)
DST="192.168.1.38"
PORT="80"

sudo iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination $DST:$PORT
# After the DNAT the destination port is already $PORT, so match on that. MASQUERADE rewrites the source to the
# Pi's own address so the camera sends its replies back via the Pi; SNAT --to-source $DST would be wrong, as $DST is the camera.
sudo iptables -t nat -A POSTROUTING -p tcp -d $DST --dport $PORT -j MASQUERADE
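
As an added example (not code from the original post), a POSIX shell script that renders the VPS and Raspberry Pi files from the Plan B and Bonuses sections consistently: on the server each peer's AllowedIPs is that peer's own /32, PostUp uses wg-quick's %i placeholder instead of a hard-coded wg0, and the camera port forward is bound to the tunnel interface. Public keys, the VPS endpoint and the camera address are passed as arguments; the output directory, the laptop's 10.0.0.3 address and the /24 interface addresses are assumptions, and the laptop file itself follows laptop.conf above and is not rendered.

```shell
#!/bin/sh
# Renders wg-quick configs for the three hosts of this setup: the VPS server (10.0.0.1),
# the Raspberry Pi behind NAT in front of the camera (10.0.0.2) and a laptop (10.0.0.3).
# Public keys are passed in, so the script runs without wireguard-tools; private keys are
# left as placeholders so they never end up in shell history. Both the VPS and the Pi
# need forwarding enabled (sysctl, see Bonuses) and a FORWARD policy that accepts.
set -eu

# render_confs OUTDIR SERVER_ENDPOINT SERVER_PUB PI_PUB LAPTOP_PUB CAMERA_IP CAMERA_PORT
render_confs() {
  out=$1 endpoint=$2 srv_pub=$3 pi_pub=$4 lap_pub=$5 cam=$6 camport=$7
  mkdir -p "$out"
  # Server: each peer's AllowedIPs is that peer's own /32, never the server's address.
  cat > "$out/server.conf" <<EOF
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
# %i is expanded by wg-quick to the interface name taken from the file name ("server")
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

[Peer]
PublicKey = $pi_pub
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = $lap_pub
AllowedIPs = 10.0.0.3/32
EOF
  # Pi: keepalive holds the NAT mapping open; DNAT on the tunnel interface exposes the
  # camera as 10.0.0.2:8888 and MASQUERADE makes the camera answer back through the Pi.
  cat > "$out/pi.conf" <<EOF
[Interface]
PrivateKey = PI_PRIVATE_KEY
Address = 10.0.0.2/24
PostUp = iptables -t nat -A PREROUTING -i %i -p tcp --dport 8888 -j DNAT --to-destination $cam:$camport; iptables -t nat -A POSTROUTING -d $cam -p tcp --dport $camport -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i %i -p tcp --dport 8888 -j DNAT --to-destination $cam:$camport; iptables -t nat -D POSTROUTING -d $cam -p tcp --dport $camport -j MASQUERADE

[Peer]
PublicKey = $srv_pub
# Only the VPN subnet is routed into the tunnel; the Pi's other traffic stays on the LAN
AllowedIPs = 10.0.0.0/24
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}
# Run with the seven arguments to write the files; without arguments only the function is defined.
if [ "$#" -ge 7 ]; then render_confs "$@"; fi
```

Copy the rendered files to /etc/wireguard on the respective hosts, fill in the private keys, and bring them up with wg-quick up server and wg-quick up pi.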

Comments

hotshot bald cop 5 months, 1 week ago

Right on my man!

Eula 5 months ago

Howdy! This is my first comment here so I just wanted
to give a quick shout out and tell you I genuinely enjoy reading through your articles.
Can you recommend any other blogs/websites/forums that cover
the same topics? Appreciate it!

Tommie 5 months ago

Howdy, I read your blog occasionally and I own a similar one, and
I was just curious if you get a lot of spam comments?
If so, how do you stop it? Any plugin or anything you can recommend?
I get so much lately it's driving me mad, so any help
is very much appreciated.

hotshot bald cop 5 months ago

That's an awesome point

Shauna 4 months, 4 weeks ago

That's a great point