Ubuntu Desktop as WireGuard VPN client configuration

From Thomas-Krenn-Wiki

VPNs (Virtual Private Networks) allow encrypted access from one computer via the Internet to another computer or network. In this article we show how to connect via WireGuard to a central OPNsense-based firewall, using an Ubuntu 20.04 and 18.04 LTS desktop client computer as the example. The installation and configuration of an OPNsense firewall is explained in the Wiki article OPNsense WireGuard VPN for Road Warrior configuration.

Installation

With Ubuntu 20.04, WireGuard is already included in the Universe package sources,[1] so you can install it directly with the following command:[2]

$ sudo apt install wireguard

To install on Ubuntu releases up to 18.04, run the following commands:[3]

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt update
$ sudo apt install wireguard

This will install the wireguard, wireguard-dkms and wireguard-tools packages.

Configuration

The following section shows the configuration of a WireGuard client under Ubuntu 20.04 and 18.04.2 LTS.

Create a WireGuard private and public key for the Ubuntu client

For a successful connection, each participant in a WireGuard VPN needs its own private and public key. You can create these conveniently with the following commands. The umask is set to 077 so that the generated key files are readable only by their owner (root) and by no other user.

$ sudo -i
# cd /etc/wireguard
# umask 077
# sudo wg genkey > private-key
# sudo wg pubkey > public-key < private-key

Create permanent configuration

This section describes how to create a permanent configuration that survives a restart.

For example, use the editor vim to create the new file wg0.conf:

$ sudo vi /etc/wireguard/wg0.conf

Now add the following lines to this file. You can then save and exit vim with :x. For a better understanding, the individual lines are described by inline comments; wg-quick treats everything after a # as a comment.

[Interface]
Address = <Configured client IP>/<Netmask>    # For example "10.11.0.20/32"
PrivateKey = <Private Key of the client>

[Peer]
PublicKey = <Public Key of the OPNsense WireGuard instance>
AllowedIPs = <Networks to which this client should have access>/<Netmask>
             # For example "10.11.0.0/24, 192.168.1.0/24"
             #               |             |
             #               +--> The network range of the OPNsense WireGuard VPN
             #                             |
             #                             +--> Network behind the firewall
Endpoint = <Public IP of the OPNsense firewall>:<WireGuard Port>
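Before the service is enabled it is worth linting wg0.conf for the mistakes a first draft typically contains: C-style comments, a misspelled section name, unreplaced placeholders instead of keys, or a file that other users can read. The following POSIX shell script is an added example and not part of the original article; it assumes GNU stat (as on Ubuntu) and uses constructed sample configs with a dummy key and a documentation address.

```shell
#!/bin/sh
# Lint a wg-quick client configuration before enabling wg-quick@wg0.service.
# Usage: check_wg_conf /etc/wireguard/wg0.conf  -> returns 0 when clean, 1 otherwise.
check_wg_conf() {
    conf="$1"; rc=0
    # Only '#' starts a comment in a wg-quick file; a '//' remark is handed to
    # the parser as part of the value and makes the service fail to start.
    bl=$(grep -vn '^[[:space:]]*#' "$conf" | grep '//' | cut -d: -f1 | tr '\n' ' ')
    [ -z "$bl" ] || { echo "found '//' on line(s) $bl: only '#' starts a comment"; rc=1; }
    grep -qx '\[Interface\]' "$conf" || { echo "missing [Interface] section"; rc=1; }
    grep -qx '\[Peer\]' "$conf" || { echo "missing [Peer] section (it is [Peer], not [Peers])"; rc=1; }
    for k in Address PrivateKey PublicKey AllowedIPs Endpoint; do
        grep -q "^$k *=" "$conf" || { echo "missing key: $k"; rc=1; }
    done
    # A WireGuard key is 32 bytes in base64 (43 characters plus '='); anything
    # else, such as an unreplaced <placeholder>, is rejected by wg.
    for k in PrivateKey PublicKey PresharedKey; do
        v=$(sed -n "s/^$k *= *//p" "$conf")
        [ -n "$v" ] || continue
        printf '%s\n' "$v" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || { echo "$k is not a valid key: $v"; rc=1; }
    done
    # The file contains the private key; wg-quick warns when group/other can read it.
    mode=$(stat -c %a "$conf" 2>/dev/null || true)     # GNU stat, as on Ubuntu
    case "$mode" in 600|400|"") ;; *) echo "mode $mode is too open, use chmod 600"; rc=1 ;; esac
    return $rc
}

# Constructed samples with a dummy key (32 zero bytes, never a real key): one
# clean config and one with the '//' comment and [Peers] mistakes of a first draft.
K=$(head -c 32 /dev/zero | base64)
good=$(mktemp); bad_conf=$(mktemp)          # mktemp creates the files with mode 600
printf '[Interface]\nAddress = 10.11.0.20/32\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\n' "$K" "$K" > "$good"
printf 'AllowedIPs = 10.11.0.0/24, 192.168.1.0/24\nEndpoint = 203.0.113.1:51820\n' >> "$good"
printf '[Interface]\nAddress = 10.11.0.20/32 // client IP\nPrivateKey = <Private Key of the client>\n\n' > "$bad_conf"
printf '[Peers]\nPublicKey = %s\nAllowedIPs = 10.11.0.0/24\nEndpoint = 203.0.113.1:51820\n' "$K" >> "$bad_conf"

check_wg_conf "$good" && echo "good config: OK"
check_wg_conf "$bad_conf" || echo "bad config: rejected"
```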

Create Systemd service

The WireGuard VPN can be controlled via a Systemd service so that the VPN is set up automatically when Ubuntu is started.

$ sudo systemctl enable wg-quick@wg0.service

Commands for controlling the Systemd service:

$ sudo systemctl start wg-quick@wg0.service
$ sudo systemctl status wg-quick@wg0.service
$ sudo systemctl stop wg-quick@wg0.service

Pre-Shared Key as additional security

The connection can optionally also be further secured by using an additional pre-shared key.[4]

You can easily create a pre-shared key with the tool wg:

$ sudo wg genpsk > presharedkey

Then add the following line to the [Peer] section of the WireGuard configuration, in this example wg0.conf. The same pre-shared key must also be entered for this client on the OPNsense side, since both peers have to use an identical key.

PresharedKey = <Pre-Shared Key>

Check connection

The connection can be checked once the Systemd service has been started. With systemctl status wg-quick@wg0.service you can check the status of the service, as described above.

In addition, the command wg displays the status of the WireGuard connection (the example output below was captured from a configuration without a pre-shared key). If the connection is not established or the system service has been stopped, wg prints no output:

$ sudo wg
interface: wg0
  public key: <Public-Key of the WireGuard client>
  private key: (hidden)
  listening port: 45062

peer: <Public-Key of the OPNsense WireGuard instance>
  endpoint: <Public IP of the OPNsense firewall>:<WireGuard Port>
  allowed ips: 10.11.0.0/24, 192.168.1.0/24
  latest handshake: 17 seconds ago
  transfer: 6.98 KiB received, 10.82 KiB sent

References



Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

