Wireguard
Links
https://www.wireguard.com/netns/#the-new-namespace-solution
https://www.opennet.ru/tips/2683_linux_namespace_gateway_virtual_route_iproute.shtml
https://www.stableit.ru/2015/06/bird-bgp.html
https://vincent.bernat.ch/en/blog/2018-route-based-vpn-wireguard
Kilo is a multi-cloud network overlay built on WireGuard and designed for Kubernetes - https://github.com/squat/kilo
Unofficial documentation
- https://github.com/pirate/wireguard-docs
- https://monadical.com/posts/wireguard.html (very detailed doc)
Notes
The VPN tunnel should use the same MTU on both sides.
Route
ip -4 route add 172.16.0.0/16 dev wg3
Custom routing for tunnels
For custom routing, switch off wireguard's built-in routing with Table = off and configure the peer with AllowedIPs = 0.0.0.0/1, 128.0.0.0/1. With Table = off, wg-quick installs no routes at all, so AllowedIPs only defines which addresses the cryptokey routing accepts for that peer; the routes themselves are added manually.
[Interface]
Address = 172.16.101.10/30
PrivateKey = *****=
ListenPort = 1234
Table = off
[Peer]
PublicKey = ****=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 11.22.33.44:1234
PersistentKeepalive = 25
Autostart tunnel
systemctl enable wg-quick@wg1.service
Hot tunnel reload
wg syncconf wg1 <(wg-quick strip wg1)
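As an added illustration of the two notes above (custom routing with Table = off, and reloading via wg-quick strip), not code from the page or from WireGuard itself: a small Python model of which keys wg-quick strip removes before wg syncconf, plus a check for the Table = off / split-default AllowedIPs combination. The config text and key placeholders are constructed, and strip_wg_quick and routing_check are hypothetical helper names.

```python
import ipaddress
# wg-quick(8)-only keys: `wg setconf`/`wg syncconf` reject them, hence `wg-quick strip`.
WG_QUICK_ONLY = {"Address", "DNS", "MTU", "Table", "PreUp", "PostUp",
                 "PreDown", "PostDown", "SaveConfig"}

# Constructed sample config; the keys are placeholders, not real key material.
SAMPLE = """\
[Interface]
Address = 172.16.101.10/30
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
ListenPort = 1234
Table = off
[Peer]
PublicKey = PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
"""

def parse(text):
    """Parse wg config text into [(section, [(key, value), ...]), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg treats '#' as a comment start
        if line.startswith("["):
            sections.append((line.strip("[]"), []))
        elif line:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def strip_wg_quick(text):
    """Mimic `wg-quick strip`: drop the keys that wg(8) itself does not accept."""
    out = []
    for name, entries in parse(text):
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in entries if k not in WG_QUICK_ONLY)
    return "\n".join(out) + "\n"

def routing_check(text):
    """Flag peers routing all IPv4 via the tunnel while Table is not off (wg-quick would install the /1 routes itself)."""
    problems, table = [], "auto"
    for name, entries in parse(text):
        if name == "Interface":
            table = dict(entries).get("Table", "auto")
        elif name == "Peer":
            allowed = ",".join(v for k, v in entries if k == "AllowedIPs")
            nets = [ipaddress.ip_network(a.strip()) for a in allowed.split(",") if a.strip()]
            v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
            if sum(n.num_addresses for n in v4) == 2 ** 32 and table != "off":
                problems.append("AllowedIPs covers all IPv4 but Table is not off")
    return problems
```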
Wireguard on Windows as a service
Hooks for wireguard
PreUp = iptables -A INPUT -p udp --dport 5502 -j ACCEPT -m comment --comment "WG 5502 UDP"
PostUp = iptables -A INPUT -i wg5502 -j ACCEPT -m comment --comment "WG 5502 Tunnel"
PostDown = iptables -D INPUT -i wg5502 -j ACCEPT -m comment --comment "WG 5502 Tunnel"; iptables -D INPUT -p udp --dport 5502 -j ACCEPT -m comment --comment "WG 5502 UDP"
Wireguard can be configured via netplan
tunnels:
  wg0:
    mode: wireguard
    addresses: [...]
    peers:
      - keys:
          public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
          shared: /path/to/shared.key
        ...
    key: mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
Simple VPN server installation
1) Deploy a VPS with Ubuntu 22.04. A minimum of 1 core and 0.5Gb RAM is required.
2) Log in to the VPS via ssh and run the sudo su - command
3) Copy and paste the commands below, answering "Y" or pressing Enter at every prompt
# Update system
apt -y update
apt -y install nano
apt -y dist-upgrade
apt -y autoremove
# Install fail2ban to prevent ssh password brute-force
apt -y install fail2ban
# Install docker
curl -sSL https://get.docker.com | sudo sh
# Install wg-easy
mkdir -p /opt/wgeasy
cd /opt/wgeasy
4) Run nano /opt/wgeasy/docker-compose.yml and paste the following:
services:
  wg-easy:
    environment:
      # Optional:
      # - PORT=51821
      # - HOST=0.0.0.0
      - INSECURE=true
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.42.42.42
        ipv6_address: fdcc:ad94:bacf:61a3::2a
    volumes:
      - ./etc_wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠️ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24
        - subnet: fdcc:ad94:bacf:61a3::/64
5) Press Ctrl-X, then Y and Enter to save the file
6) Run docker compose up -d
7) Open http://your-vps-ip:51821 in a browser to configure the VPN server. On first start it will ask you to set an admin user and password and to enter the VPS IP address.