fz0x1/WireGuard-Guide-On_Arch_Linux
1
0
Fork 0
mirror of https://github.com/omgcast/WireGuard-Guide-On_Arch_Linux.git synced 2025-05-09 16:28:31 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
A step-by-step guide for setting up WireGuard VPN on Arch Linux.
10 commits 1 branch 0 tags 48 KiB
Find a file
Exact
n3kit91 82c4f24a40
Update README-ru.md
2024-12-07 06:25:05 +03:00
README-ru.md Update README-ru.md 2024-12-07 06:25:05 +03:00
README.md Update README.md 2024-11-28 18:02:57 +03:00

README.md

WireGuard Setup Guide for Arch Linux

This guide provides a streamlined, step-by-step process to set up a secure WireGuard VPN on Arch Linux. It ensures proper configuration of public and private keys to avoid common issues related to authentication and traffic routing. The client setup covers various platforms, including Linux, Windows, and mobile devices (iOS/Android).

Русская версия

Table of Contents

  1. Prerequisites
  2. Installation
  3. Key Generation
  4. Server Configuration
  5. Client Configuration
  6. Firewall and Routing
  7. Starting WireGuard
  8. Verification
  9. Troubleshooting

Prerequisites

  • Arch Linux installed on the server.
  • Root or sudo privileges on the server.
  • Public IP address for the server.
  • WireGuard application installed on the client device (Linux, Windows, iOS, Android).

Installation

On Server

  1. Update the system:

    sudo pacman -Syu

  2. Install WireGuard and Nano Editor:

    Nano is a user-friendly text editor that simplifies editing configuration files.

    sudo pacman -S wireguard-tools nano

On Client

  • Linux:

    sudo pacman -S wireguard-tools nano

  • Windows, iOS, Android:

    Install the WireGuard application from the official website or your device's app store.

Key Generation

On Server

  1. Navigate to WireGuard directory:

    sudo mkdir -p /etc/wireguard
cd /etc/wireguard

  2. Generate server keys:

    umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
    • server_privatekey: Server's private key.
    • server_publickey: Server's public key.

On Client

Linux

  1. Navigate to WireGuard directory:

    mkdir -p ~/wireguard
cd ~/wireguard

  2. Generate client keys:

    wg genkey | tee client_privatekey | wg pubkey > client_publickey
    • client_privatekey: Client's private key.
    • client_publickey: Client's public key.

Windows, iOS, Android

  1. Use the WireGuard application to generate keys:

    • Open the WireGuard app.
    • Click on "Add Tunnel" > "Add empty tunnel..."
    • The app will generate a private and public key pair.
    • Save the private key securely and copy the public key for server configuration.

Server Configuration

  1. Create/Edit WireGuard configuration:

    sudo nano /etc/wireguard/wg0.conf

  2. Add the following configuration:

    [Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>

# Enable IP forwarding and NAT
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT

[Peer]
PublicKey = <client_publickey>
AllowedIPs = 10.0.0.2/32
    • Replace <server_privatekey> with the contents of server_privatekey.
    • Replace <external_interface> with your server's external network interface (e.g., ens1, eth0).
    • Replace <client_publickey> with the client's public key.

  3. Save and exit (Ctrl + O, Enter, Ctrl + X).

Client Configuration

Linux

  1. Create/Edit WireGuard configuration:

    sudo nano /etc/wireguard/wg0.conf

  2. Add the following configuration:

    [Interface]
PrivateKey = <client_privatekey>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server_publickey>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
    • Replace <client_privatekey> with the contents of client_privatekey.
    • Replace <server_publickey> with the server's public key.
    • Replace <server_public_ip> with your server's public IP address.

  3. Save and exit (Ctrl + O, Enter, Ctrl + X).

Windows

  1. Open WireGuard application.

  2. Add a new tunnel:

    • Click on "Add Tunnel" > "Add empty tunnel..."

  3. Paste the client configuration:

    [Interface]
PrivateKey = <client_privatekey>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server_publickey>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
    • Replace <client_privatekey> with the client's private key.
    • Replace <server_publickey> with the server's public key.
    • Replace <server_public_ip> with your server's public IP address.

  4. Save and activate the tunnel.

iOS/Android

  1. Open WireGuard application.

  2. Add a new tunnel:

    • Tap on "+" > "Create from scratch" or "Import from file/device."

  3. Enter the client configuration:

    [Interface]
PrivateKey = <client_privatekey>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server_publickey>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
    • Replace <client_privatekey> with the client's private key.
    • Replace <server_publickey> with the server's public key.
    • Replace <server_public_ip> with your server's public IP address.

  4. Save and activate the tunnel.

Firewall and Routing

On Server

  1. Configure iptables rules:

    sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

  2. Save iptables rules for persistence:

    sudo iptables-save | sudo tee /etc/iptables/iptables.rules
sudo systemctl enable iptables
sudo systemctl start iptables

  3. Enable IP forwarding:

    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

Starting WireGuard

On Server and Linux Client

  1. Start and enable WireGuard:

    sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

On Windows, iOS, Android

  1. Activate the tunnel:

    • Open the WireGuard application.
    • Toggle the switch next to your configured tunnel to "On."

Verification

  1. Check WireGuard status:

    sudo wg show
    • Ensure wg0 is active with peers listed.

  2. Test Connectivity:

    • Ping Server from Client:

      ping 10.0.0.1

    • Ping External IP from Client:

      ping 8.8.8.8

    • Test DNS Resolution:

      nslookup google.com

    • Access Websites:

      Open a web browser and navigate to any website (e.g., https://www.google.com).

Troubleshooting

  • Incorrect Key Pairing:

    • Ensure the server's [Peer] has the client's public key.
    • Ensure the client's [Peer] has the server's public key.

  • Firewall Rules:

    • Verify iptables rules:

      sudo iptables -L -v
sudo iptables -t nat -L -v

  • IP Forwarding:

    • Confirm IP forwarding is enabled:

      sysctl net.ipv4.ip_forward

      Should return net.ipv4.ip_forward = 1.

  • Logs Review:

    • Check WireGuard logs on the server:

      sudo journalctl -u wg-quick@wg0

  • Port Accessibility:

    • Ensure UDP port 51820 is open and listening:

      sudo ss -ulnp | grep 51820

  • DNS Issues:

    • If DNS resolution fails, try different DNS servers (e.g., 1.1.1.1, 8.8.4.4).

Common Issues and Solutions

Cause: Misconfigured Public Keys

Issue: Client was using the server's private key as the peer's public key, preventing proper authentication.

Solution:

  • Ensure the client's [Peer] PublicKey is set to the server's public key.
  • Ensure the server's [Peer] PublicKey is set to the client's public key.

Cause: Duplicate iptables Rules

Issue: Multiple identical MASQUERADE rules caused routing conflicts.

Solution:

  • Remove duplicate iptables rules and retain only one MASQUERADE rule.

    sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE

Cause: Disabled IP Forwarding

Issue: IP forwarding was not enabled, blocking traffic routing through VPN.

Solution:

  • Enable IP forwarding permanently.

    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

Conclusion

Proper configuration of public and private keys, along with correct firewall and routing settings, is crucial for a functional WireGuard VPN on Arch Linux. By following this guide, you can set up WireGuard securely and efficiently, minimizing potential issues related to authentication and traffic routing.

For further assistance, refer to the WireGuard Documentation or seek help from the Arch Linux community.