From 2a5fc21b03a3126c8970c4d2556b7c109769d380 Mon Sep 17 00:00:00 2001 From: n3kit91 Date: Thu, 28 Nov 2024 17:49:46 +0300 Subject: [PATCH] Update README.md --- README.md | 298 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 297 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 19fe4a8..cd0ce73 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,297 @@ -# WireGuard-Guide \ No newline at end of file +# WireGuard Setup Guide for Arch Linux + +## Overview + +This guide provides a streamlined, step-by-step process to set up a secure WireGuard VPN on Arch Linux. It also explains the common pitfalls to avoid, ensuring a smooth and functional VPN configuration. + +## Table of Contents + +1. [Prerequisites](#prerequisites) +2. [Installation](#installation) +3. [Key Generation](#key-generation) +4. [Server Configuration](#server-configuration) +5. [Client Configuration](#client-configuration) +6. [Firewall and Routing](#firewall-and-routing) +7. [Starting WireGuard](#starting-wireguard) +8. [Verification](#verification) +9. [Troubleshooting](#troubleshooting) + +## Prerequisites + +- **Arch Linux** installed on both server and client machines. +- **Root** or **sudo** privileges on both machines. +- **Public IP** address for the server. + +## Installation + +### On Server and Client + +1. **Update the system:** + + ```bash + sudo pacman -Syu + ``` + +2. **Install WireGuard:** + + ```bash + sudo pacman -S wireguard-tools + ``` + +## Key Generation + +### On Server + +1. **Navigate to WireGuard directory:** + + ```bash + sudo mkdir -p /etc/wireguard + cd /etc/wireguard + ``` + +2. **Generate server keys:** + + ```bash + umask 077 + wg genkey | tee server_privatekey | wg pubkey > server_publickey + ``` + + - `server_privatekey`: Server's private key. + - `server_publickey`: Server's public key. + +### On Client + +1. **Generate client keys:** + + ```bash + wg genkey | tee client_privatekey | wg pubkey > client_publickey + ``` + + - `client_privatekey`: Client's private key. + - `client_publickey`: Client's public key. + +## Server Configuration + +1. **Create/Edit WireGuard configuration:** + + ```bash + sudo nano /etc/wireguard/wg0.conf + ``` + +2. 
**Add the following configuration:** + + ```ini + [Interface] + Address = 10.0.0.1/24 + ListenPort = 51820 + PrivateKey = + + # Enable IP forwarding and NAT + PostUp = sysctl -w net.ipv4.ip_forward=1 + PostUp = iptables -t nat -A POSTROUTING -o -j MASQUERADE + PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT + PostDown = sysctl -w net.ipv4.ip_forward=0 + PostDown = iptables -t nat -D POSTROUTING -o -j MASQUERADE + PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT + + [Peer] + PublicKey = + AllowedIPs = 10.0.0.2/32 + ``` + + - Replace `` with the contents of `server_privatekey`. + - Replace `` with your server's external network interface (e.g., `ens1`, `eth0`). + - Replace `` with the client's public key. + +3. **Save and exit** (`Ctrl + O`, `Enter`, `Ctrl + X`). + +## Client Configuration + +1. **Create/Edit WireGuard configuration:** + + ```bash + sudo nano /etc/wireguard/wg0.conf + ``` + + *On Windows, use the WireGuard application to add a new tunnel and input the configuration.* + +2. **Add the following configuration:** + + ```ini + [Interface] + PrivateKey = + Address = 10.0.0.2/24 + DNS = 8.8.8.8 + + [Peer] + PublicKey = + Endpoint = :51820 + AllowedIPs = 0.0.0.0/0, ::/0 + PersistentKeepalive = 25 + ``` + + - Replace `` with the contents of `client_privatekey`. + - Replace `` with the server's public key. + - Replace `` with your server's public IP address. + +3. **Save and exit** (`Ctrl + O`, `Enter`, `Ctrl + X`). + +## Firewall and Routing + +### On Server + +1. **Configure iptables rules:** + + ```bash + sudo iptables -t nat -A POSTROUTING -o -j MASQUERADE + sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT + ``` + +2. 
**Save iptables rules for persistence:** + + ```bash + sudo iptables-save | sudo tee /etc/iptables/iptables.rules + sudo systemctl enable iptables + sudo systemctl start iptables + ``` + +3. **Enable IP forwarding:** + + ```bash + echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf + sudo sysctl -p /etc/sysctl.d/99-sysctl.conf + ``` + +## Starting WireGuard + +### On Server and Client + +1. **Start and enable WireGuard:** + + ```bash + sudo systemctl start wg-quick@wg0 + sudo systemctl enable wg-quick@wg0 + ``` + +## Verification + +1. **Check WireGuard status:** + + ```bash + sudo wg show + ``` + + - Ensure `wg0` is active with peers listed. + +2. **Test Connectivity:** + + - **Ping Server from Client:** + + ```bash + ping 10.0.0.1 + ``` + + - **Ping External IP from Client:** + + ```bash + ping 8.8.8.8 + ``` + + - **Test DNS Resolution:** + + ```bash + nslookup google.com + ``` + + - **Access Websites:** + + Open a web browser and navigate to any website (e.g., [https://www.google.com](https://www.google.com)). + +## Troubleshooting + +- **Incorrect Key Pairing:** + + - Ensure the server's `[Peer]` has the **client's public key**. + - Ensure the client's `[Peer]` has the **server's public key**. + +- **Firewall Rules:** + + - Verify iptables rules: + + ```bash + sudo iptables -L -v + sudo iptables -t nat -L -v + ``` + +- **IP Forwarding:** + + - Confirm IP forwarding is enabled: + + ```bash + sysctl net.ipv4.ip_forward + ``` + + Should return `net.ipv4.ip_forward = 1`. + +- **Logs Review:** + + - Check WireGuard logs on the server: + + ```bash + sudo journalctl -u wg-quick@wg0 + ``` + +- **Port Accessibility:** + + - Ensure UDP port `51820` is open and listening: + + ```bash + sudo ss -ulnp | grep 51820 + ``` + +- **DNS Issues:** + + - If DNS resolution fails, try different DNS servers (e.g., `1.1.1.1`, `8.8.4.4`). 
+ +## Common Issues and Solutions + +### Cause: Misconfigured Public Keys + +**Issue:** Client was using the server's private key as the peer's public key, preventing proper authentication. + +**Solution:** +- Ensure the client's `[Peer] PublicKey` is set to the **server's public key**. +- Ensure the server's `[Peer] PublicKey` is set to the **client's public key**. + +### Cause: Duplicate iptables Rules + +**Issue:** Multiple identical `MASQUERADE` rules caused routing conflicts. + +**Solution:** +- Remove duplicate iptables rules and retain only one `MASQUERADE` rule. + + ```bash + sudo iptables -t nat -F POSTROUTING + sudo iptables -t nat -A POSTROUTING -o -j MASQUERADE + ``` + +### Cause: Disabled IP Forwarding + +**Issue:** IP forwarding was not enabled, blocking traffic routing through VPN. + +**Solution:** +- Enable IP forwarding permanently. + + ```bash + echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf + sudo sysctl -p /etc/sysctl.d/99-sysctl.conf + ``` + +## Conclusion + +Proper configuration of public and private keys, along with correct firewall and routing settings, is crucial for a functional WireGuard VPN on Arch Linux. By following this guide, you can set up WireGuard securely and efficiently, minimizing potential issues related to authentication and traffic routing. + +For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or seek help from the Arch Linux community.
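Review bot: every placeholder in the README's config templates has been stripped, so the server `[Interface]` block reads `PrivateKey = ` and `PostUp = iptables -t nat -A POSTROUTING -o -j MASQUERADE`, the client `[Peer]` block reads `Endpoint = :51820`, and the replacement bullets read "Replace `` with the contents of `server_privatekey`"; the angle-bracket tokens were most likely consumed as HTML when the markdown was rendered, so either escape them as HTML entities or use plain uppercase tokens such as `SERVER_PRIVATE_KEY` and `WAN_IF` in both the templates and the bullets. The "Firewall and Routing" section then re-adds the same three MASQUERADE/FORWARD rules that the `PostUp` lines already install on every `wg-quick up`, and `iptables-save` persists that second copy, which is exactly the "Duplicate iptables Rules" condition the "Common Issues" section later tells the reader to flush; keep the rules in one place, either `PostUp`/`PostDown` or the saved `iptables.rules`, and if the server has a default-deny INPUT policy add an `INPUT -p udp --dport 51820 -j ACCEPT` rule, which the guide never does. `PostDown = sysctl -w net.ipv4.ip_forward=0` also switches forwarding off host-wide whenever wg0 goes down, undoing the persistent `/etc/sysctl.d/99-sysctl.conf` setting and breaking any other forwarding on the box, so it should be dropped; the `tee -a` lines in "Firewall and Routing" and "Common Issues" likewise append another `net.ipv4.ip_forward = 1` each time they are run, so writing a dedicated file without `-a` is safer. On key handling, the client step omits `umask 077` and a working directory, so `client_privatekey` is written under the shell's default umask, typically world-readable, into whatever directory the user happens to be in, and neither side's `wg0.conf`, which holds the private key, is given `chmod 600` (wg-quick warns when the file is world accessible); add `umask 077` to the client step and `sudo chmod 600 /etc/wireguard/wg0.conf` after each config is written. `DNS = 8.8.8.8` makes wg-quick call `resolvconf`, which on Arch requires `openresolv` or `systemd-resolvconf` to be installed, so the Installation step should list it. `AllowedIPs = 0.0.0.0/0, ::/0` routes all client IPv6 into a tunnel that has no IPv6 address, which blackholes the client's v6 traffic; either state that this is intended leak prevention or drop `::/0`. Finally, the "On Windows, use the WireGuard application" aside contradicts the Arch-on-both-machines prerequisite.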