Update README.md

README.md

@@ -1 +1,297 @@
-# WireGuard-Guide
+# WireGuard Setup Guide for Arch Linux
+
+## Overview
+
+This guide provides a streamlined, step-by-step process to set up a secure WireGuard VPN on Arch Linux. It also explains the common pitfalls to avoid, ensuring a smooth and functional VPN configuration.
+
+## Table of Contents
+
+1. [Prerequisites](#prerequisites)
+2. [Installation](#installation)
+3. [Key Generation](#key-generation)
+4. [Server Configuration](#server-configuration)
+5. [Client Configuration](#client-configuration)
+6. [Firewall and Routing](#firewall-and-routing)
+7. [Starting WireGuard](#starting-wireguard)
+8. [Verification](#verification)
+9. [Troubleshooting](#troubleshooting)
+
+## Prerequisites
+
+- **Arch Linux** installed on both server and client machines.
+- **Root** or **sudo** privileges on both machines.
+- **Public IP** address for the server.
+
+## Installation
+
+### On Server and Client
+
+1. **Update the system:**
+
+    ```bash
+    sudo pacman -Syu
+    ```
+
+2. **Install WireGuard:**
+
+    ```bash
+    sudo pacman -S wireguard-tools
+    ```
+
+## Key Generation
+
+### On Server
+
+1. **Navigate to WireGuard directory:**
+
+    ```bash
+    sudo mkdir -p /etc/wireguard
+    cd /etc/wireguard
+    ```
+
+2. **Generate server keys:**
+
+    ```bash
+    umask 077
+    wg genkey | tee server_privatekey | wg pubkey > server_publickey
+    ```
+
+    - `server_privatekey`: Server's private key.
+    - `server_publickey`: Server's public key.
+
+### On Client
+
+1. **Generate client keys:**
+
+    ```bash
+    wg genkey | tee client_privatekey | wg pubkey > client_publickey
+    ```
+
+    - `client_privatekey`: Client's private key.
+    - `client_publickey`: Client's public key.
+
+## Server Configuration
+
+1. **Create/Edit WireGuard configuration:**
+
+    ```bash
+    sudo nano /etc/wireguard/wg0.conf
+    ```
+
+2. **Add the following configuration:**
+
+    ```ini
+    [Interface]
+    Address = 10.0.0.1/24
+    ListenPort = 51820
+    PrivateKey = <server_privatekey>
+
+    # Enable IP forwarding and NAT
+    PostUp = sysctl -w net.ipv4.ip_forward=1
+    PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
+    PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
+    PostDown = sysctl -w net.ipv4.ip_forward=0
+    PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
+    PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
+
+    [Peer]
+    PublicKey = <client_publickey>
+    AllowedIPs = 10.0.0.2/32
+    ```
+
+    - Replace `<server_privatekey>` with the contents of `server_privatekey`.
+    - Replace `<external_interface>` with your server's external network interface (e.g., `ens1`, `eth0`).
+    - Replace `<client_publickey>` with the client's public key.
+
+3. **Save and exit** (`Ctrl + O`, `Enter`, `Ctrl + X`).
+
+## Client Configuration
+
+1. **Create/Edit WireGuard configuration:**
+
+    ```bash
+    sudo nano /etc/wireguard/wg0.conf
+    ```
+
+    *On Windows, use the WireGuard application to add a new tunnel and input the configuration.*
+
+2. **Add the following configuration:**
+
+    ```ini
+    [Interface]
+    PrivateKey = <client_privatekey>
+    Address = 10.0.0.2/24
+    DNS = 8.8.8.8
+
+    [Peer]
+    PublicKey = <server_publickey>
+    Endpoint = <server_public_ip>:51820
+    AllowedIPs = 0.0.0.0/0, ::/0
+    PersistentKeepalive = 25
+    ```
+
+    - Replace `<client_privatekey>` with the contents of `client_privatekey`.
+    - Replace `<server_publickey>` with the server's public key.
+    - Replace `<server_public_ip>` with your server's public IP address.
+
+3. **Save and exit** (`Ctrl + O`, `Enter`, `Ctrl + X`).
+
+## Firewall and Routing
+
+### On Server
+
+1. **Configure iptables rules:**
+
+    ```bash
+    sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
+    sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
+    ```
+
+2. **Save iptables rules for persistence:**
+
+    ```bash
+    sudo iptables-save | sudo tee /etc/iptables/iptables.rules
+    sudo systemctl enable iptables
+    sudo systemctl start iptables
+    ```
+
+3. **Enable IP forwarding:**
+
+    ```bash
+    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+    sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
+    ```
+
+## Starting WireGuard
+
+### On Server and Client
+
+1. **Start and enable WireGuard:**
+
+    ```bash
+    sudo systemctl start wg-quick@wg0
+    sudo systemctl enable wg-quick@wg0
+    ```
+
+## Verification
+
+1. **Check WireGuard status:**
+
+    ```bash
+    sudo wg show
+    ```
+
+    - Ensure `wg0` is active with peers listed.
+
+2. **Test Connectivity:**
+
+    - **Ping Server from Client:**
+
+        ```bash
+        ping 10.0.0.1
+        ```
+
+    - **Ping External IP from Client:**
+
+        ```bash
+        ping 8.8.8.8
+        ```
+
+    - **Test DNS Resolution:**
+
+        ```bash
+        nslookup google.com
+        ```
+
+    - **Access Websites:**
+      
+      Open a web browser and navigate to any website (e.g., [https://www.google.com](https://www.google.com)).
+
+## Troubleshooting
+
+- **Incorrect Key Pairing:**
+  
+  - Ensure the server's `[Peer]` has the **client's public key**.
+  - Ensure the client's `[Peer]` has the **server's public key**.
+
+- **Firewall Rules:**
+  
+  - Verify iptables rules:
+
+    ```bash
+    sudo iptables -L -v
+    sudo iptables -t nat -L -v
+    ```
+
+- **IP Forwarding:**
+  
+  - Confirm IP forwarding is enabled:
+
+    ```bash
+    sysctl net.ipv4.ip_forward
+    ```
+
+    Should return `net.ipv4.ip_forward = 1`.
+
+- **Logs Review:**
+  
+  - Check WireGuard logs on the server:
+
+    ```bash
+    sudo journalctl -u wg-quick@wg0
+    ```
+
+- **Port Accessibility:**
+  
+  - Ensure UDP port `51820` is open and listening:
+
+    ```bash
+    sudo ss -ulnp | grep 51820
+    ```
+
+- **DNS Issues:**
+  
+  - If DNS resolution fails, try different DNS servers (e.g., `1.1.1.1`, `8.8.4.4`).
+
+## Common Issues and Solutions
+
+### Cause: Misconfigured Public Keys
+
+**Issue:** Client was using the server's private key as the peer's public key, preventing proper authentication.
+
+**Solution:**
+- Ensure the client's `[Peer] PublicKey` is set to the **server's public key**.
+- Ensure the server's `[Peer] PublicKey` is set to the **client's public key**.
+
+### Cause: Duplicate iptables Rules
+
+**Issue:** Multiple identical `MASQUERADE` rules caused routing conflicts.
+
+**Solution:**
+- Remove duplicate iptables rules and retain only one `MASQUERADE` rule.
+  
+    ```bash
+    sudo iptables -t nat -F POSTROUTING
+    sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
+    ```
+
+### Cause: Disabled IP Forwarding
+
+**Issue:** IP forwarding was not enabled, blocking traffic routing through VPN.
+
+**Solution:**
+- Enable IP forwarding permanently.
+
+    ```bash
+    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
+    sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
+    ```
+
+## Conclusion
+
+Proper configuration of public and private keys, along with correct firewall and routing settings, is crucial for a functional WireGuard VPN on Arch Linux. By following this guide, you can set up WireGuard securely and efficiently, minimizing potential issues related to authentication and traffic routing.
+
+For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or seek help from the Arch Linux community.