# WireGuard VPN Setup Guide for Arch Linux

This concise guide helps you set up a WireGuard VPN server on Arch Linux with two client types:

- **VIP**: Up to 100 Mbps
- **Free**: Up to 10 Mbps

A client's type is determined by the VPN address it is assigned, so you can switch a client between VIP and Free by changing that address. Additionally, we'll address security concerns related to exposing your server's IP address.

## Table of Contents

1. [Prerequisites](#prerequisites)
2. [Installation](#installation)
3. [Server Configuration](#server-configuration)
4. [Client Management](#client-management)
   - [Add a Client](#add-a-client)
   - [Switch Client Type](#switch-client-type)
5. [Speed Limiting](#speed-limiting)
6. [Security Considerations](#security-considerations)
7. [Starting WireGuard](#starting-wireguard)
8. [Verification](#verification)

## Prerequisites

- **Arch Linux** installed on the server.
- **Root** or **sudo** privileges.
- **WireGuard** installed on client devices (Linux, Windows, iOS, Android).

## Installation

1. **Update System & Install Packages**

```bash
sudo pacman -Syu
sudo pacman -S wireguard-tools iproute2 iptables nano
```

## Server Configuration

1. **Generate Server Keys**

Run these as root so the key files are created inside `/etc/wireguard` with `umask 077` (readable by root only):

```bash
sudo -i
mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
exit
```

2. **Create `wg0.conf`**

```bash
sudo nano /etc/wireguard/wg0.conf
```

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

# Enable IP forwarding and NAT
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
```

- Replace `<server_private_key>` with the content of `server_privatekey`.
- Replace `<external_interface>` with your network interface (e.g., `eth0`, `ens1`).
- `wg-quick` runs the `PostUp`/`PostDown` commands as root, so they need no `sudo`. The `FORWARD` rule is deliberately limited to `10.0.0.0/24`, so only VPN clients can use the server as a gateway. If the server forwards traffic for anything else, drop the `ip_forward=0` line from `PostDown`.

## Client Management

### Add a Client

Create a script that adds a client of a given type (VIP or Free). Each type owns a block of addresses (VIP `10.0.0.2` to `10.0.0.11`, Free `10.0.0.12` to `10.0.0.21`) and the speed-limiting rules are keyed on those addresses, so the script takes the first unused address in the type's block rather than a fixed one (two peers must never share an address).

1. **Create `add_client.sh`**

```bash
sudo nano /etc/wireguard/add_client.sh
```

```bash
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <VIP|Free> <name>"
    exit 1
fi

TYPE=$1
NAME=$2
CONF=/etc/wireguard/wg0.conf

# The name becomes a file name and a marker line in wg0.conf: keep it simple.
if ! [[ "$NAME" =~ ^[A-Za-z0-9_-]+$ ]]; then
    echo "Name may only contain letters, digits, '_' and '-'"
    exit 1
fi

if [ "$TYPE" == "VIP" ]; then
    IP_FIRST=2
    IP_LAST=11
elif [ "$TYPE" == "Free" ]; then
    IP_FIRST=12
    IP_LAST=21
else
    echo "Type must be VIP or Free"
    exit 1
fi

# Public address the client will connect to. Override with SERVER_ENDPOINT
# if the server sits behind NAT and the address curl sees is not its own.
ENDPOINT=${SERVER_ENDPOINT:-$(curl -sf ifconfig.me)}

# First address in the type's block that no peer uses yet
CLIENT_IP=""
for n in $(seq "$IP_FIRST" "$IP_LAST"); do
    if ! grep -q "^AllowedIPs = 10\.0\.0\.$n/32$" "$CONF"; then
        CLIENT_IP="10.0.0.$n"
        break
    fi
done
if [ -z "$CLIENT_IP" ]; then
    echo "No free $TYPE address left in 10.0.0.$IP_FIRST-10.0.0.$IP_LAST"
    exit 1
fi

# Generate keys (umask 077: the client's private key must not be world-readable)
umask 077
mkdir -p ~/wireguard_clients
cd ~/wireguard_clients
wg genkey | tee "${NAME}_privatekey" | wg pubkey > "${NAME}_publickey"
PRIVATE_KEY=$(cat "${NAME}_privatekey")
PUBLIC_KEY=$(cat "${NAME}_publickey")

# Add to server config; the "### Client" marker lets you find the peer later
cat >> "$CONF" <<EOF
### Client $NAME
[Peer]
PublicKey = $PUBLIC_KEY
AllowedIPs = $CLIENT_IP/32

EOF

# Create client config
cat > "${NAME}.conf" <<EOF
[Interface]
PrivateKey = $PRIVATE_KEY
Address = $CLIENT_IP/24
DNS = 8.8.8.8

[Peer]
PublicKey = $(cat /etc/wireguard/server_publickey)
Endpoint = $ENDPOINT:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF

# Load the new peer into the running interface, if it is already up
if wg show wg0 >/dev/null 2>&1; then
    wg set wg0 peer "$PUBLIC_KEY" allowed-ips "$CLIENT_IP/32"
fi

echo "Client $NAME ($TYPE) added with IP $CLIENT_IP."
echo "Config file: $HOME/wireguard_clients/${NAME}.conf"
```

Because the script is run with `sudo`, `~` is `/root`, so the client files end up in `/root/wireguard_clients/`.

2. **Make Script Executable**

```bash
sudo chmod +x /etc/wireguard/add_client.sh
```

3. **Add Clients**

- **Free Clients (Vanya and Vasya)**

```bash
sudo /etc/wireguard/add_client.sh Free vanya
sudo /etc/wireguard/add_client.sh Free vasya
```

- **VIP Client (Petya)**

```bash
sudo /etc/wireguard/add_client.sh VIP petya
```

### Switch Client Type

To switch a client from Free to VIP or vice versa:

1. **Edit Server Configuration**

```bash
sudo nano /etc/wireguard/wg0.conf
```

2. **Locate the Client's `[Peer]` Section**

```ini
### Client vanya
[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.12/32
```

3. **Change the `AllowedIPs` to an Unused Address in the Target Block**

- **VIP**: `10.0.0.2/32` to `10.0.0.11/32`
- **Free**: `10.0.0.12/32` to `10.0.0.21/32`

Pick an address that no other `[Peer]` in the file uses.

4. **Update the Client's Config**

`AllowedIPs` is the server's cryptokey routing table: packets a peer sends from any other source address are dropped. Change the `Address` line in the client's `.conf` (for example `/root/wireguard_clients/vanya.conf`) to the new address and hand the updated file to the client.

5. **Apply on the Server and Rebuild the Speed Limits (see [Speed Limiting](#speed-limiting))**

```bash
sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'
sudo systemctl restart wg-tc.service
```

`wg syncconf` loads the edited peer list without taking the interface down, so other clients keep their sessions. `sudo systemctl restart wg-quick@wg0` also works but drops every client's connection.

## Speed Limiting

Use `tc` (Traffic Control) to limit bandwidth based on client IP.

The rules must be attached to `wg0`, not to the external interface: after `MASQUERADE`, packets on the external interface carry the server's public address, so filters on `10.0.0.x` would never match there. On `wg0` the picture is simple: traffic leaving the interface is what a client downloads (shaped with HTB, one class per client), and traffic entering it is what a client uploads (policed per client).

1. **Create `set_tc.sh` Script**

```bash
sudo nano /etc/wireguard/set_tc.sh
```

```bash
#!/bin/bash
# Per-client shaping on the WireGuard interface (see note above on why not
# the external interface).
INTERFACE="wg0"
CONF="/etc/wireguard/wg0.conf"

# List client /32 addresses from wg0.conf whose last octet matches the
# extended regex in $1.
client_ips() {
    grep '^AllowedIPs' "$CONF" | awk '{print $3}' | sed 's#/32$##' | grep -E "^10\.0\.0\.($1)$"
}

# Clear existing rules
tc qdisc del dev $INTERFACE root 2>/dev/null
tc qdisc del dev $INTERFACE ingress 2>/dev/null

# Egress (client download): HTB root; peers with no class of their own fall into 1:30
tc qdisc add dev $INTERFACE root handle 1: htb default 30
tc class add dev $INTERFACE parent 1: classid 1:1 htb rate 1000mbit
tc class add dev $INTERFACE parent 1:1 classid 1:30 htb rate 10mbit

# Ingress (client upload): policed per client
tc qdisc add dev $INTERFACE ingress

# $1 = client address, $2 = rate. The class minor id is 0x100 + last octet,
# so it is unique per client and cannot collide with 1:1 or 1:30.
limit_client() {
    local cid
    cid=$(printf '1:%x' $((256 + ${1##*.})))
    tc class add dev $INTERFACE parent 1:1 classid "$cid" htb rate "$2" ceil "$2"
    tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip dst "$1" flowid "$cid"
    tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip src "$1" police rate "$2" burst 256k drop
}

# VIP clients: 10.0.0.2 - 10.0.0.11
for ip in $(client_ips '[2-9]|1[01]'); do limit_client "$ip" 100mbit; done
# Free clients: 10.0.0.12 - 10.0.0.21
for ip in $(client_ips '1[2-9]|2[01]'); do limit_client "$ip" 10mbit; done
```

Note the address regexes: a bracket expression such as `[2-11]` matches a single character, not the numbers 2 to 11, so the ranges are spelled out as alternations.

2. **Make Script Executable**

```bash
sudo chmod +x /etc/wireguard/set_tc.sh
```

3. **Create `systemd` Service**

```bash
sudo nano /etc/systemd/system/wg-tc.service
```

```ini
[Unit]
Description=WireGuard Traffic Control
After=network.target wg-quick@wg0.service
Requires=wg-quick@wg0.service
# Restarting wg-quick@wg0 recreates wg0 and drops its tc rules; PartOf restarts this unit too
PartOf=wg-quick@wg0.service

[Service]
Type=oneshot
ExecStart=/etc/wireguard/set_tc.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

4. **Enable and Start Service**

```bash
sudo systemctl daemon-reload
sudo systemctl enable wg-tc.service
sudo systemctl start wg-tc.service
```

## Security Considerations

Distributing `.conf` files exposes your server's IP address, which can be targeted for DDoS attacks, and each file also carries that client's private key. To mitigate risks:

1. **Use a Firewall**: Ensure only necessary ports are open. Accept loopback, established connections and SSH before the final `DROP`, or the rules will lock you out of the server.

```bash
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo iptables -A INPUT -j DROP
# Persist across reboots (Arch: iptables.service loads this file)
sudo iptables-save | sudo tee /etc/iptables/iptables.rules
sudo systemctl enable iptables.service
```

WireGuard never replies to packets that fail authentication, so port 51820 looks closed to scanners; the remaining exposure is volumetric traffic aimed at the address itself.

2. **Rate Limiting**: fail2ban works from authentication logs and WireGuard produces none, so it does not protect the VPN port; it is still worth enabling for SSH.
3. **Monitor Traffic**: Use monitoring tools to detect unusual activity. `wg show` gives each peer's last handshake time and transfer counters, which is enough to spot a config being used from more places than expected.
4. **Use a Dedicated IP**: If possible, host VPN on a separate IP to isolate traffic.
5. **Treat Client Configs as Secrets**: Hand `.conf` files over a secure channel and delete them from the server once delivered. To revoke a client, remove its `[Peer]` block from `wg0.conf` and reload (or `wg set wg0 peer <client_public_key> remove` for immediate effect); the address then becomes free for a new client.

## Starting WireGuard

1. **Start and Enable WireGuard**

```bash
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
```

## Verification

1. **Check WireGuard Status**

```bash
sudo wg show
```

A connected client shows a recent `latest handshake` and growing `transfer` counters. `tc -s class show dev wg0` lists the per-client classes with byte counters, so you can confirm each client's traffic lands in the class you expect.

2. **Verify Speed Limits**

- Connect clients and use [speedtest.net](https://www.speedtest.net) to ensure VIP clients get up to 100 Mbps and Free clients up to 10 Mbps, provided the server's own uplink allows it.

## Conclusion

You have successfully set up a WireGuard VPN server on Arch Linux with VIP and Free clients, each with distinct bandwidth limits. Follow the security practices above to protect your server from potential threats. For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or the Arch Linux community.
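The Switch Client Type procedure above is easy to get wrong by hand (a duplicate address, a forgotten client `.conf`, a full restart that drops everyone). The script below does the same steps in one go. It is an added example for this guide, not code from the original page: it relies on the `### Client <name>` marker that `add_client.sh` writes above each `[Peer]` block, picks the first unused address in the target block, rewrites the peer's `AllowedIPs`, updates the client's own config and reloads the interface with `wg syncconf` instead of restarting it. The paths `/etc/wireguard/wg0.conf`, `/root/wireguard_clients/<name>.conf` and `/etc/wireguard/set_tc.sh` are assumptions matching this guide's layout.

```shell
#!/bin/bash
# switch_client.sh: move a peer between the VIP (10.0.0.2-11) and Free
# (10.0.0.12-21) address blocks and apply the change without restarting wg0.
# Added example for this guide; relies on the "### Client <name>" marker that
# add_client.sh writes above each [Peer] block.
# Usage: switch_client.sh <VIP|Free> <name> [wg0.conf] [client.conf]

# Print "first last" octets of a client type's address block.
type_range() {
    case $1 in
        VIP)  echo "2 11" ;;
        Free) echo "12 21" ;;
        *)    echo "Type must be VIP or Free" >&2; return 1 ;;
    esac
}

# Print the current address of peer $1 from config $2 (empty if no such peer).
peer_ip() {
    awk -v name="$1" '
        /^### Client / { hit = ($3 == name) }
        hit && /^AllowedIPs/ { sub("/32$", "", $3); print $3; exit }
    ' "$2"
}

# Print the first unassigned address in the block of type $1, using config $2.
next_free_ip() {
    local range first last n
    range=$(type_range "$1") || return 1
    first=${range% *}; last=${range#* }
    n=$first
    while [ "$n" -le "$last" ]; do
        if ! grep -Eq "^AllowedIPs *= *10\.0\.0\.$n/32$" "$2"; then
            echo "10.0.0.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "No free $1 address left in 10.0.0.$first-10.0.0.$last" >&2
    return 1
}

# Rewrite the AllowedIPs line of peer $1 to address $2 in config $3, in place.
set_peer_ip() {
    local tmp
    tmp=$(mktemp) || return 1
    awk -v name="$1" -v ip="$2" '
        /^### Client / { hit = ($3 == name) }
        hit && /^AllowedIPs/ { print "AllowedIPs = " ip "/32"; hit = 0; next }
        { print }
    ' "$3" > "$tmp" && cat "$tmp" > "$3"   # cat keeps the file's mode and owner
    rm -f "$tmp"
}

# Switch peer $2 to type $1 in config $3; print the address it ends up with.
# A peer already in the right block is left alone, so repeating the call is safe.
switch_client() {
    local range first last cur octet ip
    range=$(type_range "$1") || return 1
    first=${range% *}; last=${range#* }
    cur=$(peer_ip "$2" "$3")
    [ -n "$cur" ] || { echo "No peer named $2 in $3" >&2; return 1; }
    octet=${cur##*.}
    if [ "$octet" -ge "$first" ] && [ "$octet" -le "$last" ]; then
        echo "$cur"
        return 0
    fi
    ip=$(next_free_ip "$1" "$3") || return 1
    set_peer_ip "$2" "$ip" "$3" || return 1
    echo "$ip"
}

main() {
    [ $# -ge 2 ] || { echo "Usage: $0 <VIP|Free> <name> [wg0.conf] [client.conf]" >&2; exit 1; }
    conf=${3:-/etc/wireguard/wg0.conf}
    client_conf=${4:-/root/wireguard_clients/$2.conf}   # assumed layout: add_client.sh run via sudo
    ip=$(switch_client "$1" "$2" "$conf") || exit 1
    # The client must use the new address too: the server's AllowedIPs check
    # drops packets from any other source. Update its .conf and redistribute it.
    [ -f "$client_conf" ] && sed -i "s#^Address = .*#Address = $ip/24#" "$client_conf"
    # Reload peers without dropping other clients' sessions, then rebuild the
    # tc rules, which set_tc.sh derives from wg0.conf (assumes the default path).
    tmp=$(mktemp)                        # created mode 0600, so the stripped config stays private
    wg-quick strip wg0 > "$tmp" && wg syncconf wg0 "$tmp"
    rm -f "$tmp"
    /etc/wireguard/set_tc.sh
    echo "$2 is now $1 with address $ip"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root, e.g. `sudo ./switch_client.sh VIP vanya`; the optional third and fourth arguments let you point it at a copy of the config to preview the change before touching the live one. Peers added by hand without a `### Client` marker are reported as unknown rather than guessed at.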