fz0x1/WireGuard-Guide-On_Arch_Linux
1
0
Fork 0
mirror of https://github.com/omgcast/WireGuard-Guide-On_Arch_Linux.git synced 2025-05-12 09:28:31 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
WireGuard-Guide-On_Arch_Linux/README.md
n3kit91 1b37beb68d
Update README.md
2024-11-28 17:55:43 +03:00

7.5 KiB
Raw Blame History

WireGuard Setup Guide for Arch Linux

This guide provides a streamlined, step-by-step process to set up a secure WireGuard VPN on Arch Linux. It ensures proper configuration of public and private keys to avoid common issues related to authentication and traffic routing.

Table of Contents

  1. Prerequisites
  2. Installation
  3. Key Generation
  4. Server Configuration
  5. Client Configuration
  6. Firewall and Routing
  7. Starting WireGuard
  8. Verification
  9. Troubleshooting

Prerequisites

  • Arch Linux installed on both server and client machines.
  • Root or sudo privileges on both machines.
  • Public IP address for the server.

Installation

On Server and Client

  1. Update the system:

    sudo pacman -Syu

  2. Install WireGuard:

    sudo pacman -S wireguard-tools

  3. Install Nano Editor (Optional but Recommended):

    Nano is a user-friendly text editor that simplifies editing configuration files.

    sudo pacman -S nano

Key Generation

On Server

  1. Navigate to WireGuard directory:

    sudo mkdir -p /etc/wireguard
cd /etc/wireguard

  2. Generate server keys:

    umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
    • server_privatekey: Server's private key.
    • server_publickey: Server's public key.

On Client

  1. Generate client keys:

    wg genkey | tee client_privatekey | wg pubkey > client_publickey
    • client_privatekey: Client's private key.
    • client_publickey: Client's public key.

Server Configuration

  1. Create/Edit WireGuard configuration:

    sudo nano /etc/wireguard/wg0.conf

  2. Add the following configuration:

    [Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>

# Enable IP forwarding and NAT
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT

[Peer]
PublicKey = <client_publickey>
AllowedIPs = 10.0.0.2/32
    • Replace <server_privatekey> with the contents of server_privatekey.
    • Replace <external_interface> with your server's external network interface (e.g., ens1, eth0).
    • Replace <client_publickey> with the client's public key.

  3. Save and exit (Ctrl + O, Enter, Ctrl + X).

Client Configuration

  1. Create/Edit WireGuard configuration:

    sudo nano /etc/wireguard/wg0.conf

    On Windows, use the WireGuard application to add a new tunnel and input the configuration.

  2. Add the following configuration:

    [Interface]
PrivateKey = <client_privatekey>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server_publickey>
Endpoint = <server_public_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
    • Replace <client_privatekey> with the contents of client_privatekey.
    • Replace <server_publickey> with the server's public key.
    • Replace <server_public_ip> with your server's public IP address.

  3. Save and exit (Ctrl + O, Enter, Ctrl + X).

Firewall and Routing

On Server

  1. Configure iptables rules:

    sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

  2. Save iptables rules for persistence:

    sudo iptables-save | sudo tee /etc/iptables/iptables.rules
sudo systemctl enable iptables
sudo systemctl start iptables

  3. Enable IP forwarding:

    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

Starting WireGuard

On Server and Client

  1. Start and enable WireGuard:

    sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Verification

  1. Check WireGuard status:

    sudo wg show
    • Ensure wg0 is active with peers listed.

  2. Test Connectivity:

    • Ping Server from Client:

      ping 10.0.0.1

    • Ping External IP from Client:

      ping 8.8.8.8

    • Test DNS Resolution:

      nslookup google.com

    • Access Websites:

      Open a web browser and navigate to any website (e.g., https://www.google.com).

Troubleshooting

  • Incorrect Key Pairing:

    • Ensure the server's [Peer] has the client's public key.
    • Ensure the client's [Peer] has the server's public key.

  • Firewall Rules:

    • Verify iptables rules:

      sudo iptables -L -v
sudo iptables -t nat -L -v

  • IP Forwarding:

    • Confirm IP forwarding is enabled:

      sysctl net.ipv4.ip_forward

      Should return net.ipv4.ip_forward = 1.

  • Logs Review:

    • Check WireGuard logs on the server:

      sudo journalctl -u wg-quick@wg0

  • Port Accessibility:

    • Ensure UDP port 51820 is open and listening:

      sudo ss -ulnp | grep 51820

  • DNS Issues:

    • If DNS resolution fails, try different DNS servers (e.g., 1.1.1.1, 8.8.4.4).

Common Issues and Solutions

Cause: Misconfigured Public Keys

Issue: Client was using the server's private key as the peer's public key, preventing proper authentication.

Solution:

  • Ensure the client's [Peer] PublicKey is set to the server's public key.
  • Ensure the server's [Peer] PublicKey is set to the client's public key.

Cause: Duplicate iptables Rules

Issue: Multiple identical MASQUERADE rules caused routing conflicts.

Solution:

  • Remove duplicate iptables rules and retain only one MASQUERADE rule.

    sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE

Cause: Disabled IP Forwarding

Issue: IP forwarding was not enabled, blocking traffic routing through VPN.

Solution:

  • Enable IP forwarding permanently.

    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

Conclusion

Proper configuration of public and private keys, along with correct firewall and routing settings, is crucial for a functional WireGuard VPN on Arch Linux. By following this guide, you can set up WireGuard securely and efficiently, minimizing potential issues related to authentication and traffic routing.

For further assistance, refer to the WireGuard Documentation or seek help from the Arch Linux community.