Portal:VPN/Installation and configuration of WireGuard
Introduction
A VPN (Virtual Private Network) extends your local private network (at home or in your office) with another private network across a public one. The traffic between the systems in the two networks travels over the internet, but it is encrypted and authenticated: an eavesdropper can see that the two endpoints are talking and how much, but cannot read or alter what they say.
In its simplest form it gives your desktop, laptop, tablet or smartphone (a one-node network) access from anywhere to the network at home or in your office. In this case WireGuard gives you a virtual network interface into the remote network: your device appears to the remote network as if it were a local device there.
Configuration of WireGuard and Firewalld on both ends determines which systems locally and elsewhere are accessible.
- Example 1: All your traffic to the remote network and, if so configured, to the Internet goes through the tunnel to the WireGuard server in the remote network. The only traffic on your local network connection is the encrypted tunnel traffic. Even DNS lookups of server names are not visible on the local network, provided the client is configured to use a DNS server that is reached through the tunnel (the DNS = setting in wg0.conf); otherwise the names you look up still leak to the local resolver.
- Example 2: Only traffic to the remote network goes through the encrypted tunnel to the WireGuard server in that network. Traffic to the Internet goes through the local network. In this case you trust the local network.
Extensive information on WireGuard can be found on the website of WireGuard.
WireGuard itself (the kernel module plus the wg and wg-quick tools) does not need a packet filter to build the tunnel. A server that forwards the clients' traffic into its LAN or on to the Internet does, however, need IP forwarding enabled, the listening UDP port opened and usually NAT (masquerading), and those rules are implemented in iptables or nftables. Firewalld manages either of these for you, and most likely you already use it to protect your systems. In this wiki page we only use Firewalld in combination with WireGuard. The website of WireGuard has a page dedicated to this combination; it is more general, while here we focus on use in openSUSE.
Installation
On openSUSE you can use YaST to install WireGuard and Firewalld, but the configuration has to be done in a terminal, so do the installation in the terminal as well. Almost all of the configuration has to be done as root, so work as root in a terminal:
zypper install wireguard-tools firewalld
Configuration
On the server
Generate a private key and derive its public key. Run this with a restrictive umask (umask 077) so that the file holding the private key is readable by root only; the private key is copied into /etc/wireguard/wg0.conf later and must never leave the server:
wg genkey | tee serverprivatekey | wg pubkey > serverpublickey
Copy the file clientpublickey, generated on the client, to the server. The following bash script then writes /etc/wireguard/wg0.conf. The server takes the first address of the tunnel network, 10.0.0.1/24, and each client is listed as a [Peer] whose AllowedIPs is that client's own tunnel address (10.0.0.2/32 for the client configured below). WireGuard only accepts packets from a peer whose source address lies inside that peer's AllowedIPs, and a /24 here would assign the whole tunnel network to this single client, which breaks as soon as a second client is added. The file contains the private key, so the script sets umask 077 before writing it:
#!/bin/bash
umask 077
cat <<EOF > /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $(cat serverprivatekey)

[Peer]
PublicKey = $(cat clientpublickey)
AllowedIPs = 10.0.0.2/32
EOF
On the client
Generate a private key and derive its public key, again with umask 077 so that the private key file is readable by root only. Only the public key is copied to the server:
wg genkey | tee clientprivatekey | wg pubkey > clientpublickey
Copy the file serverpublickey to the client.
Generate the file /etc/wireguard/wg0.conf with the following bash script. Replace <IP_address_of_server> with the public IP address or DNS name of the server. A client does not need a ListenPort: it initiates the connection and wg picks a random source port. Endpoint tells WireGuard where to send the first packet; after that each side learns the other's current address from the authenticated packets it receives, which is why a client behind NAT or on a changing address keeps working.
#!/bin/bash
serverip=<IP_address_of_server>
umask 077
cat <<EOF > /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/32
PrivateKey = $(cat clientprivatekey)

[Peer]
PublicKey = $(cat serverpublickey)
Endpoint = ${serverip}:51820
AllowedIPs = 0.0.0.0/0
EOF
AllowedIPs does two things on the client. Inside WireGuard it is the cryptokey routing table: a packet is only sent to this peer if its destination lies inside AllowedIPs, and a decrypted packet from this peer is only accepted if its source lies inside it. In addition wg-quick turns it into kernel routes, so it also decides which packets enter the tunnel at all. With 0.0.0.0/0 every IPv4 packet generated on the client is sent through the tunnel to the server, except traffic to 127.0.0.1 and to the addresses of its other network interfaces, and except the encrypted packets to the server endpoint itself, which wg-quick keeps out of the tunnel with a packet mark and a policy routing rule. This covers Example 1. For the server to pass that traffic on it must have IP forwarding enabled and, for traffic to the Internet, masquerade the tunnel addresses on its uplink.
Assuming that the IP address range at the server side is 192.168.10.0/24, replacing 0.0.0.0/0 with that value means that only packets with a destination in that range are sent to the server; everything else leaves through the normal network connection as before, so only the remote network is reachable through the tunnel. This covers Example 2. Note that with this setting the server's own tunnel address 10.0.0.1 is no longer covered; if you want to ping it for testing, list it as well (AllowedIPs = 10.0.0.1/32, 192.168.10.0/24). In both cases the hosts in 192.168.10.0/24 must either have a route to 10.0.0.0/24 via the server or the server must masquerade the tunnel traffic towards its LAN too.
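The whole procedure above, server side and client side, as one script: this is an added example and not code from the original page or from the WireGuard project. It renders the server configuration and either client configuration (the full-tunnel setting of Example 1 or the split setting of Example 2), checks that the keys have the shape wg genkey and wg pubkey produce, writes the file readable by root only, and on the server applies the firewalld and forwarding settings that Example 1 needs. The tunnel addresses, the LAN range 192.168.10.0/24 and UDP port 51820 are the page's; the DNS server 10.0.0.1 (assumed to be a resolver on the server that is reached through the tunnel), the firewalld zone names public (uplink) and internal (wg0), the file names and the script name wg-setup.sh are assumptions you should adapt.

```bash
#!/bin/bash
# Added example (not from the original page or the WireGuard project).
# Builds /etc/wireguard/wg0.conf for the server or the client and, on the
# server, opens the firewall for Example 1. Assumptions: a DNS resolver on the
# server's tunnel address 10.0.0.1, firewalld zones "public" (uplink) and
# "internal" (wg0), key files in the current directory.
set -eu

# A WireGuard key is 32 random bytes in base64: 44 characters, and because
# 32 bytes leave 4 zero padding bits the 43rd character can only be A, Q, g or w.
valid_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AQgw]=$'
}

# Server: one [Peer] per client; AllowedIPs is that client's own /32 only,
# since it is also the list of source addresses accepted from that peer.
render_server_conf() {  # server_private_key client_public_key
    valid_wg_key "$1" && valid_wg_key "$2" || { echo "malformed key" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = 10.0.0.2/32
EOF
}

# Client: mode "full" (Example 1) routes all traffic and name lookups through
# the tunnel; mode "split" (Example 2) routes only the remote LAN plus the
# server's tunnel address, so that 10.0.0.1 stays reachable for testing.
render_client_conf() {  # client_private_key server_public_key server_ip mode
    valid_wg_key "$1" && valid_wg_key "$2" || { echo "malformed key" >&2; return 1; }
    case "$4" in
        full)  allowed='0.0.0.0/0' ;;
        split) allowed='10.0.0.1/32, 192.168.10.0/24' ;;
        *)     echo "mode must be full or split" >&2; return 1 ;;
    esac
    printf '[Interface]\nAddress = 10.0.0.2/32\nPrivateKey = %s\n' "$1"
    if [ "$4" = full ]; then
        printf 'DNS = 10.0.0.1\n'   # assumed resolver behind the tunnel
    fi
    printf '\n[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$2" "$3"
    # Keepalive holds the NAT mapping open for a client behind NAT.
    printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$allowed"
}

# The file holds a private key: create it readable by root only.
write_conf() {  # path; configuration text on stdin
    ( umask 077; cat > "$1" )
}

# Server only. Forwarding plus masquerading on the uplink zone is what lets
# the client's 10.0.0.2 reach the LAN and the Internet in Example 1.
apply_server_firewalld() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-wireguard.conf
    sysctl --system >/dev/null
    firewall-cmd --permanent --zone=public --add-port=51820/udp
    firewall-cmd --permanent --zone=internal --add-interface=wg0
    firewall-cmd --permanent --zone=public --add-masquerade
    firewall-cmd --reload
    systemctl enable --now wg-quick@wg0
}

case "${1:-}" in
    server)  # usage: ./wg-setup.sh server
        render_server_conf "$(cat serverprivatekey)" "$(cat clientpublickey)" \
            | write_conf /etc/wireguard/wg0.conf
        apply_server_firewalld ;;
    client)  # usage: ./wg-setup.sh client <server_ip> [full|split]
        render_client_conf "$(cat clientprivatekey)" "$(cat serverpublickey)" \
            "$2" "${3:-full}" | write_conf /etc/wireguard/wg0.conf ;;
esac
```

Run ./wg-setup.sh server on the server after copying clientpublickey there, and ./wg-setup.sh client <server_ip> full (or split) on the client, then wg-quick up wg0 on the client and wg show on either side to confirm a handshake. If the handshake succeeds but LAN hosts do not answer, either they need a route to 10.0.0.0/24 via the server or the masquerade must also cover the zone of the LAN-facing interface; on firewalld 1.0 and later additionally check firewall-cmd --get-policies, since forwarding between zones is governed by policies there.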