Introduction:
The goal of this guide is to set up a Wireguard server on the host to allow remote access to the network the server lives on (a point-to-site connection).
There are many ways to set up remote encrypted VPN access to the server. The easiest is to use the openmediavault-wireguard plugin, which does exactly the same as this howto. You can also do it via a docker stack, as described in [How-To] Install Wireguard (VPN) in docker, server mode. If you are a beginner user you probably should not continue reading; it is easier to follow the other routes. Everything in this guide is done from the command line and the explanations are not extensive.
But if for some reason you prefer to do it directly on the host, for example to avoid container updates, or because you need to customize your wireguard configuration, you can follow this guide.
Update (June 2023): The openmediavault-wireguard plugin now allows custom configurations. So installing wireguard on the host would only make sense if there is a problem installing this plugin.
Initial parameters:
This guide will use the following parameters, you can change them at your convenience:
- Network interface: wg0
- Access port: 51280 (remember to open this port on the router and direct it to the server)
- Network created by the tunnel: 10.15.15.0/24
- Domain: mydomain.com (you need a domain pointing to your server, you can set one up for free at duckdns.org)
- Existing network interface: enp2s0 (check which one is yours in WebUI and change this value)
Initial setup:
- Install Wireguard and qrencode (to generate configuration QR on the client)
apt install wireguard
apt install qrencode
- Create key tree and generate server keys.
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
wg genkey | tee server.key | wg pubkey > server.pub
- To see the keys and copy them somewhere
cat server.key
cat server.pub
Configuring clients on the server:
- Create the client folder and generate the keys (private key, public key and preshared key). Note that the preshared key is generated with a separate command; it must not be chained after the redirect that writes the public key.
mkdir -p /etc/wireguard/keys/client1
cd /etc/wireguard/keys/client1
wg genkey | tee client1.key | wg pubkey > client1.pub
wg genpsk > client1.psk
- View the keys and copy them somewhere
cat client1.key
cat client1.pub
cat client1.psk
- Create client1 configuration file
nano client1.conf
- Copy in the following:
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client1.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.2/32
[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280
Save and exit.
- Generate file with client configuration QR code.
qrencode -t png -o client1-qr.png -r client1.conf
- If you want to see the code on screen
qrencode -t ansiutf8 < client1.conf
At this point you have generated the configuration files for a client. If you need another client, repeat the process in the client2 folder; in the configuration file increase the client's IP address by one (Address = 10.15.15.3/32), and the rest is the same, with the corresponding keys. For client 2 it would be:
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_client2.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.3/32
[Peer]
PublicKey = XXXXXXXXXX_VALUE_OF_server.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = mydomain.com:51280
You can create as many clients as you need.
Server configuration:
- Create server configuration file
cd /etc/wireguard
nano wg0.conf
- Copy in the following, remembering to adjust the values of enp2s0 and the subnet to the real ones. The PostDown rules must match the PostUp rules exactly (same -s, -i and -o arguments), otherwise iptables -D will not find them and the rules stay behind after the interface goes down:
[Interface]
PrivateKey = XXXXXXXXXX_VALUE_OF_server.key_XXXXXXXXXX
ListenPort = 51280
Address = 10.15.15.1/32
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -A FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i enp2s0 -o %i -j ACCEPT; iptables -D FORWARD -i %i -o enp2s0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.15.15.0/24 -o enp2s0 -j MASQUERADE
[Peer]
#client1
PublicKey = XXXXXXXXXX_VALUE_OF_client1.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client1.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.2/32
[Peer]
#client2
PublicKey = XXXXXXXXXX_VALUE_OF_client2.pub_XXXXXXXXXX
PresharedKey = XXXXXXXXXX_VALUE_OF_client2.psk_XXXXXXXXXX
AllowedIPs = 10.15.15.3/32
#If more clients have been configured, continue below
#[Peer]
#client3
#...
Save and exit
- Change permissions of all wireguard keys and configuration files
chmod -R 600 /etc/wireguard
- Configure the service
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service
At this moment you already have the service configured and working, you only have to configure a client to access the network.
Configuring a client on a smartphone (Android/iOS) or PC (Ubuntu/Mac/Windows):
- Connection with a Smartphone (Android/iOS)
Install the Wireguard app on your smartphone, open it and set up a connection from a QR code. Copy the /etc/wireguard/keys/client1/client1-qr.png file that you generated earlier to your desktop and open it. Scan the image with your smartphone. You now have the connection configured.
- Connection with a PC (Ubuntu 22.10)
Ubuntu does not yet have Wireguard integrated into its GUI. If you've gotten this far it's easy to set up the client. You just have to repeat some of the steps above:
- Install wireguard
sudo apt update
sudo apt install wireguard
- Copy the file you generated for the client to /etc/wireguard
- Edit the client file and enable routing in the kernel by adding another line in the [Interface] section
PreUp = sysctl -w net.ipv4.ip_forward=1
- Enable the service
sudo systemctl enable wg-quick@wg0.service
- You will have to start and stop it manually.
sudo systemctl start wg-quick@wg0.service
sudo systemctl stop wg-quick@wg0.service
- Connection with a PC (Mac/Windows)
Copy the /etc/wireguard/keys/client1/client1.conf file that you generated previously to your PC's desktop. Install the Wireguard application on your PC. Click on add tunnel, then import tunnel from file, and select client1.conf from your desktop (or client2.conf if you already used client 1 on your smartphone). You now have the connection configured.
Add a client if the service is already running:
If you need to add a client later, while the service is already running, do the following:
- Generate keys and configuration of the new client as explained above.
- Stop the service and edit the server configuration file
systemctl stop wg-quick@wg0.service
nano /etc/wireguard/wg0.conf
- Add the [Peer] section of the new client at the end, remembering to increase the IP address by one. Save and exit.
- Start the service again.
systemctl start wg-quick@wg0.service
You can now configure the connection in your new client.
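The client-creation steps above and this add-a-client procedure are the same work for every client, so here is an added example script (mine, not from the original post) that does them in one go: it derives the next free address from the AllowedIPs already present in wg0.conf, writes the keys, the client .conf and the QR code, and appends the matching [Peer] stanza. It assumes the guide's paths and values (/etc/wireguard, 10.15.15.0/24, mydomain.com:51280); WG_DIR is a variable added here so the helpers can be tried on a scratch copy, and the final wg syncconf step (idiom from the wg-quick man page) loads the new peer without the stop/start the guide uses.

```shell
#!/bin/bash
# Added example (not from the original post): create client N and register it on
# the server. Assumes the guide's layout: /etc/wireguard/wg0.conf, keys under
# /etc/wireguard/keys/, subnet 10.15.15.0/24, endpoint mydomain.com:51280.
# WG_DIR is a hypothetical override so the helpers can be tried on a scratch copy.
WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_NET="10.15.15"
ENDPOINT="mydomain.com:51280"

# Next free host octet: highest "AllowedIPs = 10.15.15.N/32" in wg0.conf plus one.
# .1 is the server, so the first client gets .2 when no peer exists yet.
next_client_octet() {
  last=$(sed -n "s#^AllowedIPs = $WG_NET\.\([0-9]*\)/32#\1#p" "$1" | sort -n | tail -1)
  echo $(( ${last:-1} + 1 ))
}

# Client-side config. $1 name, $2 host octet, $3 client private key,
# $4 server public key, $5 preshared key. No ListenPort: a client picks a random one.
render_client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/32\n\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' \
    "$3" "$WG_NET" "$2" "$4" "$5" "$ENDPOINT"
}

# Server-side [Peer] stanza for the same client. $1 name, $2 octet, $3 client public key, $4 psk.
render_peer_stanza() {
  printf '\n[Peer]\n#%s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s.%s/32\n' \
    "$1" "$3" "$4" "$WG_NET" "$2"
}

add_client() {
  name="$1"; dir="$WG_DIR/keys/$name"
  umask 077                      # key files are private from the moment they are written
  mkdir -p "$dir" && cd "$dir" || return 1
  wg genkey | tee "$name.key" | wg pubkey > "$name.pub"
  wg genpsk > "$name.psk"        # separate command, never chained after the redirect above
  octet=$(next_client_octet "$WG_DIR/wg0.conf")
  render_client_conf "$name" "$octet" "$(cat "$name.key")" \
    "$(cat "$WG_DIR/keys/server.pub")" "$(cat "$name.psk")" > "$name.conf"
  render_peer_stanza "$name" "$octet" "$(cat "$name.pub")" "$(cat "$name.psk")" >> "$WG_DIR/wg0.conf"
  qrencode -t png -o "$name-qr.png" -r "$name.conf"
  # If wg0 is already up, load the new peer live instead of stopping the service (wg-quick(8) idiom).
  if wg show wg0 >/dev/null 2>&1; then wg syncconf wg0 <(wg-quick strip wg0); fi
  echo "$name -> $WG_NET.$octet/32, config in $dir/$name.conf"
}

# Only act when invoked with a client name and the wireguard tools are installed.
if [ $# -ge 1 ] && command -v wg >/dev/null 2>&1; then add_client "$1"; fi
```

Run it as root with the client name as the only argument, e.g. client3, and hand the generated .conf or QR code to the client as in the sections above.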
I hope it is useful!!