Wireguard tunnel VPN through Linux Armbian / Raspberry, Android, Windows – Klipper around the world
With this VPN tunnel you can also use Klipper (Mainsail, Fluidd, etc.)
from your smartphone over 3G/4G anywhere in the world,
without exposing to the internet a web page that has no login function.
Please, before exposing a Wireguard peer on the internet, install a firewall. Open only the ports you really use: the UDP port must be the one you set as ListenPort in wg0.conf (51820 here, 47000 in the examples further down). Port 5000 is the Wireguard UI: never open it to the internet, allow it only from your LAN (or from the tunnel). The HTTP/HA/eWelink ports are reachable from outside only if you also port-forward them on your router; with the VPN you only need to forward the Wireguard UDP port.
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow 51820/udp
sudo ufw allow from 192.168.0.0/24 to any port 5000 # for WG UI, LAN only (adapt to your LAN subnet)
sudo ufw allow 8123 # For Home Assistant
sudo ufw allow 3000 # For eWelink addon
sudo ufw allow 80 # For HTTP
sudo ufw allow 443 # For HTTPS
sudo ufw route allow in on wg0 out on eth0
sudo ufw route allow in on wg0 out on wlan0
sudo ufw enable
sudo ufw status
If you use UFW + Docker:
sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
sudo ufw-docker install
sudo systemctl restart ufw
Read this too:
https://gist.github.com/kireal/28d6ae53d6c1aab8c00b6f9f127fd7c1
Wireguard requirements and installation
sudo -i
mkdir -m 0700 /etc/wireguard/
If your user is named “pi” and you want to edit the files without sudo (the private key then becomes readable by that user, so keep that account locked down):
chown -R pi: /etc/wireguard/
sudo apt install wireguard resolvconf
sudo nano /etc/wireguard/wg0.conf
save it empty for now (Ctrl+O, Enter, Ctrl+X)
sudo nano /etc/sysctl.conf
delete the # before
net.ipv4.ip_forward = 1
save and exit
# let peers talk to each other through the server (wg0 to wg0 forwarding)
sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
sudo sysctl -p /etc/sysctl.conf
Wireguard configuration
For newbies, go below to “Fast Configuration”
Wireguard does not have a server and clients, it has peers, but to make this guide easier to follow
I will call PeerA -> Server and PeerB -> Client.
You can ignore “# On Client side” below and configure it later with a GUI.
sudo -i
# On SERVER side
wg genkey > private
# On Client side
wg genkey > private
cat private
wg pubkey < private
# On SERVER side (10.0.0.1 will be the IP of your PeerA)
ip link add wg0 type wireguard
ip addr add 10.0.0.1/24 dev wg0
# listen-port must match the port the client uses as endpoint below; without it wg picks a random port
wg set wg0 private-key ./private listen-port 51821
ip link set wg0 up
ip addr
# On Client side (10.0.0.2 will be the IP of your PeerB)
ip link add wg0 type wireguard
ip addr add 10.0.0.2/24 dev wg0
wg set wg0 private-key ./private listen-port 51820
ip link set wg0 up
ip addr
# On SERVER side (you can ignore this, you can configure it later with the GUI)
# wg alone shows the interface: keys, listening port and peers
wg
# the peer's public key is mandatory: it tells wg which key the allowed-ips belong to.
# On the server give the client a /32, so that this key can only use the address 10.0.0.2
wg set wg0 peer <PeerB-publickey> allowed-ips 10.0.0.2/32 endpoint 192.168.0.107:51820
# On Client side (the whole tunnel subnet is routed to the server)
wg set wg0 peer <PeerA-publickey> allowed-ips 10.0.0.0/24 endpoint 192.168.0.110:51821
Wireguard tips – Fast Configuration
To edit the config file with your user (example: pi). Keep the private key and wg0.conf readable only by their owner (mode 600): wg-quick warns if the file is world-readable.
sudo chown -R pi: /etc/wireguard/
wg genkey > /etc/wireguard/private
cat /etc/wireguard/private
copy YOUR_GENERATED_PRIVATEKEY to put in wg0.conf
copy inside wg0.conf a template like the one below
sudo nano /etc/wireguard/wg0.conf
Add:
[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YOUR_GENERATED_PRIVATEKEY
MTU = 1450
save and close
sudo wg-quick up /etc/wireguard/wg0.conf
sudo wg show
copy the public key shown by wg show; it goes into the [Peer] section of the other peer's configuration file
Stop & Start WG Quick
sudo wg-quick down wg0
sudo wg-quick up wg0
sudo systemctl status wg-quick@wg0
Enable Service (so the tunnel comes up at boot)
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
sudo wg-quick down wg0
sudo systemctl restart wg-quick@wg0
sudo systemctl status wg-quick@wg0
sudo wg show
Why use wg-quick
wg (instead of wg-quick) does not accept a config file with Address, DNS, MTU or PostUp/PostDown in it: those keys belong to wg-quick, and wg setconf / wg syncconf stop on them with
Configuration parsing error
# with plain wg you bring the interface down and up with:
# sudo ip link set wg0 down
# sudo ip link set wg0 up
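To see exactly which keys wg(8) rejects, and to produce a file it accepts, here is an added example (not part of this guide and not wg-quick's own code): a POSIX shell/awk function that removes the wg-quick-only keys. The sample config embedded in it is constructed from the example above; on a real system wg-quick does the same job with `wg-quick strip wg0`.

```shell
#!/bin/sh
# Added example (not from this guide, and not the wg-quick code): remove the
# wg-quick-only keys from a wg0.conf so that wg setconf / wg syncconf accept it.
# wg(8) knows only PrivateKey, ListenPort, FwMark, PublicKey, PresharedKey,
# AllowedIPs, Endpoint and PersistentKeepalive; Address, DNS, MTU, Table,
# SaveConfig and the Pre/Post hooks are wg-quick(8) extensions.
set -eu

# Reads a config on stdin, writes the wg-compatible subset on stdout.
strip_wgquick_keys() {
  awk -F' *= *' '
    /^[[:space:]]*(#|$)/ { next }        # drop comments and blank lines
    /^\[/                { print; next } # keep [Interface] / [Peer] headers
    {
      key = $1; sub(/^[[:space:]]+/, "", key)
      if (key ~ /^(Address|DNS|MTU|Table|SaveConfig|PreUp|PostUp|PreDown|PostDown)$/) next
      print
    }'
}

# Constructed sample: the [Interface] of the example above plus one peer.
sample_conf() {
  cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YOUR_GENERATED_PRIVATEKEY
MTU = 1450
PostUp = /etc/wireguard/add-nat-routing.sh
[Peer]
PublicKey = YOUR_PEER_PUBLICKEY
PresharedKey = YOUR_PEER_PRESHAREDKEY
AllowedIPs = 10.0.0.2/32
EOF
}

# Typical use on a running interface (root, bash for the process substitution);
# the keys dropped above were already applied by wg-quick when it created wg0:
#   wg syncconf wg0 <(strip_wgquick_keys < /etc/wireguard/wg0.conf)
# which is what the wg-quick man page shows as: wg syncconf wg0 <(wg-quick strip wg0)
```

Running `sample_conf | strip_wgquick_keys` leaves seven lines: the two section headers, ListenPort and PrivateKey, and the three peer keys. Pipe the result into wg syncconf rather than wg setconf when the interface is already up: syncconf only applies the differences and does not disturb existing sessions.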
Wireguard example wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YOUR_GENERATED_PRIVATEKEY
MTU = 1450
[Peer]
PublicKey = YOUR_PEER_PUBLICKEY
PresharedKey = YOUR_PEER_PRESHAREDKEY
AllowedIPs = 10.0.0.0/24
Note:
AllowedIPs = 10.0.0.0/24 allows the peer with that PublicKey to use any address in the range 10.0.0.1 to 10.0.0.254 (and routes the whole range to that peer)
AllowedIPs = 10.0.0.2/32 allows only the IP 10.0.0.2
On the server side use one /32 per peer. AllowedIPs is both an inbound filter (packets decrypted with that key must have a source address in the range) and a route (packets to the range are sent to that key), so two peers with overlapping ranges would fight for the same route and one peer could send traffic with another peer's address. PresharedKey is optional: generate it with wg genpsk and put the same value on both peers.
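As an added example (my own script, not from this guide or the WireGuard project), the following POSIX shell script turns the notes above into practice: it writes a server wg0.conf with one /32 [Peer] block per device plus one client file per device, and it lints a server config for AllowedIPs entries wider than /32. Subnet, port, MTU, the DDNS hostname and the device names are assumptions taken from the examples on this page; the keys come from wg genkey / wg pubkey / wg genpsk when the script is run with the generate argument, while the conf-building functions only need the key strings.

```shell
#!/bin/sh
# Added example (not from this guide or the WireGuard project): build a server
# wg0.conf with one /32 [Peer] per device, one client file per device, and lint
# a server config for peers whose AllowedIPs is wider than /32.
# Assumptions: the subnet, port, MTU and endpoint hostname of the examples above.
set -eu

WG_NET=10.0.0                     # tunnel subnet prefix, server is .1
WG_PORT=47000                     # ListenPort on the server
WG_MTU=1450
ENDPOINT=mySiteIPorName.ddns.net  # placeholder DDNS name from the guide

# Prints "private public" using wg(8); only needed for the generate mode.
gen_keypair() {
  priv=$(wg genkey)
  printf '%s %s\n' "$priv" "$(printf '%s\n' "$priv" | wg pubkey)"
}

# One [Peer] block on the server side. /32: this key may use exactly one
# tunnel address. With /24 every peer could claim any address in the subnet.
server_peer_block() { # $1 name, $2 peer public key, $3 preshared key, $4 host index
  printf '# %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s.%s/32\n\n' \
    "$1" "$2" "$3" "$WG_NET" "$4"
}

# $1 server private key, then one "name:pubkey:psk:index" argument per peer.
make_server_conf() {
  srv_priv=$1; shift
  printf '[Interface]\nAddress = %s.1/24\nListenPort = %s\nPrivateKey = %s\nMTU = %s\n\n' \
    "$WG_NET" "$WG_PORT" "$srv_priv" "$WG_MTU"
  for p in "$@"; do
    IFS=: read -r name pub psk idx <<EOF
$p
EOF
    server_peer_block "$name" "$pub" "$psk" "$idx"
  done
}

# $1 client private key, $2 server public key, $3 preshared key, $4 host index.
# AllowedIPs = the tunnel subnet only (split tunnel); use 0.0.0.0/0 for a full tunnel.
make_client_conf() {
  printf '[Interface]\nAddress = %s.%s/32\nPrivateKey = %s\nMTU = %s\n\n' \
    "$WG_NET" "$4" "$1" "$WG_MTU"
  printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s.0/24\nPersistentKeepalive = 25\n' \
    "$2" "$3" "$ENDPOINT" "$WG_PORT" "$WG_NET"
}

# Lint a server config file ($1): every [Peer] AllowedIPs entry must be a /32.
# Returns 1 and lists the offending lines on stderr otherwise.
check_peer_allowed_ips() {
  bad=$(awk '
    /^\[Peer\]/      { inpeer = 1 }
    /^\[Interface\]/ { inpeer = 0 }
    inpeer && /^AllowedIPs/ {
      n = split($0, a, "[=, ]+")
      for (i = 2; i <= n; i++)
        if (a[i] != "" && a[i] !~ /\/32$/) { print; bad++; break }
    }
    END { exit bad ? 1 : 0 }' "$1") || {
    echo "peer AllowedIPs wider than /32 in $1:" >&2
    echo "$bad" >&2
    return 1
  }
}

# Generate mode: sudo ./wg-mkconf.sh generate   (wg-mkconf.sh is an assumed name)
if [ "${1:-}" = generate ]; then
  command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; exit 1; }
  umask 077                     # private keys: owner-readable files only
  srv=$(gen_keypair); srv_priv=${srv% *}; srv_pub=${srv#* }
  peers=""; idx=2
  for name in phone laptop; do  # assumed device names; one host index each
    kp=$(gen_keypair); priv=${kp% *}; pub=${kp#* }; psk=$(wg genpsk)
    make_client_conf "$priv" "$srv_pub" "$psk" "$idx" > "$name.conf"
    peers="$peers $name:$pub:$psk:$idx"; idx=$((idx + 1))
  done
  make_server_conf "$srv_priv" $peers > wg0.conf   # unquoted: one argument per peer
  check_peer_allowed_ips wg0.conf
fi
```

Run it in /etc/wireguard as root; the umask makes every generated file mode 600, and the client .conf files are what you import on the phone or laptop (then delete them from the server). The lint function is worth running on any wg0.conf written by hand or by a GUI before wg-quick up, because a /24 on a peer is accepted silently by WireGuard.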
Wireguard GUI
wget the latest release from here https://github.com/ngoduykhanh/wireguard-ui/releases/
example:
wget https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.4.0/wireguard-ui-v0.4.0-linux-arm64.tar.gz
tar -xzvf wireguard-ui-v0.4.0-linux-arm64.tar.gz
sudo ./wireguard-ui
Open a browser and go to
http://127.0.0.1:5000
Change the default admin credentials at the first login (they can also be set through the WGUI_USERNAME and WGUI_PASSWORD environment variables) and keep the UI reachable from the LAN or the tunnel only: it rewrites /etc/wireguard/wg0.conf, so whoever controls the UI controls the VPN.
Edit the parameters in the panel and at the end click “Apply config”.
sudo systemctl restart wg-quick@wg0
Autostart Wireguard UI
sudo cp wireguard-ui /etc/wireguard/wireguard-ui
sudo nano /etc/systemd/system/wireguard-ui.service
ADD:
[Unit]
Description=wireguard-ui
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=5
StartLimitBurst=5
[Service]
ExecStart=/etc/wireguard/wireguard-ui
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable wireguard-ui
sudo systemctl start wireguard-ui
sudo systemctl status wireguard-ui
Examples:
# On SERVER side
# Peer A
[Interface]
PrivateKey = <contents-of-PeerA-privatekey>
Address = 10.0.0.1/24
ListenPort = 51820
MTU = 1450
# Not necessary for traffic between peers inside the tunnel; needed only if peers must reach
# the LAN or the internet through this server (see “How to connect to the entire local network” below)
# PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# PeerB
[Peer]
PublicKey = <contents-of-PeerB-publickey>
AllowedIPs = 10.0.0.2/32
# PeerC
[Peer]
PublicKey = <contents-of-PeerC-publickey>
AllowedIPs = 10.0.0.3/32
# On Client side
# PeerB
[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-PeerB-privatekey>
DNS = 192.168.0.1,1.1.1.1,8.8.8.8
# PeerA
[Peer]
PublicKey = <contents-of-PeerA-publickey>
Endpoint = server-public-ip:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 15
Guide:
# Endpoint = mySiteIPorName.ddns.net:51820 # In your router you have to
# port-forward UDP port 51820 to your PeerA local IP, example 192.168.0.2
# If the endpoint is in your local network and not reachable from the internet:
# Endpoint = 192.168.0.2:51820
# AllowedIPs = 10.0.0.0/24 (only the connections of your device to 10.0.0.1-10.0.0.254 go through Wireguard;
# it must be the tunnel subnet of the server, otherwise the server's tunnel address 10.0.0.1 is not reachable)
# if you set 0.0.0.0/0, Wireguard routes all traffic through the VPN: internet included goes through PeerA
# (which then needs the NAT rules of the section below), and your device's own local network is no longer reachable directly.
How to connect to the entire local network
using local IPs from an external device
Example:
Smartphone on 4G, Wireguard IP 10.0.0.2, wants to connect to all 192.168.1.x IPs of your local network
Server Wireguard: eth0 192.168.1.2 and interface wg0 10.0.0.1, port 47000
Router gateway 192.168.1.1
A device on 192.168.1.110
Server wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YourPrivKey
MTU = 1450
PostUp = /etc/wireguard/add-nat-routing.sh
PostDown = /etc/wireguard/remove-nat-routing.sh
# Smartphone
[Peer]
PublicKey = YourPubKey
AllowedIPs = 10.0.0.2/32
sudo nano /etc/wireguard/add-nat-routing.sh
#!/bin/sh
# NAT the tunnel behind the server's LAN address, so 192.168.1.x devices answer without knowing 10.0.0.0/24
iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i wg0 -j ACCEPT
# iptables -I INPUT 1 -i eth0 -j ACCEPT  # do NOT use: inserted at position 1 it accepts everything from eth0 ahead of the UFW chains; the --dport 47000 rule below is all Wireguard needs
iptables -I FORWARD 1 -i eth0 -o wg0 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 47000 -j ACCEPT
sudo nano /etc/wireguard/remove-nat-routing.sh
#!/bin/sh
# mirror of add-nat-routing.sh: every rule inserted above is deleted here
iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -D INPUT -i wg0 -j ACCEPT
iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 47000 -j ACCEPT
Both scripts must be executable (sudo chmod 700 /etc/wireguard/*.sh), otherwise wg-quick up fails on PostUp. Check the result with sudo iptables -S and sudo iptables -t nat -S, and after wg-quick down verify that the rules are gone.
Wireguard on Smartphone
Interface address: 10.0.0.2/32 (it must be the address listed in this peer's AllowedIPs on the server, 10.0.0.2/32 in the example above)
DNS servers: 8.8.8.8, 10.0.0.1, 192.168.1.1 (10.0.0.1 only answers if you run a resolver on the server; 192.168.1.1 is the router, reachable thanks to the LAN route below)
Peer: the server's PublicKey
Allowed IPs: 10.0.0.0/24, 192.168.1.0/24
Endpoint: YourPublicIP.ddns.net:47000 (the server's ListenPort, port-forwarded as UDP on the router)