
Wireguard tunnel VPN through Linux Armbian / Raspberry, Android, Windows – Klipper around the world

With this VPN tunnel you can also use Klipper (Mainsail, Fluidd, etc.)
from your smartphone over 3G/4G anywhere in the world,
without exposing the web interface, which has no login function, to the internet.

Please, before exposing a WireGuard peer to the internet, install a firewall.
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow 51820/udp

sudo ufw allow 5000 # for WG UI
sudo ufw allow 8123 # For Home Assistant
sudo ufw allow 3000 # For eWelink addon
sudo ufw allow 80 # For HTTP
sudo ufw allow 443 # For HTTPS
sudo ufw route allow in on wg0 out on eth0
sudo ufw route allow in on wg0 out on wlan0
sudo ufw enable
sudo ufw status



If you use UFW + Docker:
sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
sudo ufw-docker install
sudo systemctl restart ufw
Read this too:
https://gist.github.com/kireal/28d6ae53d6c1aab8c00b6f9f127fd7c1

Wireguard requirements and installation

sudo -i
mkdir -m 0700 /etc/wireguard/

If your user is named “pi”
chown -R pi: /etc/wireguard/
sudo apt install wireguard resolvconf
sudo nano /etc/wireguard/wg0.conf

save the empty file (Ctrl+O, Enter, Ctrl+X)
sudo nano /etc/sysctl.conf
remove the # in front of
net.ipv4.ip_forward = 1
save and exit
sudo iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
sudo sysctl -p /etc/sysctl.conf

Wireguard configuration

If you are a beginner, skip to “Fast Configuration” below.
WireGuard has no server or clients, only peers, but to keep this guide simpler
I will call PeerA the Server and PeerB the Client.
You can ignore “# On Client side” below and configure it later with a GUI.

sudo -i
# On SERVER side
wg genkey > private

# On Client side
wg genkey > private
cat private
wg pubkey < private


# On SERVER side (10.0.0.1 will be the IP of your PeerA)
ip link add wg0 type wireguard
ip addr add 10.0.0.1/24 dev wg0
wg set wg0 private-key ./private

ip link set wg0 up
ip addr


# On Client side (10.0.0.2 will be the IP of your Peer B)
ip link add wg0 type wireguard
ip addr add 10.0.0.2/24 dev wg0
wg set wg0 private-key ./private
ip link set wg0 up
ip addr


# On SERVER side
wg

(you can ignore this, you can configure later with GUI)
wg set wg0 peer <PeerB-publickey> allowed-ips 10.0.0.1/24 endpoint 192.168.0.107:51820

# On Client side
wg set wg0 peer <PeerA-publickey> allowed-ips 10.0.0.1/24 endpoint 192.168.0.110:51821

Wireguard tips – Fast Configuration

To edit the config file with your user (example: pi).
sudo chown -R pi: /etc/wireguard/
wg genkey > /etc/wireguard/private
cat /etc/wireguard/private
copy the generated private key; it goes into wg0.conf in place of YOUR_GENERATED_PRIVATEKEY

put a template like the one below into wg0.conf
sudo nano /etc/wireguard/wg0.conf
Add:
[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YOUR_GENERATED_PRIVATEKEY
MTU = 1450

save and close

wg-quick up /etc/wireguard/wg0.conf
wg show
copy the public key; it goes into the [Peer] section of the other peer's configuration file

Stop & Start WG Quick
wg-quick down wg0
wg-quick up wg0
sudo systemctl status wg-quick@wg0

Enable Service
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
wg-quick down wg0
sudo systemctl restart wg-quick@wg0
sudo systemctl status wg-quick@wg0

wg
wg show

Why use wg-quick
The plain wg tool (instead of wg-quick) does not support a config file with Address and MTU specified,
and fails with: Configuration parsing error
# sudo ip link set wg0 down
# sudo ip link set wg0 up

Wireguard example wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 47000
PrivateKey = YOUR_GENERATED_PRIVATEKEY
MTU = 1450

[Peer]
PublicKey = YOUR_PEER_PUBLICKEY
PresharedKey = YOUR_PEER_PRESHAREDKEY
AllowedIPs = 10.0.0.0/24

Note:
AllowedIPs = 10.0.0.0/24 allows the peer with that public key to use any IP in the range 10.0.0.1 to 10.0.0.254
AllowedIPs = 10.0.0.2/32 allows only the IP 10.0.0.2
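A small audit script, added here as an example and not part of the original guide, that checks a wg0.conf for the two pitfalls this page points at: a [Peer] whose AllowedIPs is a whole range instead of a single /32 (see the note above and the AllowedIPs comments in the client example below), and a config file, which holds PrivateKey, that other users can read (the guide creates /etc/wireguard with mode 0700 for the same reason). It assumes POSIX sh plus awk and the Key = Value syntax used in this page's examples.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a WireGuard config
# for (1) peers allowed to use a whole address range instead of one host
# address and (2) a config file readable by group/others.
# Assumes POSIX sh + awk and the "Key = Value" syntax shown on this page.

audit_wg_conf() {
    conf="$1"
    # Part 1: per-peer checks on AllowedIPs and PublicKey.
    awk '
        /^[[:space:]]*\[Peer\]/      { section = "peer"; peer++; next }
        /^[[:space:]]*\[Interface\]/ { section = "iface"; next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        section == "peer" && /^[[:space:]]*PublicKey[[:space:]]*=/ { haskey[peer] = 1 }
        section == "peer" && /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                 # keep only the value
            n = split($0, ips, /[[:space:]]*,[[:space:]]*/) # comma-separated list
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                full = (ip ~ /:/) ? 128 : 32                # host route: /32 or /128
                prefix = (ip ~ /\//) ? substr(ip, index(ip, "/") + 1) : full
                if (prefix + 0 < full)
                    printf "WARN peer %d: AllowedIPs %s is a whole range, a single device should use /%d\n", peer, ip, full
            }
        }
        END {
            for (p = 1; p <= peer; p++)
                if (!haskey[p]) printf "ERROR peer %d: missing PublicKey\n", p
        }
    ' "$conf"
    # Part 2: the file holds the private key, so group/other bits must be clear.
    mode=$(ls -l "$conf" | cut -c5-10)
    [ "$mode" = "------" ] || echo "WARN: $conf is readable by group/others ($mode); chmod 600 it"
}
```

Run it as `audit_wg_conf /etc/wireguard/wg0.conf` after sourcing the file; a clean config prints nothing.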

Wireguard GUI

download the latest release from https://github.com/ngoduykhanh/wireguard-ui/releases/
example:
wget https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.4.0/wireguard-ui-v0.4.0-linux-arm64.tar.gz
gzip -d wireguard-ui-v0.4.0-linux-arm64.tar.gz
tar -xvf wireguard-ui-v0.4.0-linux-arm64.tar
sudo ./wireguard-ui

Open a browser and go to
http://127.0.0.1:5000
Edit the parameters in the panel and at the end “Apply config”.
sudo systemctl restart wg-quick@wg0

Autostart Wireguard UI

sudo cp wireguard-ui /etc/wireguard/wireguard-ui
sudo nano /etc/systemd/system/wireguard-ui.service
ADD:

[Unit]
Description=wireguard-ui
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=5
StartLimitBurst=5

[Service]
ExecStart=/etc/wireguard/wireguard-ui
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable wireguard-ui
sudo systemctl start wireguard-ui
sudo systemctl status wireguard-ui

Examples:

# On SERVER side
# Peer A
[Interface]
PrivateKey = <contents-of-PeerA-privatekey>
Address = 10.0.0.1/24
ListenPort = 51820
MTU = 1450
# Not necessary
# PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#PeerB
[Peer]
PublicKey = <contents-of-PeerB-publickey>
AllowedIPs = 10.0.0.2/32

#PeerC
[Peer]
PublicKey = <contents-of-PeerC-publickey>
AllowedIPs = 10.0.0.3/32


# On Client side
# PeerB
[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-PeerB-privatekey>
DNS = 192.168.0.1,1.1.1.1,8.8.8.8

# PeerA
[Peer]
PublicKey = <contents-of-PeerA-publickey>
Endpoint = server-public-ip:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 15

Guide:
# Endpoint = mySiteIPorName.ddns.net:51820 # In your router you have to
# port-forward the port 51820 to your PeerA local IP, example 192.168.0.2
# If the endpoint is in your local network and not reachable from internet…
# Endpoint = 192.168.0.2:51820
# AllowedIPs = 10.0.0.0/24 (all connections from your device to 10.0.0.1 up to 10.0.0.254 go through WireGuard; this must be the same subnet as the Address of PeerA)
# if you set 0.0.0.0/0, WireGuard routes all traffic through the VPN, so you cannot browse your own network or the internet outside the WireGuard network.

How to reach the entire local network
by local IP from an external device

Example:
Smartphone on 4G with WireGuard IP 10.0.0.2 wants to reach all 192.168.1.x addresses of your local network
WireGuard server: eth0 192.168.1.2, interface wg0 10.0.0.1, port 47000
Router gateway 192.168.1.1
A device on 192.168.1.110

Server wg0.conf

sudo nano /etc/wireguard/add-nat-routing.sh

sudo nano /etc/wireguard/remove-nat-routing.sh


Wireguard on Smartphone

