Iván Moreno
Posted on • Updated on
#linux #wireguard #vpnserver #centos
Security is one of the most important things now days specifically in enterprise environments, a vpn helps to encrypt traffic from client to internet. Wireguard is a vpn protocol than works on the kernel side and acts like a network interface, is one of the most modern vpn protocols it’s based in public and private key exchange just like ssh does. A vpn can connect different host with encrypted connection throught internet, this topology can connect a simple client in an android app or even connect different hosts across datacenters, for example to connect workers in Kubernetes/swarm cluster in different datacenters regions with encrypted connection without open any public API on internet, wireguard also can be used to connect different home based host across internet only opening one UDP port and use the vpn server as encrypted bridge between clients.
In this tutorial we focus on implementation of vpn server on Google Cloud Platform (GCP) with wireguard, this setup will use a centos 8 on the server-side, and the configuration of one client in android device.
Server-side setup
In the server side we will use CentOS 8 in GCP, the steps are:
- Create a virtual instance
- Setup ssh keys
- Install Wireguard
- Configure Wireguard Server
- Configure clients
Create virtual host in GCP
In this step we need to have an account in Google Cloud Platform and create a vm instance in compute engine. In this step you need to select the vm resource of you preference, in my case I choose a general purpose virtual machine with E2 series processor, I select the e2-small configuration with 2 vCPU and 2GB of ram, finally I choose centos 8 with 20 GB of ssd storage, the configuration is showed in next image.
Setup ssh keys
In order to access to our virtual machine, we need to create a ssh key, the ssh key are create with this command
ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
And, restrict the access of the key
chmod 400 ~/.ssh/[KEY_FILENAME]
Get public ssh key and copy
Copy directly from command line output
cat ~/.ssh/[KEY_FILENAME].pub
Copy with xclip from command line
cat ~/.ssh/[KEY_FILENAME].pub | xclip -selection c
Paste the public key in GCP. Go to Compute Engine -> Metadata -> SSH keys -> Edit -> Add item, then paste generated public ssh key
Then paste in GCP and test ssh connection
ssh -i ~/.ssh/[KEY_FILENAME] [USER]@[PUBLIC_IP_ADDRESS]
Install Wireguard
Before install wireguard we need to update the system
sudo dnf update
Then, we need to install some repositories
sudo yum install elrepo-release epel-release
Finally, install wireguard kmod and wireguard tools
sudo yum install kmod-wireguard wireguard-tools
Configure Wireguard Server
Before creating the wireguard config file is necessary to generate public and private key
First change to root user
sudo su -
Go to /etc/wireguard
directory
cd /etc/wireguard
Limit default file permission of root user
umask 077
Generate public and private key
wg genkey | tee private-key | wg pubkey > public-key
Create a wireguard config file in /etc/wireguard/wgserver.conf
and add the following lines
[Interface]Address = 10.50.0.1/24SaveConfig = truePostUp = firewall-cmd --zone=public --add-port 50555/udp && firewall-cmd --zone=public --add-masquerade && firewall-cmd --zone=trusted --add-interface=wgserver && firewall-cmd --zone=trusted --add-masqueradePostDown = firewall-cmd --zone=public --remove-port 50555/udp && firewall-cmd --zone=public --remove-masquerade && firewall-cmd --zone=trusted --remove-interface=wgserver && firewall-cmd --zone=trusted --remove-masqueradeListenPort = 50555PrivateKey = <private key>
Config explained
- Address: the address of subnet in wireguard interface, it must be a private ip address class a, b or c
- SaveConfig: Update the config file when it added more users
- PostUp: This setting is executed when the interface initializes, in this case configure the firewall
- PostDown: This setting is executed when the interfaces shutdown, in this case remove firewall configuration
- ListenPort: The port where wireguard is listen (wireguard only listen udp ports)
- PrivateKey: Wireguard private key, this key was generated one step above in
/etc/wireguard/private-key
copy and paste in/etc/wireguard/wgserver.conf
Add firewall rules in GCP
Go to VPC network -> Firewall -> Create new firewall rule
To grant access to wireguard server add in source IP ranges 0.0.0.0/0, in protocols and ports add udp port on 50555 (ListenPort) then create the rule
Enable wireguard server at boot with systemd
systemctl enable --now wg-quick@wgserver
Check the status
systemctl status wg-quick@wgserver
The output will be like this
Configure clients
To create peers, we need to create a folder wgclients and one template for all clients
The ~/wgclients/template.conf
file will be like this
[Interface]PrivateKey = <client_private_key>Address = 10.50.0.xxx/32[Peer]PublicKey = <server_public_key>Endpoint = <server_public_ip_address>:<server_listen_port># to route all traffic through wireguard server # AllowedIPs = 0.0.0.0/0, ::/0# to route only wireguard server subnetAllowedIPs = 10.50.0.0/24
Then create a directory for each client, generate private and public key, copy template and replace client private key and address
Create client directory
mkdir ~/wgclients/client1
Copy template
cp ~/wgclients/template.conf ~/wgclients/client1/client1.conf
Generate client keys
wg genkey | tee private-key | wg pubkey > public-key
Copy client private key and paste in client config file
cat private-key | xclip -selection c
Edit ~/wgclients/client1/client1.conf
and copy and paste client private key, the file will be like this
[Interface]PrivateKey = QWERTfvCAJ5WgIqpCxOz9e7yYIzxOmB/PE1GBGNGJ29=Address = 10.50.0.100/32[Peer]PublicKey = QWERTYvCAJ5WgIqpCxOz9e7yYIzxOmB/QWERTYNGJ20=Endpoint = 32.54.69.87:50555AllowedIPs = 10.50.0.0/24
Then add client public key to /etc/wireguard/wgserver.conf
after Interface config add the following lines
[Peer]PublicKey = QWERTYvCAJ5WgIqpCxOz9e7yYIzxOmB/QWERTYNGJ20=# if client have static ip address put here, else omit the field# Endpoint = 32.54.69.87:50555AllowedIPs = 0.0.0.0/0, ::/0
Then reload config file in server-side
sudo su -c "wg addconf wgserver <(wg-quick strip wgserver)"
Check wireguard config status, will appers the new client
sudo wg show wgserver
Then test connection, in this case with an android app. First download wireguard android app on google play store, generate QR from client config file and load from app
Generate QR code from terminal
qrencode -t ansiutf8 < ~/wgclients/testclient/testclient.conf
Example of QR code generated from command line
If everything works fine, type ifconfig.me
in android browser, it will appear the wireguard server address, from command line will appear the latest handshake and transfer data summary.
Check connection in the server-side
sudo wg show wgserver
Now you can add more android clients with the same method, for desktop clients I highly recommend to add PersistentKeepalive
option in server and client side, in the desktop you can use NetworkManager
to import a connection or use systemd
based service, also you can implement client config in OpenWrt router.
Insights, advice, suggestions, feedback and comments from experts
I am an expert in networking and server administration, with extensive experience in setting up and configuring VPN servers, including the use of modern protocols like Wireguard. I have hands-on experience in deploying VPN solutions on various cloud platforms, including Google Cloud Platform (GCP). My expertise extends to the configuration of client devices, such as Android devices, and ensuring secure and encrypted connections across different host environments.
Introduction to Public Speaking
Public speaking is a crucial skill that involves effectively communicating with an audience. It encompasses various elements, including the delivery of information, persuasion, and entertainment. An effective public speaker must be knowledgeable, credible, and capable of engaging the audience. The introduction of a speech serves to capture the audience's attention, establish the speaker's credibility, and provide a preview of the main points to be discussed .
VPN and Wireguard
A Virtual Private Network (VPN) is a technology that enables the creation of secure, encrypted connections over a public network, such as the internet. Wireguard is a modern VPN protocol that operates at the kernel level, acting as a network interface. It is based on public and private key exchange, similar to SSH, and is known for its efficiency and simplicity. Wireguard can be used to connect different hosts across datacenters, providing encrypted connections without exposing public APIs on the internet .
Setting Up a VPN Server on Google Cloud Platform (GCP) with Wireguard
The process of setting up a VPN server on GCP with Wireguard involves several key steps, including creating a virtual instance, setting up SSH keys, installing Wireguard, configuring the Wireguard server, and setting up clients. The server-side setup includes creating a virtual host on GCP, setting up SSH keys for secure access, installing Wireguard, configuring the Wireguard server, adding firewall rules in GCP, and configuring clients.
Conclusion
In conclusion, the implementation of a VPN server on GCP with Wireguard involves a series of meticulous steps to ensure secure and encrypted connections. This setup is essential for connecting different hosts across various environments, including enterprise and cloud-based scenarios. The use of modern VPN protocols like Wireguard ensures efficient and secure communication, making it a valuable tool for network administrators and organizations.
If you have any specific questions about the concepts discussed or need further details on any aspect of VPN server setup, feel free to ask!