WireGuard installation and configuration - on Linux
- added 4. 07. 2024
- Let me show you how to install and configure a basic VPN connection with WireGuard on a Linux server and client. We will also look at some advanced configuration settings like keep-alive and traffic routing.
DOCS: github.com/xcad2k/videos/tree...
Timestamps:
00:00 Introduction
01:50 Installation on server & client
02:50 Create private and public server keys
04:24 Configure server interface
07:00 Create private and public client keys
07:34 Configure client interface
10:55 Add Client peer to the server configuration
12:03 Configure persistent keep-alive
13:58 Test the connection via ping
14:30 Configure the server to forward network packets
16:05 How to change clients traffic routing
17:10 Summary
I know this is old, but I've been stuck on setting up wireguard forever and this is the only video that worked for me. Never delete this!!
Can I just say, even a little under 3ish years later, this is the best wireguard setup video. Simple, short, straight to the point and still works.
thank you so much :)
Thank you very much. The narration is technical and simple, the details are well explained, the practical demonstration is extremely useful.
Thank you! 😉
Important to also "sudo ufw allow 51820/udp" on server machine otherwise no connection. Awesome tutorial thanks saved me a lot of time
This video deserves more views.
Excellent walkthrough.
Thank you so much! And yes, I agree with you :D
Thank you so much, I was so lost configuring the client and it was so easy following your tutorial. Definitely subscribed!
Glad it helped!
Thank you, for your help. My mini-project at my university is done thanks to you :)
WOW! The video was great. I understood completely the structure of how to configure. Thank you for that. What I didn't see in your video that would apply to my case is: a) If one peer connected to the server can ping or connect to another peer connected to the same server, and b) If the server can ping the client and connect for example through VNC to the client. Thanks!
Thank you so much! :)
2 years later and you're still saving lives! 🥰
Loved this very much! A network pro!
This video has clearly explained what I have researched for a long time. I have made some dollars as well from a client. Thank you, Christian.
Thanks! Glad it helped you 👍
Another great video from you ! Well explained, thank you for this !
Thank you mate! :)
Your guide helped me to finally configure WireGuard without an issue, except I needed to upgrade my Kernel from 5.4.* to 5.7.*, which was not obvious from the beginning. Now I need to teach WG to mimic http/s traffic, because my mobile carrier doesn't like any traffic except http/s. Keep filming more videos, dude.
Thank you! That's pretty interesting, I suppose you needed to change the WG port to 443 or did you need to make any additional changes?
@christianlempa At the very basic, yes. Unfortunately, unlike OpenVPN, WireGuard is not designed to obfuscate traffic and fool DPI, it's a known limitation: www.wireguard.com/known-limitations/. I need some workaround to achieve it, most likely with some third party tool.
It'd be great if you make a video about this topic sometime in the future
@user-yt9he6ud5r thanks for sharing this. I'll have a look into that because that's a topic I'm also interested in a lot!
Thank you! The best installation guide on WG ever..
Christian! Thank you very much for your video! I could set up wireguard between routerOS and Ubuntu only after watching that :)
Thank you!! That ipv4 forward thing was exactly what I needed. Finally I can use WG instead of OpenVPN! :)
Very clear and complete tutorial, thanks.
Glad it was helpful!
I really like your voice, so germanish
Haha thanks man 🇩🇪😎
Even better than the official wireguard tutorial. Thanks a lot, mate!
Thank you soo much.
This helped me a lot.
Keep this good work up!
Thank you! :)
Great explanation, thank you
Be aware that Wireguard is UDP only. This can be a pretty big limitation if you are planning to use this over public networks like hotels, or public hotspots, since UDP can be simply blocked there and you will not be able to connect to your server (e.g. I can't connect to my home PC when I'm on my mobile hotspot, UDP gets blocked somewhere on the way to my router). Setting up wireguard with TCP wrapping is a pain in the butt, and I wish Wireguard devs wouldn't be so stubborn and just supported both TCP and UDP out of the box for the users' convenience (I really don't buy their argument about performance, it is UDP or nothing, and I would agree on lower performance with TCP if the alternative is "nothing").
Fair point! But watch my newest video, that is the solution to this: czcams.com/video/Kzyolu9yn0E/video.html
If it's UDP it means it's possible for packet loss to happen without retransmitting it??
@novianindy887 2 layers of TCP is not really useful and can lead to performance loss. VPNs generally should be UDP except in circumstances when UDP is blocked and you're forced to use TCP.
Who blocks udp? That would break so many applications, like anything that streams video
Saved the day ! Changing "FORWARD -i %i" to "FORWARD -i wg0" solved problem with no LAN and internet access. THANKS !
you're welcome friend :)
This is a great video ... explained perfectly
Thanks 😊
Very quality lesson, keep up the hard work, I'm in :D
Thanks, will do!
Great stuff, thanks a lot
Excellent tutorial, very clear and concise. I went along and it worked perfectly. Did the setup in my Proxmox virtual environment. Now need to experiment further. Thank you!
Thank you so much! :) Keep on experimenting :D
Great video bro, thanks
Great video bro, thanks.
Thanks - an excellent guide.
Thank you for this video. I will try on RHEL8 now.
Nice! You're welcome ;)
Excellent tutorial, thanks
You're welcome
Thank you. Very good Video. It was very helpful
I'm glad it helped 😊
Now all I need is a video explaining how to assign a free public IP on my server to the client that is connecting and I'm golden.
Excellent video!
Thank you very much!
Thank you so much, after watching your video I already tried it with success
Hi Christian, love your tutorials these are very helpful.
I'm wondering, is it going to work if I set up a tunnel like in your video to connect remotely to my PC with Ubuntu from a different network?
The problem is that my router changes the IP, it's not static.
If you have any tip, please share :)
Nice video. Greetings from Peru.
Thank you man!
Whilst setting this up it is worth noting on the server side the iptables mentions "eth0" - however on virtual machines this can be enp0s3 or on new ubuntu servers eno1 - or another number depending on the number of interfaces you have. Hope this saves others time :-)
thanks for highlighting this! 😉
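As an added example (not from the video, its linked docs or the commenters), here is a small Python linter for a wg-quick config that flags the pitfalls raised in this thread: a PostUp/PostDown rule naming an interface such as eth0 that the host does not actually have (enp0s3, eno1, ...), a client peer with an Endpoint but no PersistentKeepalive, a full-tunnel client with no DNS line, and a server FORWARD rule with no MASQUERADE. The host interface list is passed in rather than read from `ip link`, and the configs, hostname and key placeholders are constructed.

```python
# Added example, not the video author's code: lint a wg-quick config for
# the pitfalls discussed in the comments. The host's interface names are
# passed in (instead of reading `ip link`) so this runs offline; the two
# sample configs, the hostname and the key placeholders are constructed.
import re
from typing import Dict, List

IFACE_RE = re.compile(r"(?:-i|-o)\s+(\S+)")  # interface args in iptables hooks


def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Parse wg-quick's INI-like format into [{'_section': name, key: value}]."""
    sections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1]})
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            cur = sections[-1]  # PostUp/PostDown may repeat: keep every line
            cur[key] = cur[key] + "\n" + value if key in cur else value
    return sections


def lint_wg_conf(text: str, host_ifaces: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means no known pitfall."""
    findings: List[str] = []
    sections = parse_wg_conf(text)
    iface = next((s for s in sections if s["_section"] == "Interface"), {})
    peers = [s for s in sections if s["_section"] == "Peer"]
    hooks = "\n".join(iface.get(k, "") for k in ("PreUp", "PostUp", "PreDown", "PostDown"))
    for name in sorted(set(IFACE_RE.findall(hooks))):
        if name != "%i" and name not in host_ifaces:  # %i is wg-quick's own name
            findings.append(f"hook references interface {name!r}, which this host does not have")
    is_server = "ListenPort" in iface
    if is_server and "FORWARD" in hooks and "MASQUERADE" not in hooks:
        findings.append("FORWARD rule without MASQUERADE: forwarded clients get no NAT")
    for p in peers:
        if "Endpoint" in p and "PersistentKeepalive" not in p:
            findings.append("peer with Endpoint but no PersistentKeepalive (drops behind NAT)")
        if "0.0.0.0/0" in p.get("AllowedIPs", "") and not is_server and "DNS" not in iface:
            findings.append("full-tunnel AllowedIPs without a DNS= line in [Interface]")
    return findings


# Constructed server config: the NAT rule names eth0, the classic mismatch.
SAMPLE_SERVER = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
"""

# Constructed full-tunnel client config with no keepalive and no DNS line.
SAMPLE_CLIENT = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""
```

Run `lint_wg_conf(open("/etc/wireguard/wg0.conf").read(), host_ifaces)` with the names from `ip -o link` to check a real config before `wg-quick up`.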
What a nicely put tutorial. Thanks. Subscribed.
Thanks ;)
Big thanks for this tutorial 👍👍👍
Thank you! ☺️
Man you really made my day!
I had been struggling with openvpn for a while...
But with your video i could set up wireguard in no time. Thanks!!!
Thanks man 😊, I'm glad it helped you!
Very well explained. I'm a newbie, wondering how to implement this approach for 2 IPPBX, one in LAN, the other one in the cloud. Server at cloud, same IPPBX? Client at premises? Any hint?
Thanks! It should work well with any Protocol, so give it a try 😁
Please explain if there are differences in configuring the wireguard server on CentOS
excellent.
Thank you very much, this saved me from madness
Glad it helped!
probably one of the best videos on this topic even though wireguard has changed slightly it does take longer than 18 minutes to setup the first time LOL :XD
Thank you so much :D
thanks a lot !
Wow, fantastic, thanks for your effort
So nice of you
"I think, that is not too complicated..."
You know what is not too complicated? My thinking processes. As for THIS...
Anyway, great video, sir! My tunnel works like a Swiss watch now! Subscribed.
Great to hear I could help you and it's working! 😋
very nice tutorial ... TY :)
Glad it was helpful!
Hi, I installed wireguard on 2 servers and the conf file setup is quite simple.
That being said, I cannot ping from master to peer or peer to master using the interface I setup. I used a 10.X.X.X like your example
What should I be looking at on the physical server that may not be configured correctly?
I also shut down the firewall and still the ping failed
Doing this using docker compose, I want that video which will be helpful for docker fans!
I saw you found it already 😊 cheers!
awesome
Thanks!
Good day Christian,
Was thinking if you can consider doing a video on Wireguard Docker Site-to-Site, specifically Home Server to VPS always-on Wireguard Tunnel ?
Many Thanks in advance.
What app did you use to run the servers? Beside the WireGuard
Thank you for such an amazing video! It really made it a lot easier to set things up. However, I have an issue. Everything is working just as it does for you in the video, only I cannot seem to ping either the server or any other IP addresses. I have tried a few things, but cannot figure it out. Do you maybe have any ideas? Thank you in advance!
The handshake works, but not ping
Thank you ☺️, check if you have set up the iptables rules correctly and if you have set up the IP addresses. Hard to tell without checking your config, so if you still have issues, why not join our discord and share your config, that will help a lot 😊
@christianlempa Thank you so much for such a quick response! I will check the iptables rules first and if that does not help, then I will certainly have to join Discord 😁
Great video. Do you know how to bypass certain services as client to the server? Let's say I don't want a port like 54321 routed via Wireguard. :)
Thanks! Well I guess you'd need a more customized IPTables ruleset for that. It's possible, but needs some customization.
Hi, thanks a lot for the video!
Unfortunately I've been banging my head against this since yesterday :)
I have a WireGuard server in a data center on OpenStack Ubuntu that is reachable via a floating IP. At home I have a Mac with which I want to establish a tunnel to the server. The connection seems to come up, the handshake is shown. But I can ping neither the server nor the client (ICMP is allowed in the security group). Apparently nothing arrives on the wg0 server interface. Do you have an idea what else it could be? I don't need to open anything on my Fritzbox since the connection is established, right?
Thanks! Unfortunately I'm not sure about the error. As long as the handshake works, the tunnel should be up. Maybe something with the routing is not correct.
Hey thanks for your videos ! :)
Where can I find the top menu on your Windows where the CPU information is displayed?
It's a rainmeter plugin you can find on my github dotfiles repository
@christianlempa Ok thanks
BIG THANX ❤
You're welcome 😀
Will all of my IPv6 traffic also be routed through this VPN tunnel, or is an IPv6 leak possible in this configuration?
You can also configure IPv6 addresses in the config files.
Ok this was awesome. It all works flawlessly. However I have to wg set after I reboot the box. Is there a way to make this active on reboot, or do I just run script at boot?
Yeah figured it out.. just have to read the docs.
Thanks! Sorry haven't got to the question but glad you found it out :)
Hello, do you happen to have any videos about setting up WireGuard on TrueNAS? Because I really need some step by step guide on how to do that. Please and thank you. :)
very good
Thank you! Cheers!
Ty
Thank you a lot for great tutorial
I watched it and did as you said and was able to run it on my Linux client but no success on Windows
Would you please create another tutorial for Windows clients, and a bit of help about the DNS settings and what we should do to get DNS requests straight from the VPN server
Thanks for the reply :) Yea may be a good idea, let me do a quick video about it soon!
How can I configure the server so it forwards all incoming requests on wg0 to all the connected peers in the same subnet of that interface? That's so I can have communication between every peer within 10.0.0.X
from Syria ,
best require
Thanks for this video, it is really helpful. I learned that the tunnel must be started after each system start. Could you please guide me how to start the tunnel automatically? Thanks!
I'm glad it helps you :) Sure you can simply add the wg0 interface to systemd: sudo systemctl enable --now wg-quick@wg0.service
Could you please help me, I need to set it up on my VPS and Synology NAS so that I might set up a Plex server accessible outside my home network, as my ISP blocks all ports and the IP is dynamic with double NAT
thanks
At 5:53 while you are creating the rules in the /etc/wireguard/wg0.conf file... should the eth0 correspond to anyone's adapter?
For instance, should someone else put enp2s0 there if that is the adapter giving him a connection to the net, or is eth0 the name of the virtual adapter upon which wireguard will run? What if the server's adapter is also set up on eth0?
Shouldn't there be a conflict there?
Also if the client OS is Windows, the client GUI also has an "add a wireguard file" option. Nothing else to generate those keys to put back on the server side... so is this situation viable only when both server and client are using a Linux OS?
PS: PiVPN has a script which makes the process way easier than all this procedure. And the server generates everything. The client only imports the key and connects and that's it.
Thank you
Can I install both the wg server and client on the same machine, or, speaking of one PC connected to the internet via wifi (wlan), must I install the server on a virtual machine and the client on Ubuntu or vice versa? What options do I have?
You can configure a WireGuard interface as client or server and also configure multiple interfaces. There are a lot of options possible, it just comes down to how you configure it and what your environment looks like. Don't know if that's what you've asked for, but I hope that helps 😀
Forgive me, I have tried what you have in this episode, and I have no doubt that you are doing what is correct, it just isn't as easy for me. I am running pclinuxos 2022 MATE, could I trouble you for a link to a step by step guide for this system?
Newby question - Can the same machine that is running the wg server be used as a client?
You can create a second interface that you can use as client, should work
While configuring the interface my server suddenly shut down, then had a weird garbled graphic on reboot. I've tried setting this up already but as soon as I activated the client my terminal to the Ubuntu server suddenly disconnects and I cannot connect to any websites. What am I doing wrong? And now my server PC just shuts down while adding the wg0.config. I obviously cannot install this properly as my PC just shut down again while editing the wg0.conf file.
Thank you very much for the straight forward guide. I really appreciate it and I already signed up for your channel!
Do you have any idea what this error means? I am trying to run Wireguard on a Ubuntu 20.04 Container in Proxmox
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
Thanks 😀, the issue you describe appears if the wireguard kernel modules are not loaded correctly. This usually occurs when the Linux distro you're using doesn't use a newer kernel version where the drivers are already included and it's not able to build the kernel module from the source files (such as might happen on shared VPS servers without direct access to the kernel).
The issue can also occur when there is an outstanding kernel upgrade that hasn't been installed yet. Try to update your packages, reboot your machine and try installing wireguard again. I hope this helps
@christianlempa Many thanks! I think that is it. Looks like Proxmox is currently running under the 5.4.34 kernel. I guess I will try installing Wireguard once they move to 5.6.
Until that day I will try to learn from all your other videos!
Hi there, can you give examples of how I can access the internet via browsers? It gives me "dns probe finished bad config", thx
Thanks for this very helpful video. My WireGuard link came right up. But I do have a small problem, after I shut down the link I notice that my wg0.conf file has the endpoint changed in the file to n.n.n.n ... Is this normal because it defeats the purpose of using a DNS resolver???
Normally all settings get removed after the "wg down" command. And you should be able to change DNS resolver settings in the wg0.conf file. If you have problems with the settings, please share your config on our discord :)
Hi, I am using a MikroTik to MikroTik wireguard tunnel, but when my client-side MikroTik reboots for any reason my tunnels can reconnect automatically, I need to change the public key and resubmit it on the server side to reconnect my tunnel again. Please help me in this regard.
I am also using a change-mss rule in mangle
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
Do you know if you have to download WireGuard kernel modules on raspian (aka raspberry pi OS)????
WireGuard is not included in the Raspbian repo, therefore you should add the Debian sources:
echo "deb deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list
Very powerful, I need a hand. I have a remote camera behind an SNAT with an unreachable IP; I have installed a server on GCP and a client on a Raspberry. From my PC I reach the Raspberry, but I want to make a route to reach the camera subnet directly. How do I make this routing? Many thanks
Is there a way to automate this setup ?
Does this even support layer 2 tunnels like openvpn? I don't think so... Does it support that the traffic cannot even be decrypted later on with the key like ipsec does? I don't think so...
Kudos..
Could you possibly do a video about Wireguard with udp hole punching...
Or recommend a working open source VPN that implements udp hole punching
Thanks for the good suggestion. I just solved this with DNAT rules and Keep-Alive packets, but I'll have a look into this
Excellent tutorial, thanks. The second time I generated a pub/private key for the client and tried to run this command "sudo vim /etc/wireguard/wg0.conf" to be able to write the next configuration, it popped up the old vim file where I wrote things about the server, so that is where I lost track. Help plz.
Np mate! Have you checked out our Discord for help?
I'm having trouble running OpenVPN, so this is a perfect alternative for that..
Hi, great tutorial, now I have access to my router and NAS at home, but I can't get on any website like google.de (ERR_NAME_NOT_RESOLVED) (I know I can change this by changing the 0.0.0.0/0 in the config file of the clients to the IP range I use in my home network), but how do I configure WireGuard so that when I'm in any other network my devices browse with the public IP of my home network, like in other paid VPNs? Do I have to change something with the DNS server? My host runs on Ubuntu.
Thanks man! You may check out my other video about WireGuard in Docker, there I explain it in a bit more detail how to set up a VPN Server that's running on cloud or your home network. czcams.com/video/GZRTnP4lyuo/video.html
Hello, really good video there by the way. You mentioned doing a video on public and private keys but I can't find it anywhere. Have you done one?
Hey, thank you man! :) That's covered in my SSH auth video: czcams.com/video/U_uiVyF6MEs/video.html
@christianlempa Perfect, what's even better about your videos like this one is following your blog so you can literally just copy and paste commands
Thank you! That's great to hear :)
Thanks. I managed to get it to work. I can ping and ssh between peers, but curl from one peer to the other does not return anything. Is it maybe some apache2 configuration?
Puh, that's hard to tell, why not share some details on our discord
@christianlempa Thanks, I'll have a look at the Discord server. I solved the problem though. I had limited the iptables rules to allow only packets from eth0, but I permitted icmp to all interfaces. All packets except for icmp to wg0 were being dropped. Thanks again for the tutorial. Nice work.
Great video bro, thanks
One problem: when I wg-quick up on the client my server freezes, even my webserver doesn't respond on the web, so I must reboot the server. I don't know what's happening
Thanks man. Hm, this sounds strange, I never encountered such an issue, but I believe it must be something related to the WireGuard kernel module. I would guess checking kern.log should reveal something. You can also set the WireGuard kernel module in debug mode and tail the log file. On my blog cheat sheet you can find the command for debug.
Did you solve your problem? I am experiencing exactly the same problem. Luckily it is a virtual machine I am rooting, so I have the opportunity to do a little debug, but there is nothing in kernel.log though. When I start wg then the connection dies, I can not ping the gateway, google or similar.
"ping: google.com: Temporary failure in name resolution"
With "sudo wg show" I can also see it is not connected to my vpn server
As soon as I do a "sudo wg-quick down wg0" the connection comes back.
It must be said I test from a local server to an online server.
Thanks for the wonderful video. I have wireguard up and running. But now when I try to connect, I am getting the error 'handshake did not complete after 5 seconds, retrying'. What can be the reason? Thanks in advance...
Thank you for the kind words 😁. The issue is most likely a network issue, meaning the client is not able to connect to the server or get back packets. Check for common problems like "port forwarding", "routing", "dns issues", etc.
@christianlempa thank you sir for your prompt reply. Will check it out.
For me, this works and packets can be traced but it blocks the internet connection on my client VM (server is physical machine and can access internet fine). How to fix this?
@15:00
Can't I just edit the "ip_forward" file and change the value from 0 to 1?
I have followed your tutorial, but at the end, SSH is not responding...
Hi, I love how simple you made the tutorial to follow, the official WireGuard site on the other hand left me confused. Sadly I can't get this to work for 4G between my phone and PC. I can't find much info on this, do you have any idea how I can get this to work? I also tried using tailscale but the app never allowed my phone (LineageOS) to be the endpoint.
Thank you for the feedback. Well I'm not sure about the problem, can you share some details on our discord? Maybe we can help you
@christianlempa Sure, I'll give it a try :)
Did you ever get this to work? I've been trying to get Wireguard to work over a 4G connection for weeks without success.
@ChefEarthenware Sadly not. I think it has to do with a) finding a way to port forward and b) finding the correct address for your private IP.
I went into Termux (console for Android, I reckon adb would be the same) to figure it out. For "a)", I really couldn't find anything online for this. For "b)", there are multiple transmitters, each with their own private IPs but also like a virtual one that acts as an overall switch (I think, can't remember exactly sry). There are commands to change your private IP also.
I struggled finding anything online for using a phone as an endpoint :(
Hope you have better luck :)
p.s. got zero replies on the discord
@itzsleazy6903 Thanks for the reply.
I've been beginning to think that Wireguard is not able to meet my requirement. I've tried loads of online examples, but none work for me.
The only example I've seen which matches my requirement uses SSH tunnelling, so I think I'll give that a try instead.
What terminal is that at 2:20? I didn't understand
Let's say my house uses double NAT. I installed a Docker wireguard server. Now I want to access my network from the internet. Can I use a wireguard client on my laptop to connect to it? I could do that using SoftEther last time
The wireguard server is listening on a udp port, that means if you have a NAT device in front of your wireguard server, you need to add a port-forwarding. If the client is behind a NAT, that doesn't matter. I hope this helps you.
How did you get the bar with the utilization at the top? It looks so nice.
Thanks :) that's rainmeter
@christianlempa May I ask which skin that is? I'm looking for similar Rainmeter skins but can't find anything.
@bgpengu Sure, you can find the skin in my GitHub: github.com/xcad2k/dotfiles/tree/main/Windows/Rainmeter/Skins/xcad
@christianlempa Did you write this skin yourself?
@bgpengu I edited it from a template, but I'm currently not using it anymore since it always gets covered by windows, and in Windows you can't configure it well so that the space stays free. But if you like it you're of course welcome to use it and maybe edit it further ;)
Good. Also, you can add a PresharedKey to a peer by command