Configure WireGuard VPNs with NetworkManager - Fedora Magazine (2024)

Virtual Private Networks (VPNs) are used extensively. Nowadays there are different solutions available which allow users access to any kind of resource while maintaining their confidentiality and privacy.

Lately, one of the most commonly used VPN protocols is WireGuard because of its simplicity, speed and the security it offers. WireGuard’s implementation started in the Linux kernel but it is now available on other platforms such as iOS and Android, among others.

WireGuard uses UDP as its transport protocol and bases the communication between peers on Cryptokey Routing (CKR). Each peer, either server or client, has a pair of keys (public and private), and each peer's public key is linked to the IP addresses it is allowed to communicate with. For further information about WireGuard please visit its page.

This article describes how to set up WireGuard between two peers: PeerA and PeerB. Both nodes are running Fedora Linux and both are using NetworkManager for a persistent configuration.

WireGuard set up and networking configuration

You are only three steps away from having a persistent VPN connection between PeerA and PeerB:

  1. Install the required packages.
  2. Generate key pairs.
  3. Configure the WireGuard interfaces.

Installation

Install the wireguard-tools package on both peers (PeerA and PeerB):

$ sudo -i
# dnf -y install wireguard-tools

This package is available in the Fedora Linux updates repository. It creates a configuration directory at /etc/wireguard/. This is where you will create the keys and the interface configuration file.

Generate the key pairs

Next, use the wg utility to generate both public and private keys on each node:

# cd /etc/wireguard
# wg genkey | tee privatekey | wg pubkey > publickey

Configure the WireGuard interface on PeerA

WireGuard interfaces use the names: wg0, wg1 and so on. Create the configuration for the WireGuard interface. For this, you need the following items:

  • The IP address and MASK you want to configure in the PeerA node.
  • The UDP port where this peer listens.
  • PeerA’s private key.

# cat << EOF > /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.1.254/24
SaveConfig = true
ListenPort = 60001
PrivateKey = mAoO2RxlqRvCZZoHhUDiW3+zAazcZoELrYbgl+TpPEc=
[Peer]
PublicKey = IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
AllowedIPs = 172.16.1.2/32
EOF
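
Both the privatekey file and wg0.conf now hold the private key, and files created under a typical umask of 022 end up readable by every local user. The following check is an added example, not part of the original article; the function names are hypothetical and it assumes key-bearing files are either named privatekey or contain a PrivateKey line.

```python
import stat
from pathlib import Path


def holds_private_key(path):
    """True for a raw key file named 'privatekey' or a config with a PrivateKey line."""
    if path.name == "privatekey":
        return True
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    # WireGuard config keys are matched case-insensitively.
    return any(line.strip().lower().startswith("privatekey")
               for line in text.splitlines())


def audit_wireguard_dir(directory):
    """Return [(path, octal mode)] for key-bearing files group or others can access."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or not holds_private_key(path):
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit is set
            findings.append((str(path), oct(mode)))
    return findings


if __name__ == "__main__":
    import sys
    # Default target is the directory used in this article; run as root.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/wireguard"
    try:
        for path, mode in audit_wireguard_dir(target):
            print(f"{path}: mode {mode}, expected 0o600 or stricter")
    except OSError as exc:
        print(f"cannot read {target}: {exc}")
```

Any file it reports can be tightened with chmod 600; setting umask 077 before generating keys avoids the problem in the first place.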

Allow UDP traffic through the port on which this peer will listen:

# firewall-cmd --add-port=60001/udp --permanent --zone=public
# firewall-cmd --reload
success

Finally, import the interface profile into NetworkManager. As a result, the WireGuard interface will persist after reboots.

# nmcli con import type wireguard file /etc/wireguard/wg0.conf
Connection 'wg0' (21d939af-9e55-4df2-bacf-a13a4a488377) successfully added.

Verify the status of device wg0:

# wg
interface: wg0
  public key: FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
  private key: (hidden)
  listening port: 60001
peer: IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
  allowed ips: 172.16.1.2/32
# nmcli -p device show wg0
===============================================================================
Device details (wg0)
===============================================================================
GENERAL.DEVICE: wg0
-------------------------------------------------------------------------------
GENERAL.TYPE: wireguard
-------------------------------------------------------------------------------
GENERAL.HWADDR: (unknown)
-------------------------------------------------------------------------------
GENERAL.MTU: 1420
-------------------------------------------------------------------------------
GENERAL.STATE: 100 (connected)
-------------------------------------------------------------------------------
GENERAL.CONNECTION: wg0
-------------------------------------------------------------------------------
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveC>
-------------------------------------------------------------------------------
IP4.ADDRESS[1]: 172.16.1.254/24
IP4.GATEWAY: --
IP4.ROUTE[1]: dst = 172.16.1.0/24, nh = 0.0.0.0, mt =>
-------------------------------------------------------------------------------
IP6.GATEWAY: --
-------------------------------------------------------------------------------

The above output shows that interface wg0 is connected. It is now able to communicate with one peer whose VPN IP address is 172.16.1.2.

Configure the WireGuard interface in PeerB

It is time to create the configuration file for the wg0 interface on the second peer. Make sure you have the following:

  • The IP address and MASK to set on PeerB.
  • PeerB’s private key.
  • PeerA’s public key.
  • PeerA’s IP address or hostname and the UDP port on which it is listening for WireGuard traffic.

# cat << EOF > /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.1.2
SaveConfig = true
PrivateKey = UBiF85o7937fBK84c2qLFQwEr6eDhLSJsb5SAq1lF3c=
[Peer]
PublicKey = FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
AllowedIPs = 172.16.1.254/32
Endpoint = peera.example.com:60001
EOF

The last step is about importing the interface profile into NetworkManager. As I mentioned before, this allows the WireGuard interface to have a persistent configuration after reboots.

# nmcli con import type wireguard file /etc/wireguard/wg0.conf
Connection 'wg0' (39bdaba7-8d91-4334-bc8f-85fa978777d8) successfully added.

Verify the status of device wg0:

# wg
interface: wg0
  public key: IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=
  private key: (hidden)
  listening port: 47749
peer: FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=
  endpoint: 192.168.124.230:60001
  allowed ips: 172.16.1.254/32
# nmcli -p device show wg0
===============================================================================
Device details (wg0)
===============================================================================
GENERAL.DEVICE: wg0
-------------------------------------------------------------------------------
GENERAL.TYPE: wireguard
-------------------------------------------------------------------------------
GENERAL.HWADDR: (unknown)
-------------------------------------------------------------------------------
GENERAL.MTU: 1420
-------------------------------------------------------------------------------
GENERAL.STATE: 100 (connected)
-------------------------------------------------------------------------------
GENERAL.CONNECTION: wg0
-------------------------------------------------------------------------------
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveC>
-------------------------------------------------------------------------------
IP4.ADDRESS[1]: 172.16.1.2/32
IP4.GATEWAY: --
-------------------------------------------------------------------------------
IP6.GATEWAY: --
-------------------------------------------------------------------------------

The above output shows that interface wg0 is connected. It is now able to communicate with one peer whose VPN IP address is 172.16.1.254.
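
The Cryptokey Routing behaviour described at the start of the article can be modelled with the AllowedIPs from the two wg0.conf files above. This is an added example, not code from the original article or from WireGuard itself; the function names are hypothetical, and it shows both directions: choosing a peer for outgoing packets and rejecting decrypted packets whose inner source address is not allowed for the sending peer.

```python
import ipaddress

# AllowedIPs from the two wg0.conf files in this article:
# on each node, the remote peer's public key mapped to its allowed networks.
PEER_A_TABLE = {
    "IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw=": ["172.16.1.2/32"],
}
PEER_B_TABLE = {
    "FEPcisOjLaZsJbYSxb0CI5pvbXwIB3BCjMUPxuaLrH8=": ["172.16.1.254/32"],
}


def _networks(table):
    """Flatten {pubkey: [cidr, ...]} into (network, pubkey) pairs."""
    return [(ipaddress.ip_network(cidr, strict=False), key)
            for key, cidrs in table.items() for cidr in cidrs]


def select_peer(table, dst_ip):
    """Outbound: pick the peer whose AllowedIPs entry is the longest prefix
    match for dst_ip. Returns its public key, or None when no peer covers
    the address (the packet is then dropped instead of sent)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, key) for net, key in _networks(table)
               if dst.version == net.version and dst in net]
    return max(matches)[1] if matches else None


def accept_inbound(table, sender_key, inner_src_ip):
    """Inbound: after decryption, accept only if the inner source address
    maps back to the same peer that authenticated the packet."""
    return sender_key in table and select_peer(table, inner_src_ip) == sender_key


if __name__ == "__main__":
    peer_b = "IOePXA9igeRqzCSzw4dhpl4+6l/NiQvkDSAnj5LtShw="
    print("PeerA -> 172.16.1.2 :", select_peer(PEER_A_TABLE, "172.16.1.2"))
    print("PeerA -> 172.16.1.3 :", select_peer(PEER_A_TABLE, "172.16.1.3"))
    print("PeerB as 172.16.1.2 :", accept_inbound(PEER_A_TABLE, peer_b, "172.16.1.2"))
    print("PeerB as 172.16.1.50:", accept_inbound(PEER_A_TABLE, peer_b, "172.16.1.50"))
```

Although PeerA's interface address is a /24, only 172.16.1.2 is reachable through the tunnel, because that is the only address bound to a peer key.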

Verify connectivity between peers

After executing the procedure described earlier, both peers can communicate with each other through the VPN connection, as demonstrated in the following ICMP test:

[root@peerb ~]# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.566 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=1.33 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=1.67 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=1.47 ms

In this scenario, if you capture UDP traffic on port 60001 on PeerA you will see the communication relying on WireGuard protocol and the encrypted data:

[Figure: packet capture of UDP port 60001 traffic on PeerA]

Conclusion

Virtual Private Networks (VPNs) are very common. Among a wide variety of protocols and tools for deploying a VPN, WireGuard is a simple, lightweight and secure choice. It allows secure point-to-point connections between peers based on Cryptokey Routing, and the procedure is very straightforward. In addition, NetworkManager supports WireGuard interfaces, allowing persistent configurations after reboots.


Author: Mr. See Jast