A WireGuard VPN with Mac and iOS Clients
MacSysAdmin 2020
Ed Marczak
twitter: @marczak
Canonical link to this doc:
https://www.icloud.com/pages/0NcXBzXrI6G6oaCofVsnPEOuA#MSA2020-Wireguard
Short link:
https://tinyurl.com/msa20-wg
Greetz!
Thanks to everyone involved with putting on this year’s event, particularly Patrik
Jerneheim.
Thanks to everyone watching, attending, and chatting.
Thanks to my family for putting up with me turning a room in the house into a recording
space for two weeks.
Tycho, we miss you!
Buying your Raspberry Pi
If you’re buying a Raspberry Pi, I’d recommend one of the following high-quality shops:
Pimoroni:
https://shop.pimoroni.com
Adafruit:
https://www.adafruit.com
Do-it-yourself parts list:
- Raspberry Pi 3B+, or 4 (you can do this with any Raspberry Pi, even the Zero W, but it’s a lot easier with the 3B+ or better, and that’s what the video covers. A 2GB model is sufficient for running WireGuard.)
- Raspberry Pi Power Supply (The 3B+ uses a standard MicroUSB 5V supply, and the 4 uses USB C, so you may have these already.)
- A micro SD card for the Raspberry Pi file system (32GB is plenty)
- An SD card adapter to mount the SD card on your computer
...or feel free to use a cloud provider if not doing this for home/office/portable use.
Raspberry Pi Imager:
https://www.raspberrypi.org/downloads/
The Setup
1. Image the SD card using Raspberry Pi Imager (Ubuntu 64-bit LTS 20.04.1 at the time of the video). The brilliant thing here is that you don’t have to pre-download anything: just pick the OS you’re interested in and let it go.
2. After the Raspberry Pi Imager’s verify step, if you plan on connecting via WiFi, remount the card (just physically remove and re-insert the card, or use diskutil if you like the difficult route. If you’re doing everything on Ethernet, you can ignore this step).
3. ssh is enabled in Ubuntu server by default, so, nothing to do here!
4. Config WiFi (again, skip this if you’re using Ethernet)
   1. Once the SD card partition mounts (as “system-boot”) edit /Volumes/system-boot/network-config
   2. Sample config file (indentation matters, this is YAML):
version: 2
ethernets:
  eth0:
    dhcp4: true
    optional: true
wifis:
  wlan0:
    dhcp4: true
    optional: true
    access-points:
      "myhomewifi":
        password: "S3kr1t"
If you want to be able to roam across different WiFi access points—perhaps you’re going to make this a travel router/VPN—you can keep the multiple stanzas under “wifis:” in the sample file.
Boot it!
Insert the SD card into the Raspberry Pi, and plug in the power.
Find your Raspberry Pi on the network and ssh in as “ubuntu”, with a password of “ubuntu”. (You’ll be forced to update the password, and have to ssh in again.)
Once in, `sudo -i` and:
apt update && apt upgrade
apt install wireguard
apt install resolvconf
apt install mosh # optional
Set a static IP address
First tell cloud-init to stop managing (and rewriting) the network config: put this line in a file under /etc/cloud/cloud.cfg.d/ (for example, 99-disable-network-config.cfg):
network: {config: disabled}
Then edit the netplan file in /etc/netplan/ (50-cloud-init.yaml on the Ubuntu image) so it reads like this, with your own addresses:
network:
  ethernets:
    eth0:
      addresses: [192.168.100.85/24]
      gateway4: 192.168.100.1
      nameservers:
        addresses: [192.168.100.10, 1.1.1.1]
  version: 2
Set the hostname:
hostnamectl set-hostname [some hostname]
Add this hostname to /etc/hosts as an additional entry for 127.0.0.1
Reboot!
Configure Your WireGuard Server
Forward packets across interfaces:
sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv6.conf.all.forwarding=1
Edit /etc/sysctl.d/99-sysctl.conf and uncomment the two lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
...and save it.
Create public/private keys for your server:
Change to the /etc/wireguard directory:
cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
Config file /etc/wireguard/wg0.conf (Of course, use whatever addresses or port number you want or need to):
[Interface]
Address = 10.10.10.10/32, fc00:23:5::10/64
ListenPort = 51820
PrivateKey = [paste the server private key here]
DNS = [add a suitable DNS server - preferably one you run]
SaveConfig = false
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save it!
Use `wg-quick up wg0` to bring up this interface and get the server listening for packets.
Use the `wg` command to see the status of the running server.
Use `wg-quick down wg0` to stop this interface.
Make it permanent:
systemctl enable wg-quick@wg0   # enable at boot
systemctl start wg-quick@wg0    # start it up right now
Choose a port (UDP), and forward it on your firewall/edge router. For example:
Configure a Client on the Server
Create /etc/wireguard/clients, and cd into it. (Or do it in some other location...I’m a document, not a cop.)
Create keys for the client:
umask 077; wg genkey | tee clientprivatekey | wg pubkey > clientpublickey
Create a client file. Use this as a template, and fill in the proper keys and server. (Call this file whatever you want to identify it. I’m going to name it `client1.conf`.)
[Interface]
PrivateKey = [client_private_key]
Address = [Client Private IP]/24
DNS = 192.168.100.10
[Peer]
PublicKey = [WG Server/peer Public Key]
AllowedIPs = 0.0.0.0/0
Endpoint = [Public WG Address/Router passthrough]:51820
Make a QR code out of it:
apt install qrencode
qrencode -t ansiutf8 < client1.conf
Add client info to server config as a [Peer] stanza in /etc/wireguard/wg0.conf
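A small shell helper, added here as an example (not part of the original handout or of WireGuard’s own tooling), that renders the client file and the matching server-side [Peer] stanza from one set of inputs so the two halves cannot drift apart. It assumes the handout’s layout (/etc/wireguard/publickey, wg0.conf with SaveConfig = false); the function names, the clients directory and the sample values in the comments are this example’s own.

```shell
#!/bin/sh
# Added example (not from the handout): render both halves of a client setup.
# Keys are passed in; on the Pi they come from `wg genkey` / `wg pubkey`.

# Client-side file: AllowedIPs = 0.0.0.0/0 sends all traffic through the tunnel,
# exactly as in the handout's client1.conf template.
render_client_conf() {
  # $1 client private key, $2 server public key, $3 client tunnel IP,
  # $4 server endpoint host:port, $5 DNS server handed to the client
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = %s\n\n' "$1" "$3" "$5"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' "$2" "$4"
}

# Server-side stanza: AllowedIPs is the client's single address (/32). WireGuard
# routes by these addresses (cryptokey routing), so a wider range here would
# steer other traffic to this client and let it claim another client's address.
render_peer_stanza() {
  # $1 client public key, $2 client tunnel IP, $3 label written as a comment
  printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$3" "$1" "$2"
}

# add_client <name> <client_ip> <endpoint host:port> [dns]  (run as root on the Pi)
add_client() {
  name=$1; ip=$2; endpoint=$3; dns=${4:-192.168.100.10}
  dir=/etc/wireguard/clients          # same directory the handout uses
  umask 077                           # private keys and configs: root-only
  mkdir -p "$dir"
  priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey)
  srvpub=$(cat /etc/wireguard/publickey)
  render_client_conf "$priv" "$srvpub" "$ip" "$endpoint" "$dns" > "$dir/$name.conf"
  render_peer_stanza "$pub" "$ip" "$name" >> /etc/wireguard/wg0.conf
  # SaveConfig = false, so the file is the source of truth; also load the peer
  # into the running interface now rather than bouncing wg0.
  wg set wg0 peer "$pub" allowed-ips "$ip/32"
  qrencode -t ansiutf8 < "$dir/$name.conf"   # scan this from the iOS app
}

# e.g.  sh add-client.sh client1 10.10.10.11 vpn.example.invalid:51820
if [ -n "${1:-}" ]; then add_client "$@"; fi
```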
Configure an iOS client
Download the iOS client:
https://apps.apple.com/us/app/wireguard/id1441195209
Open the WireGuard app, tap on “Add a Tunnel”, choose “Scan QR Code”, and then scan the QR created in the “Create a client on the Server” step above.
(This is at about the 44 minute mark in the video.)
Configure a macOS Client
Download the macOS client:
https://apps.apple.com/us/app/wireguard/id1451685025?mt=12
Instead of scanning a QR code, on the Mac, we can create from scratch, or, just use the client file that was created on the server, and import that directly—no typing necessary!
(This is at about the 55 minute mark in the video.)
Extras
About WireGuard
WireGuard Protocol:
https://www.wireguard.com/protocol/
Ubuntu 20.04 LTS backports WireGuard into kernel:
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-20.04-Adds-WireGuard
Setup VPN on Cloud Services
Algo VPN:
https://github.com/trailofbits/algo
(Supports DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode…and even your own Ubuntu instance.)
Hardware Routers That Support WireGuard
OPNsense:
https://opnsense.org
dd-wrt:
https://wiki.dd-wrt.com/wiki/index.php/Wireguard
GL.iNet Slate:
https://www.gl-inet.com/products/gl-ar750s/
WireGuard as a Service
Tailscale:
https://tailscale.com
Projects That Make Your WireGuard Life Easier
Subspace (WireGuard GUI):
https://github.com/subspacecloud/subspace
wgconfig (Python config file parser):
https://github.com/towalink/wgconfig
Ansible WireGuard:
https://github.com/iamckn/wireguard_ansible
Pi Hole:
https://pi-hole.net/
…and if you watched the video, and made it this far, you may want to see the blooper reel:
https://radiotope.com/f/MSA2020/MSA2020-Wireguard_Bloopers.m4v
(Hey, I’m human! Recording these talks is more difficult than it seems!)