Super Easy VPN WireGuard

It was super fun. Keep it as your own memorandum.

Preface

I don't like changing SSHD ports, setting Fail2Ban, or kneading AWS security groups on AWS, so I tried using the recently popular WireGuard.

This was really easy.

environment

One micro instance of Amazon Linux
Subnet set in VPC
- 172.31.0.0/20
- 172.31.16.0/20
- 172.31.32.0/20
WireGuard port (51820/udp)
DDNS is hoge.example.jp
My PC is Windows 10
WireGuard network is 192.168.90.0/24
The IP on the WireGuard server VPN is 192.168.90.1.
The IP on the WireGuard client VPN is 192.168.90.10

Rough network

A network diagram of a rough image of accessing AWS from my house with WireGuard.

Server side

EC2 instance

Here, we use a micro instance of Amazon Linux 2.

$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

AWS security group

Create one AWS security group and assign it to your WireGuard EC2 instance. I will work with SSH access for a while. When WireGuard becomes available, delete the SSH item.

type	protocol	Port range	Source	Explanation
SSH	TCP	22	0.0.0.0/0
Custom UDP rules	UDP	51820	0.0.0.0/0	wireguard-port

Set DDNS

First, get no-ip and create a DDNS domain. After getting the DDNS domain, install noip with yum and set the user and password with noip2 -C. https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/dynamic-dns.html

$ yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ yum install -y noip
$ /usr/sbin/noip2 -C
$ systemctl enable noip

WareGuard installation

Use the repository for RHEL7 on the official website. https://www.wireguard.com/install/

$ curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ yum install wireguard-dkms wireguard-tools

Just in case, restart it once.

$ reboot

ipforward settings

Enable forwarding.

$ cat /etc/sysctl.conf | grep -v ^#
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

$ sysctl -w net.ipv4.ip_forward=1
$ sysctl -w net.ipv6.conf.all.forwarding=1

etckeeper installation

Since the configuration file under / etc is kneaded, put etckeeper in it.

$ yum install etckeeter
$ etckeeper  init
Initialized empty Git repository in /etc/.git/

Create private key public key for server

Create private key for server

$ wg genkey | tee /etc/wireguard/server.key
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
$ chmod 600 /etc/wireguard/server.key

Create public key for server

$ cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
$ chmod 600 /etc/wireguard/server.pub

Creating a private key public key for a client

Creating a private key for the client

$ wg genkey | tee /etc/wireguard/client.key
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

Create public key for client

$ cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

WireGuard server settings

First, check the NIC with the ip addr command. Remember that the NIC is eth0.

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:9a:51:f1:23:ca brd ff:ff:ff:ff:ff:ff
    inet 172.31.45.164/20 brd 172.31.47.255 scope global dynamic eth0
       valid_lft 2382sec preferred_lft 2382sec
    inet6 fe80::49a:51ff:fef1:23ca/64 scope link
       valid_lft forever preferred_lft forever

Create /etc/wireguard/wg0.conf.

$ cat /etc/wireguard/wg0.conf
[Interface]
# server-private-key
PrivateKey = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
Address = 192.168.90.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# clients-public-key
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 192.168.90.0/24

The meaning of the setting items is like this.

[Interace]
PrivateKey: Private key for the server
Address: Specify the IP address of the WireGuard server
ListenPort: Specify the WireGuard port
PostUp: Add a rule with the iptables command for IP masquerading Specify the NIC you checked earlier
PostDown: Set to delete the iptables rule set in PostUp when stopped
[Peer]
PublicKey: Public key for client
AllowedIPs: Network addresses used by WireGuard

After completing the settings, start WireGuard + automatically start.

$ systemctl enable --now wg-quick@wg0

DNS server for WireGuard

I want to resolve this FQDN of AWS ip-172-31-47-99.ap-northeast-1.compute.internal, so install unbound.

$ yum install unbound

Remember the AWS nameserver IP.

$ cat /etc/resolv.conf | grep ^namese
nameserver 172.31.0.2

Make /etc/unbound/unbound.conf look like this.

$ cat /etc/unbound/unbound.conf | grep -v ^$
server:
        interface: 0.0.0.0
        interface-automatic: yes
        do-ip4: yes
        do-ip6: no
        access-control: 0.0.0.0/0 allow
        access-control: 127.0.0.1 allow
        #verbosity: 5
        verbosity: 1
        private-domain: "shikumis.com"
remote-control:
        control-enable: yes
        # control-port: 8953
        server-key-file: "/etc/unbound/unbound_server.key"
        # unbound server certificate file.
        server-cert-file: "/etc/unbound/unbound_server.pem"
        # unbound-control key file.
        control-key-file: "/etc/unbound/unbound_control.key"
        # unbound-control certificate file.
        control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf
forward-zone:
        name: "."
        forward-addr: 172.31.0.2

Start unbound + start automatically.

$ systemctl enable --now unbound

Client side

Install the Windows WireGuard client

Download and install the Windows installer from here. https://www.wireguard.com/install/

WireGuard client settings

Launch the WireGuard client and make the following settings in "Add tunnel"-> "Add empty tunnel" at the bottom left.

[Interface]
# client-private-key
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 192.168.90.10/32
DNS = 192.168.90.1

[Peer]
# server-public-key
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 192.168.90.1/32, 172.31.16.0/20, 172.31.32.0/20, 172.31.0.0/20
Endpoint = hoge.example.jp:51820
PersistentKeepalive = 25

The meaning of the setting items is like this.

[Interface]
PrivateKey: Private key for the client
Address: IP address of the client
DNS: DNS server (Specify 192.168.90.1. Here, you can specify AWS nameserver if unbound is troublesome)
[Peer]
PublicKey: Public key for the server
AllowedIPs = Networks that allow access
Endpoint: Specify WireGuard server (it is convenient to specify the acquired DDNS domain)
PersistentKeepalive: Time to hold NAT

Connection confirmation

Click "Activate" in the GUI to connect.

Check name resolution and routing at the command prompt.

>nslookup ip-172-31-47-99.ap-northeast-1.compute.internal
server:  UnKnown
Address:  192.168.90.1

Unauthorized answer:
name:    ip-172-31-47-99.ap-northeast-1.compute.internal
Address:  172.31.47.99

>route print -4 | findstr /i 172.31
       172.31.0.0    255.255.240.0 on link 192.168.80.11      5
    172.31.15.255  255.255.255.255 on link 192.168.80.11    261
      172.31.16.0    255.255.240.0 on link 192.168.80.11      5
    172.31.31.255  255.255.255.255 on link 192.168.80.11    261
      172.31.32.0    255.255.240.0 on link 192.168.80.11      5
    172.31.47.255  255.255.255.255 on link 192.168.80.11    261