Ech0 - 22 / 06 / 2021

Automated Wireguard Setup

Before we start, you will need an Ubuntu 16+ VPS (you can get one on DigitalOcean, for example). If you prefer to use your own self-hosted server, make sure that ports 80 and 443 are correctly port forwarded so that the public IP reaches the server and not the router. Once that's done, SSH into your Ubuntu server.

You can use DuckDNS to get a free domain name:


[ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Documents/Github/blog/Conf]
→ ssh root@ech4.duckdns.org
The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@debian-s-1vcpu-1gb-lon1-01:~#

Initial Setup

First update Ubuntu and install curl:


apt update -y && apt upgrade -y 
apt install curl -y

Then get angristan's script:


curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

Then just hit enter at every prompt to accept the defaults.

Then get your wireguard client config in the /root/ folder:


root@wired:~# cat /root/wg0-client-nowhere.conf
[Interface]
PrivateKey = sIanEImIYOURKEY9ec1ttVFU=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 176.103.130.130,176.103.130.131

[Peer]
PublicKey = uA+TgpwXFYWZjYOURKEYWqF0cC0M=
PresharedKey = FpWeYyYOURKEY8feFjN4EUzvg=
Endpoint = 278.276.383.1:52225
AllowedIPs = 0.0.0.0/0,::/0

Setting up a client



Save it locally in /etc/wireguard:


sudo nano /etc/wireguard/wg0.conf

Install wireguard-tools on the client (on Debian buster it comes from backports; resolvconf is needed for wg-quick to apply the DNS entry), then run wg-quick to launch wireguard, and wg to check the status.


echo "deb http://deb.debian.org/debian/ buster-backports main " | \
sudo tee /etc/apt/sources.list.d/buster-backports.list
sudo apt update
sudo apt install -t buster-backports wireguard-dkms wireguard-tools

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo apt install wireguard-tools resolvconf -y

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ which wg-quick
/usr/bin/wg-quick

[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip -6 address add fd42:42:42::2/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ sudo wg
interface: wg0
  public key: Zhjn3QNON+LYOURKEYU0bjyE=
  private key: (hidden)
  listening port: 42771
  fwmark: 0xca6c

peer: uA+TgpwXFYWZjYOURKEYqF0cC0M=
  preshared key: (hidden)
  endpoint: 278.276.383.1:52225
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 4 seconds ago
  transfer: 4.26 KiB received, 6.11 KiB sent

You can check your own IP with the following command:


[ 192.168.100.1/24 ] [ /dev/pts/11 ] [~]
→ curl ifconfig.me
278.276.383.1

Advanced Usage



You can use the following command to run wireguard when the system starts:


systemctl enable --now wg-quick@wg0 

Once wireguard is active, you can no longer reach your local subnets, because AllowedIPs = 0.0.0.0/0 sends all traffic through the tunnel:



→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3070ms

As you can see, with the wireguard connection up I cannot reach my home router.

To fix this, I add routes to the 10.0.0.0/24 and 192.168.0.0/24 subnets manually:


[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=3.42 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=5.03 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.419/4.222/5.025/0.803 ms

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0

[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4077ms

If you need to access local networks (like 192.168.0.0/24 or 10.2.0.0/16 and such) while still having the wireguard connection, you can modify your client config as follows using the PostUp and PostDown parameters:



[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = AAAA=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1, 1.0.0.1
PostUp =    ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0
PostDown =  ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0

[Peer]
PublicKey =  BBBBBB=
PresharedKey = CCCCCC=
Endpoint = 78.x.x.x:57692
AllowedIPs = 0.0.0.0/0, ::/0

:wq

With this configuration you can even specify local DNS servers. For example, I have 2 local Pi-holes at 192.168.0.198 and 192.168.0.199; thanks to the ip route rules I can reach them, so I can use them like so:


[ 10.66.66.2/32 ] [ /dev/pts/25 ] [~]
→ sudo vim /etc/wireguard/wg0.conf

[...]

DNS = 192.168.0.199,192.168.0.198

[...]

:wq

Note: that solution isn't the best, because it will probably leak your actual location (the Pi-holes resolve from your home connection while your traffic exits from the VPS). You can check this on DNSLeakTest. Instead, I recommend choosing public DNS server IPs by location on public-dns.info: simply pick 2 DNS servers which are in the same country as your VPS. Then restart wireguard to refresh the configuration:


[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo wg-quick down wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d tun.wg0 -f
[#] nft -f /dev/fd/63
[#] ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip -6 address add fd42:42:42::2/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0
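As an added example (not part of the original post), here is a small POSIX shell helper that generates the PostUp/PostDown lines shown above for any list of local subnets, and checks a client config for the case from the note: DNS servers that sit on a LAN subnet are queried outside the tunnel. The gateway, device and subnet values are constructed to match the setup above.

```shell
# Added example (not the post's own code): emit the PostUp/PostDown route lines
# for wg0.conf and check a client config for LAN-hosted DNS resolvers.
# Gateway, device and subnets are constructed sample values.

# wg_route_lines GATEWAY DEV LAN_SUBNET [REMOTE_SUBNET...]: keeps LAN_SUBNET (on
# DEV) and the remote subnets (via GATEWAY) reachable while the tunnel is up.
wg_route_lines() {
    gw="$1"; dev="$2"; lan="$3"; shift 3
    up="ip route add $lan dev $dev"
    down="ip route del $lan dev $dev"
    for net in "$@"; do
        up="$up ; ip route add $net via $gw dev $dev"
        down="$down ; ip route del $net via $gw dev $dev"
    done
    printf 'PostUp = %s\nPostDown = %s\n' "$up" "$down"
}

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_subnet IP CIDR : true when IP falls inside CIDR (IPv4 only)
in_subnet() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dns_on_lan SUBNET... : reads a wg0.conf on stdin; true (and prints the offender)
# when a DNS= server sits on a local subnet, i.e. it is queried outside the tunnel.
dns_on_lan() {
    found=1
    for srv in $(sed -n 's/^DNS *= *//p' | tr ',' ' '); do
        case $srv in *:*) continue ;; esac   # skip IPv6 resolvers
        for net in "$@"; do
            if in_subnet "$srv" "$net"; then
                echo "DNS server $srv is on local subnet $net"
                found=0
            fi
        done
    done
    return $found
}

# Constructed sample client config with the Pi-hole resolvers from above.
SAMPLE_CONF='[Interface]
DNS = 192.168.0.199,192.168.0.198
AllowedIPs = 0.0.0.0/0, ::/0'

wg_route_lines 10.0.0.1 eth0 10.0.0.0/24 192.168.0.0/24
echo "$SAMPLE_CONF" | dns_on_lan 10.0.0.0/24 192.168.0.0/24 && echo "pick resolvers in the VPS country instead"
```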

You can also do it with systemctl directly:


[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl stop wg-quick@wg0
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to stop 'wg-quick@wg0.service'.
Authenticating as: nothing,,, (nothing)
Password:
==== AUTHENTICATION COMPLETE ===

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl start wg-quick@wg0
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'wg-quick@wg0.service'.
Authenticating as: nothing,,, (nothing)
Password:
==== AUTHENTICATION COMPLETE ===

[ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
→ systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
     Active: active (exited) since Fri 2021-06-11 19:12:53 CEST; 1s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 3988248 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 3988248 (code=exited, status=0/SUCCESS)
        CPU: 143ms

You can also add a zshrc / bashrc function to toggle the connection automatically:



[ 10.66.66.2/32 ] [ /dev/pts/16 ] [blog/servers/wireguard_auto]
→ vim ~/.zshrc

[...]

temple(){
    # ANSI colours for the status messages
    GREEN="\033[0;32m"
    RED="\033[0;31m"
    ORANGE="\033[0;33m"
    NC="\033[0m"

    # No wg0 in the interface list means the tunnel is down: bring it up,
    # otherwise tear it down. Either way, print the resulting public IP.
    if [ $(ip a | grep wg0 | wc -l) -eq "0"  ]; then
        echo -en "${GREEN}[+]${NC} WireGuard is ${RED}DOWN${NC}, ${ORANGE}connecting to Temple...${GREEN}\n\n"
        sudo wg-quick up wg0
        echo -en "\n${GREEN}[+]${NC} your public ip is : ${GREEN} $(curl ifconfig.me) ${NC}"
    else
        echo -en "${GREEN}[+]${NC} WireGuard is ${GREEN}UP, ${ORANGE}disconnecting from Temple...${RED}\n\n"
        sudo wg-quick down wg0
        echo -en "\n${GREEN}[+]${NC} your public ip is : ${ORANGE} $(curl ifconfig.me) ${NC}"
    fi
}

[...]

:wq
