Wireguard client set up
Brian Wilson (talk | contribs) Created page with "''This is part of the Repeater linking project I am working on.'' I assume you have the latest version of the Raspberry Pi OS installed and set up. You should have an ss..."
Brian Wilson (talk | contribs) mNo edit summary
Revision as of 06:56, 12 March 2022
This is part of the Repeater linking project I am working on.
Scenario. You have a Raspberry Pi set up with the latest version of the Pi OS installed. You can log in via console. You want to set up remote access via tarra.link.
Preliminary set up
You should have the ssh server installed and enabled. You can do that in raspi-config under "Interfaces", "SSH". You can change the name of the client in there too, under "System", "Hostname".
The client has to be able to connect to the Internet, but it can be on either a static or a DHCP dynamic link; it won't matter. Once everything is set up, you will be able to use the Wireguard tunnel connection to get from the Internet to the client even if the DHCP address changes.
CHANGE THE PASSWORD ON THE CLIENT BEFORE EXPOSING IT TO THE INTERNET. Use raspi-config or, from the command line, the 'passwd' command.
Install Wireguard
Working on the client,
sudo apt-get install wireguard -y
Some comments. You don't have to enable packet forwarding, because this is a client node and won't be doing any packet forwarding. You don't have to set up a firewall; that will be handled on tarra. We might decide to set up a firewall later, but for now it's just extra complexity. It would not hurt to install iptables and fail2ban just so it's there for later.
sudo apt-get install fail2ban
Generate a pair of keys
The keys will be called "privatekey" and "publickey", in the folder /etc/wireguard. First make sure the folder is secured (the chmod command).
Still on the client,
sudo -s
chmod 700 /etc/wireguard
cd /etc/wireguard/
wg genkey | tee privatekey | wg pubkey > publickey
Copy the public key to the server. An easy way is to dump it to the screen and then cut and paste.
cat publickey
On the server now you could paste it, using the name of the host, which in this case is "ren-1". This will create a file containing the key called ren-1.pub in /etc/wireguard/
sudo -s
echo PASTE_THE_PUBLICKEY_STRING_RIGHT_HERE > /etc/wireguard/ren-1.pub
TO DO = write commands to complete the server set up here.
Set up the client's config file.
The port number does not matter on this end, there is no firewall between us and tarra. The client has to know tarra's port and the first time it connects to tarra it will tell tarra its port number.
Lots of people use nano to edit files. It's definitely easier than vim.
sudo -s
cd /etc/wireguard
nano wg0.conf
You can 'cat' the private key and copy it so that you can paste it into the wg0.conf file.
cat privatekey
Next use nano to make the file look like this, changing it as needed for your client. I read somewhere that 25 seconds is a good value to use for the keepalive. Over a cellular link (data rates apply) a longer interval might be better; some research is advised before changing it.
[Interface]
# Desired address at this end, the Raspberry Pi
Address = 44.127.9.33/28
# Paste the private key generated in the previous step here.
# CHANGE THIS TO YOUR PRIVATE KEY
PrivateKey = ed4S0jLwfBizpnly40wqFaoAjsk/D7oYwblUZNBd8WE=
[Peer]
Endpoint = 45.76.244.170:51820
# All TARRA AMPR addresses (44.127.9.x) should be sent to tarra at vultr.
# All Internet traffic should be routed over the tunnel (0.0.0.0/0)
# If you leave off the 0.0.0.0/0 you have a "split tunnel"
AllowedIPs = 44.127.9.0/24, 0.0.0.0/0
PublicKey = KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=
PersistentKeepalive = 25
Leaving out the 0.0.0.0/0 part of AllowedIPs is a split tunnel configuration. The "split tunnel" config sends traffic for the AMPR net over the tunnel and lets everything else go out to the Internet without using the tunnel. Faster but less secure.
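Before running wg-quick up, it is worth sanity-checking wg0.conf for the mistakes this section warns about: leftover placeholder text on the PrivateKey line (wg-quick will refuse the file), a config readable by other local users (the private key leaks to them), a malformed Endpoint, and whether AllowedIPs makes this a full or a split tunnel. The bash script below is an added example written for this page; it is not part of the wiki page or of the WireGuard tools. The two sample configs it writes to a temporary directory are constructed for the demo, and the key in the "good" file is a dummy string of the right shape, not a real key.

```shell
# Sanity-check a WireGuard client config before 'wg-quick up wg0'.
# Added example; function names and the demo files are constructed here.

# Print the value of "Key = value" from a config file (first match only).
wg_conf_get() {   # $1 = file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# "full" when 0.0.0.0/0 is in AllowedIPs, otherwise "split" (see text above).
wg_tunnel_mode() {   # $1 = file
    case ",$(wg_conf_get "$1" AllowedIPs | tr -d ' ')," in
        *,0.0.0.0/0,*) echo full ;;
        *)             echo split ;;
    esac
}

# Return 0 if the config looks usable, 1 otherwise; reasons go to stderr.
wg_check_conf() {   # $1 = file
    local f=$1 ok=0 priv ep ka mode
    # A group/world-readable config hands the private key to every local user.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in 600|400) ;; *) echo "mode $mode: run chmod 600 $f" >&2; ok=1 ;; esac
    # A WireGuard key is 32 bytes of base64: exactly 43 chars plus a trailing '='.
    # Anything else on the line (e.g. a "CHANGE THIS" note) fails this test.
    priv=$(wg_conf_get "$f" PrivateKey)
    if ! printf '%s\n' "$priv" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "PrivateKey is not a bare base64 key (placeholder text left in?)" >&2; ok=1
    fi
    ep=$(wg_conf_get "$f" Endpoint)
    if ! printf '%s\n' "$ep" | grep -Eq '^[^:]+:[0-9]{1,5}$'; then
        echo "Endpoint must be host:port, got '$ep'" >&2; ok=1
    fi
    ka=$(wg_conf_get "$f" PersistentKeepalive)
    if [ -n "$ka" ] && ! printf '%s\n' "$ka" | grep -Eq '^[0-9]+$'; then
        echo "PersistentKeepalive must be a whole number of seconds" >&2; ok=1
    fi
    return $ok
}

# Constructed demo configs (not real keys) in a scratch directory.
wg_demo_dir=$(mktemp -d)
# good.conf: dummy 44-char key, full tunnel, owner-only permissions.
printf '%s\n' '[Interface]' 'Address = 44.127.9.33/28' \
    "PrivateKey = $(printf 'A%.0s' $(seq 43))=" '[Peer]' \
    'Endpoint = 45.76.244.170:51820' 'AllowedIPs = 44.127.9.0/24, 0.0.0.0/0' \
    'PublicKey = KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=' \
    'PersistentKeepalive = 25' > "$wg_demo_dir/good.conf"
chmod 600 "$wg_demo_dir/good.conf"
# bad.conf: note left on the PrivateKey line, split tunnel, world-readable.
printf '%s\n' '[Interface]' 'Address = 44.127.9.33/28' \
    'PrivateKey = ed4S0jLwfBizpnly40wqFaoAjsk/D7oYwblUZNBd8WE= CHANGE THIS TO YOUR PRIVATE KEY' \
    '[Peer]' 'Endpoint = 45.76.244.170:51820' 'AllowedIPs = 44.127.9.0/24' \
    'PersistentKeepalive = 25' > "$wg_demo_dir/bad.conf"
chmod 644 "$wg_demo_dir/bad.conf"

# Report on both demo files when run directly.
for c in good bad; do
    printf '%s.conf: %s tunnel, ' "$c" "$(wg_tunnel_mode "$wg_demo_dir/$c.conf")"
    if wg_check_conf "$wg_demo_dir/$c.conf"; then echo OK; else echo REJECTED; fi
done
```

To use it on the real file, run `wg_check_conf /etc/wireguard/wg0.conf` as root; the permission check is the one most often missed, because wg-quick itself only warns about it.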
Bring up the connection
wg-quick up wg0
I find that it's useful to run the 'wg show' command to see what things look like. On my Pi3 "violet" it looks like this when the link is up. (When the link is down, it shows nothing.)
root@violet:/etc/wireguard# wg show
interface: wg0
  public key: GRj/PCkIRbcClXPep5IE2nsg9Lg2WmZDkBSW65yl4jw=
  private key: (hidden)
  listening port: 51820

peer: KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=
  preshared key: (hidden)
  endpoint: 45.76.244.170:51820
  allowed ips: 44.127.9.0/24
  latest handshake: 30 seconds ago
  transfer: 11.07 KiB received, 28.07 KiB sent
  persistent keepalive: every 25 seconds
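The "latest handshake" line is the one worth watching: with PersistentKeepalive = 25 the peers exchange a handshake regularly, so a handshake that is much older than the keepalive interval means the tunnel is effectively dead even though the interface is still up. The bash functions below turn the 'wg show' text into an up/stale/down verdict that a cron job or login script can act on. This is an added example, not code from the wiki page or from the WireGuard tools; the first sample output is taken from the listing above, the stale and down variants are constructed to show the other cases, and the "three keepalive intervals" threshold is an assumption.

```shell
# Parse 'wg show' output and judge tunnel health from the latest handshake.
# Added example; function names and sample data are constructed here.

# Seconds since the last handshake, read from a "latest handshake:" line on
# stdin. Handles "30 seconds ago", "1 minute, 12 seconds ago" and so on.
# Prints -1 when no handshake line is present (interface up, peer never seen).
wg_handshake_age() {   # stdin = wg show output
    local line n unit total=0
    line=$(sed -n 's/^[[:space:]]*latest handshake:[[:space:]]*//p' | head -n 1)
    [ -n "$line" ] || { printf '%s\n' -1; return; }
    # Split "12 minutes, 4 seconds" into "<n> <unit>" pairs and sum them.
    set -- $(printf '%s\n' "$line" | tr -d ',' | sed 's/ ago$//')
    while [ $# -ge 2 ]; do
        n=$1 unit=$2; shift 2
        case $unit in
            second*) total=$((total + n)) ;;
            minute*) total=$((total + n * 60)) ;;
            hour*)   total=$((total + n * 3600)) ;;
            day*)    total=$((total + n * 86400)) ;;
        esac
    done
    printf '%s\n' "$total"
}

# "up" if the last handshake is within three keepalive intervals (assumed
# threshold), "stale" if older, "down" if there is no handshake at all.
wg_link_state() {   # $1 = keepalive seconds (25 in the config above); stdin = wg show output
    local age
    age=$(wg_handshake_age)
    if [ "$age" -lt 0 ]; then
        echo down
    elif [ "$age" -le $(( $1 * 3 )) ]; then
        echo up
    else
        echo stale
    fi
}

# Constructed samples. The first mirrors the healthy listing above.
wg_sample_up='interface: wg0
  public key: GRj/PCkIRbcClXPep5IE2nsg9Lg2WmZDkBSW65yl4jw=
  private key: (hidden)
  listening port: 51820

peer: KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=
  preshared key: (hidden)
  endpoint: 45.76.244.170:51820
  allowed ips: 44.127.9.0/24
  latest handshake: 30 seconds ago
  transfer: 11.07 KiB received, 28.07 KiB sent
  persistent keepalive: every 25 seconds'
# Same peer, but the keepalives have stopped getting through.
wg_sample_stale='interface: wg0
  listening port: 51820

peer: KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=
  endpoint: 45.76.244.170:51820
  latest handshake: 12 minutes, 4 seconds ago
  persistent keepalive: every 25 seconds'
# Interface exists but the peer has never completed a handshake.
wg_sample_down='interface: wg0
  listening port: 51820

peer: KnD5dfwSMAoUGXySxZtxuvfKMIBf+YKc+hiJifGQWwc=
  endpoint: 45.76.244.170:51820
  persistent keepalive: every 25 seconds'

# On a live node replace the sample with: wg show wg0 | wg_link_state 25
for s in up stale down; do
    eval "sample=\$wg_sample_$s"
    printf 'sample %-5s -> %s\n' "$s" "$(printf '%s\n' "$sample" | wg_link_state 25)"
done
```

Pipe the real output in with `wg show wg0 | wg_link_state 25`; a "stale" result usually means the endpoint is unreachable or the keepalive is too long for a NAT in the path, and a "down" result right after boot points at a config error.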
I don't know if your node will be resolving addresses so I show IP addresses here. This is the address for ren-1.tarra.link
ping 44.127.9.33
This is the router end of the tunnel, t3.tarra.link
ping 44.127.9.46
You should be able to hit the main address at the router, tarra.link
ping 44.127.9.254
From tarra you should be able to ping the node. You don't need the full name here.
ping ren-1
From your laptop or anywhere on the Internet you should be able to ping the node now,
ping ren-1.tarra.link
You should be able to log into the node over the Internet. You did change the password? Great. Otherwise someone will figure out this is a Raspberry Pi and log in and take control of it in about 5 minutes. I am not exaggerating.
ssh [email protected]
Make wireguard run after reboot
sudo -s
systemctl enable wg-quick@wg0
systemctl daemon-reload
systemctl start wg-quick@wg0
Reboot now to make sure it took. Once you reboot, do this again.
wg show
You should see the link still exists and that there is a connection. Run the tests from the previous section again to satisfy yourself that it rebooted correctly.