Wireguard

Buran

vpn, wireguard, wg

2025-01-16 09:14 +0000


Basic setup

Install software:

pacman -S wireguard-tools qrencode

Enable IP forwarding on the server (the clients do not need it). If clients will also route IPv6 through the tunnel, add net.ipv6.conf.all.forwarding = 1 to the same file:

cat > /etc/sysctl.d/90-local.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
[Ctrl+D]

Apply:

systemctl restart systemd-sysctl

Generate keys

For each peer (every client and the server) generate a key pair, one private and one public key. The private key is written with umask 0077 so the file is created mode 0600:

wg genkey | (umask 0077 && tee alice-laptop.key) | wg pubkey > alice-laptop.pub

(the same command generates the server's key pair; the .key file is the secret, the .pub file is what you hand to the other side)

Then we need to set up the server and client configs.

Server configuration

Keep in mind that WireGuard is a peer-to-peer tunnel; "server" and "client" are only roles we assign. Each side's config holds its own private key in [Interface] and the public key of the other end in [Peer]. So the server config carries the server's private key and one [Peer] block per client with that client's public key, and each client config carries the client's private key and a [Peer] block with the server's public key. AllowedIPs on the server side is also the cryptokey routing table: a packet decrypted from a peer is only accepted if its source address lies within that peer's AllowedIPs, so give every client its own /32 and never share a key pair between devices.

Create /etc/wireguard/wg0.conf (mode 0600, it contains the private key; eth0 is the server's uplink interface, adjust it to match the default route in ip route):

[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# alice-laptop
PublicKey = ALICE_PUB_KEY
AllowedIPs = 10.10.10.2/32

[Peer]
# bob-phone
PublicKey = BOB_PUB_KEY
AllowedIPs = 10.10.10.3/32

Enable and start WireGuard:

systemctl enable --now wg-quick@wg0.service

Client configuration

Alice's laptop config may look like this:

[Interface]
# alice-laptop
Address = 10.10.10.2/32
PrivateKey = ALICE_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUB_KEY
Endpoint = my.ddns.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0

(the last line routes all IPv4 and IPv6 traffic over the VPN. Two things a full-tunnel client usually also needs: a DNS = line in [Interface] pointing at a resolver reachable through the tunnel, otherwise name lookups still go to the local network's resolver, and PersistentKeepalive = 25 in [Peer] when the client sits behind NAT, so the server can still reach it after an idle period.)

Share it with a phone as a QR code (the config contains the private key, so treat the terminal output as a secret):

qrencode -t ansiutf8 -r alice-laptop.conf

Import the WireGuard config into NetworkManager:

nmcli connection import type wireguard file alice-laptop.conf
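The procedure above, from key generation to the per-client config and its QR code, as one provisioning script. This is an added example, not code from the post: it assumes the 10.10.10.0/24 tunnel subnet with the server at .1, eth0 as the uplink, the endpoint name used above, and a resolver at 10.10.10.1 reachable through the tunnel. It also adds two lines the post's client config lacks, DNS = (so name lookups do not leak past the tunnel) and PersistentKeepalive = 25 (so a client behind NAT stays reachable). Each client gets its own key pair and its own /32, which is what makes the server's AllowedIPs act as a per-peer source filter.

```sh
#!/bin/sh
# Added example: provision a WireGuard server config plus one config per client.
# Not from the original post. Assumptions: tunnel subnet 10.10.10.0/24 with the
# server at .1, uplink interface eth0, endpoint my.ddns.example.com, and a
# resolver reachable inside the tunnel at 10.10.10.1 for the clients' DNS line.
set -eu

WG_NET="10.10.10"
WG_PORT=51820
WG_ENDPOINT="my.ddns.example.com:${WG_PORT}"
UPLINK="eth0"              # assumed; must match the server's default route
DNS_SERVER="10.10.10.1"    # assumed; a resolver the client reaches through the tunnel

# gen_keypair NAME DIR: writes DIR/NAME.key (mode 0600 via umask) and DIR/NAME.pub
gen_keypair() {
    ( umask 0077; wg genkey > "$2/$1.key" )
    wg pubkey < "$2/$1.key" > "$2/$1.pub"
}

# render_server_conf SERVER_PRIV NAME:PUB:IDX ...: prints wg0.conf with one [Peer]
# per client; base64 keys never contain ':' so the separator is safe
render_server_conf() {
    server_priv=$1; shift
    cat <<EOF
[Interface]
Address = ${WG_NET}.1/24
ListenPort = ${WG_PORT}
PrivateKey = ${server_priv}

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${UPLINK} -j MASQUERADE
EOF
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        pub=${rest%%:*}; idx=${rest#*:}
        # exactly one /32 per client: AllowedIPs is also the cryptokey routing table
        printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' \
            "$name" "$pub" "$WG_NET" "$idx"
    done
}

# render_client_conf NAME CLIENT_PRIV SERVER_PUB IDX: prints the client's full-tunnel config
render_client_conf() {
    cat <<EOF
[Interface]
# $1
Address = ${WG_NET}.$4/32
PrivateKey = $2
DNS = ${DNS_SERVER}

[Peer]
PublicKey = $3
Endpoint = ${WG_ENDPOINT}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# provision OUTDIR NAME...: keys and configs for the server and every named client
provision() {
    out=$1; shift
    mkdir -p "$out" && chmod 700 "$out"
    gen_keypair server "$out"
    peers=""; idx=2
    for name in "$@"; do
        gen_keypair "$name" "$out"
        peers="$peers $name:$(cat "$out/$name.pub"):$idx"
        ( umask 0077; render_client_conf "$name" "$(cat "$out/$name.key")" \
              "$(cat "$out/server.pub")" "$idx" > "$out/$name.conf" )
        idx=$((idx + 1))
    done
    # shellcheck disable=SC2086  # word-splitting $peers into one argument per client is intended
    ( umask 0077; render_server_conf "$(cat "$out/server.key")" $peers > "$out/wg0.conf" )
}

# Usage (needs wireguard-tools):  provision ./wg-out alice-laptop bob-phone
# then:  install -m 600 ./wg-out/wg0.conf /etc/wireguard/wg0.conf
#        qrencode -t ansiutf8 -r ./wg-out/bob-phone.conf
```

The render functions take keys as arguments, so the generated configs can be inspected without wireguard-tools installed; only gen_keypair and provision call wg. Keep the output directory off shared storage: every .key and .conf file in it holds a private key.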

Linux network optimization

Sysctl

Create /etc/sysctl.d/91-wireguard.conf (or another custom sysctl file) with these settings, then apply them with systemctl restart systemd-sysctl as above:

# Increase network buffer sizes
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 30000

# Select a congestion control algorithm. BBR usually outperforms the default CUBIC
# on lossy or high-latency paths, but it needs the tcp_bbr module (modprobe tcp_bbr;
# check sysctl net.ipv4.tcp_available_congestion_control) and is normally paired
# with net.core.default_qdisc = fq. It only affects TCP flows this host terminates,
# not traffic it merely forwards for clients; those flows keep the client's algorithm.
net.ipv4.tcp_congestion_control = bbr

MTU

To optimize MTU and MSS, add an MTU line to the WireGuard config and extra iptables rules for MSS clamping:

[Interface]
MTU = 1420
.... ....
# WireGuard adds 32 bytes per packet plus the outer UDP/IP headers: 60 bytes in total
# over an IPv4 endpoint, 80 over IPv6. 1500 - 80 = 1420 is safe for both and is what
# wg-quick picks by default on a 1500-byte uplink.
# Tune between 1280 (the IPv6 minimum) and 1440 if your path MTU differs; test a
# candidate with ping -M do -s <mtu minus 28> through the tunnel.
# MSS 1380 = 1420 minus the 40 bytes of IPv4 + TCP headers; use 1360 for IPv6 inside
# the tunnel. eth0 is the uplink interface, as in the basic config above.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t mangle -A POSTROUTING -o %i -p tcp --tcp-flags SYN,RST SYN -m comment --comment "WG-MSS-Clamp" -j TCPMSS --set-mss 1380
# PostDown must delete exactly the rules PostUp added: iptables -D needs the full rule
# specification, a bare "-D POSTROUTING -o %i" matches nothing and leaves the clamp behind.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t mangle -D POSTROUTING -o %i -p tcp --tcp-flags SYN,RST SYN -m comment --comment "WG-MSS-Clamp" -j TCPMSS --set-mss 1380
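The MTU and MSS numbers above, derived rather than hard-coded, together with a way to keep PostUp and PostDown in sync: both lines are generated from a single rule list, so a PostDown that deletes a different rule than PostUp added (the easy mistake with long iptables lines) cannot happen. This is an added example, not from the post; it assumes eth0 as the uplink and, unlike the POSTROUTING rule above, clamps MSS in the mangle FORWARD chain in both directions, so that both the client's SYN and the remote side's SYN-ACK are adjusted.

```sh
#!/bin/sh
# Added example, not from the original post: derive the WireGuard MTU and the
# TCP MSS clamp from the uplink MTU, and generate PostUp/PostDown from ONE rule
# list so the -D lines can never drift from the -A lines. Assumptions: the
# uplink is eth0, and the clamp is applied in the mangle FORWARD chain for
# both directions (client -> Internet and Internet -> client) instead of only
# on packets leaving through the tunnel.
set -eu

# wg_mtu OUTER_MTU FAMILY: overhead is outer IP (20 or 40) + 8 UDP + 32 WireGuard
# 1500/6 -> 1420 (safe for any endpoint), 1500/4 -> 1440
wg_mtu() {
    case $2 in
        4) echo $(( $1 - 20 - 8 - 32 )) ;;
        6) echo $(( $1 - 40 - 8 - 32 )) ;;
        *) echo "wg_mtu: family must be 4 or 6" >&2; return 1 ;;
    esac
}

# tcp_mss TUNNEL_MTU FAMILY: inner IP (20 or 40) + 20 TCP, no TCP options
# 1420/4 -> 1380 as in the config above, 1420/6 -> 1360
tcp_mss() {
    case $2 in
        4) echo $(( $1 - 20 - 20 )) ;;
        6) echo $(( $1 - 40 - 20 )) ;;
        *) echo "tcp_mss: family must be 4 or 6" >&2; return 1 ;;
    esac
}

# fw_rules MSS UPLINK: one rule per line as TABLE:CHAIN:MATCHES, without -A/-D;
# %i is expanded by wg-quick to the interface name
fw_rules() {
    cat <<EOF
filter:FORWARD:-i %i -j ACCEPT
filter:FORWARD:-o %i -j ACCEPT
nat:POSTROUTING:-o $2 -j MASQUERADE
mangle:FORWARD:-i %i -p tcp --tcp-flags SYN,RST SYN -m comment --comment WG-MSS-Clamp -j TCPMSS --set-mss $1
mangle:FORWARD:-o %i -p tcp --tcp-flags SYN,RST SYN -m comment --comment WG-MSS-Clamp -j TCPMSS --set-mss $1
EOF
}

# post_cmds A|D MSS UPLINK: the same rules joined into one PostUp (A) or PostDown (D) line
post_cmds() {
    action=$1; out=""
    while IFS=: read -r table chain matches; do
        out="${out}iptables -t $table -$action $chain $matches; "
    done <<EOF
$(fw_rules "$2" "$3")
EOF
    printf '%s\n' "${out%; }"
}

# render_interface OUTER_MTU UPLINK: the [Interface] lines to paste into wg0.conf,
# sized for an IPv6-capable endpoint (80-byte overhead) and IPv4 inside the tunnel
render_interface() {
    mtu=$(wg_mtu "$1" 6)
    mss=$(tcp_mss "$mtu" 4)
    printf 'MTU = %s\nPostUp = %s\nPostDown = %s\n' "$mtu" \
        "$(post_cmds A "$mss" "$2")" "$(post_cmds D "$mss" "$2")"
}

# Usage:  render_interface 1500 eth0
```

render_interface 1500 eth0 prints the three lines to paste into [Interface]; for a 1500-byte uplink that is MTU = 1420 and --set-mss 1380, the values used above. If the uplink itself sits behind PPPoE or another tunnel, pass its real MTU (ip link show eth0) instead of 1500.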