How to setup WireGuard VPN with ChromeOS client

You read my last post about strongSwan because you wanted to set up a VPN for yourself? Too complicated? Well, give WireGuard a try then.

My IPsec connection seems to be faster and more responsive than WireGuard (when I route everything through IPsec versus routing everything through WireGuard). However, I assume this is a matter of the encryption algorithms used, so for you WireGuard might be faster. Maybe I will run some tests and provide numbers on this one.

Anyway. WireGuard is easier to set up and currently integrates better with e.g. ChromeOS. While my IPsec tunnel has to be manually restarted after sleep/suspend, WireGuard handles all this on its own. But hey – don’t take my word for it, try it yourself.

Install WireGuard on your server / host

apt-get install wireguard

Create a public and private key

cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Add connection

Now create your first connection by adding a file /etc/wireguard/wg0.conf

[Interface]
PrivateKey = -- put the created private key here --
Address = 10.7.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens7 -j MASQUERADE
ListenPort = 51820

Start the tunnel:

root@vpn1:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

Add Client

In ChromeOS install WireGuard and click the + button to add a new tunnel. Click create new:

Name: Just pick a name for this VPN
Private Key: Click the two arrows and it will create a private key as well as a public key
Public Key: will be created.
Addresses: 10.7.0.2/32
Nameserver: 8.8.8.8

Add Peer:

Public Key: Enter the public key which you created before (see the server’s publickey file)
Endpoint: IP:PORT of your WireGuard VPN Server
Allowed IPs: 0.0.0.0/0 to route everything through the tunnel.

On the server type:

wg set wg0 peer <publickey> allowed-ips 10.7.0.2/32

Replace <publickey> with the public key of the WireGuard client (shown in the ChromeOS WireGuard dialog after you press the two arrows, which created the private/public key pair).

Also add to the server’s /etc/wireguard/wg0.conf:

[Peer]
PublicKey = --public key of the client--
AllowedIPs = 10.7.0.2/32

Just to make sure, stop and start WireGuard and connect to it:

stop

root@vpn1:~# wg-quick down wg0
[#] ip link delete dev wg0
[#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens7 -j MASQUERADE

start

root@vpn1:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

check status

root@vpn1:~# wg show
interface: wg0
  public key: --publickey--
  private key: (hidden)
  listening port: 51820

peer: --publickey--
  endpoint: xxx.xx.59.15x:46589
  allowed ips: 10.7.0.2/32
  latest handshake: 3 seconds ago
  transfer: 7.02 KiB received, 12.07 KiB sent

Should be up and running. 🙂

Don’t forget to enable IP forwarding with sysctl (net.ipv4.ip_forward = 1) and enable the systemd unit (systemctl enable wg-quick@wg0) so that the tunnel starts automatically after a boot.
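As an added example that is not part of the original post: a small POSIX shell helper set for the server-side steps above, which registers a client peer only after validating its key and flags registered peers that are not actually handshaking. It assumes GNU coreutils and the tab-separated output of "wg show wg0 dump"; the key and the dump lines at the bottom are constructed sample data, not values from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the two server-side
# steps above: registering a client peer safely and checking which configured
# peers are actually connected. Assumes GNU coreutils (base64, wc, grep, tail).

# A WireGuard key is 32 raw bytes base64-encoded: 44 characters ending in '='.
# Decode and count the bytes rather than trusting the length alone.
wg_key_valid() {
    [ "${#1}" -eq 44 ] || return 1
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
}

# Usage: wg_add_peer <conf-file> <client-public-key> <allowed-ips>
# Appends a [Peer] stanza only if the key parses and is not already present,
# then prints the matching live command from the post for the running interface.
# Keep AllowedIPs at the client's single /32: on the server it is the cryptokey
# routing table, so a wider range would accept spoofed source addresses from
# this peer and steer other clients' return traffic to it.
wg_add_peer() {
    conf=$1; pub=$2; ips=$3
    wg_key_valid "$pub" || { echo "invalid public key: $pub" >&2; return 2; }
    if grep -qsF "PublicKey = $pub" "$conf"; then
        echo "peer already present: $pub" >&2; return 3
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$ips" >> "$conf"
    echo "wg set wg0 peer $pub allowed-ips $ips"
}

# Usage: wg show wg0 dump | wg_stale_peers <now-epoch> <max-age-seconds>
# The dump is tab-separated: first line the interface, then one line per peer
# with column 5 the latest handshake as a unix time (0 = never). Prints every
# peer whose handshake is older than max-age: registered, but not really connected.
wg_stale_peers() {
    now=$1; max=$2
    tail -n +2 | while IFS=$(printf '\t') read -r pub _psk _ep _ips hs _rest; do
        if [ "$hs" -eq 0 ] || [ $((now - hs)) -gt "$max" ]; then
            echo "$pub"
        fi
    done
}

# Constructed sample data: a key built from 32 'A' bytes, and a dump with one
# peer that handshook 3 s before 'now' (1700000003) and one that never did.
SAMPLE_PUB='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='
SAMPLE_DUMP=$(printf 'PRIV\tSRVPUB\t51820\toff\n%s\t(none)\t203.0.113.10:46589\t10.7.0.2/32\t1700000000\t7188\t12359\toff\nCLIENT2PUB\t(none)\t(none)\t10.7.0.3/32\t0\t0\t0\toff\n' "$SAMPLE_PUB")
printf '%s\n' "$SAMPLE_DUMP" | wg_stale_peers 1700000003 120   # prints CLIENT2PUB
```

On a live server the stale check is "wg show wg0 dump | wg_stale_peers $(date +%s) 180"; a peer the post's "latest handshake" line would show as minutes old is exactly what it lists.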
