WireGuard VPN Setup: The Fast and Simple Guide for Linux and ChromeOS

You read my last post about StrongSwan and thought it was too complicated? I understand. WireGuard is the revolutionary, simple VPN solution that often proves faster and integrates better with modern operating systems like ChromeOS.

While I found my specialized IPsec connection to be slightly faster, WireGuard excels in ease of setup and client usability: the tunnel automatically resumes after sleep/suspend without manual intervention.

1. Server Setup and Key Generation

The WireGuard implementation under Linux is robust and straightforward.

Installation and Key Generation

# Install wireguard on your server / host
apt-get install wireguard

# Create a private and public key pair using secure umask settings
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Initial Configuration (wg0.conf)

I define the server’s interface, assign an internal network, and set up the necessary firewall rules for NAT (Network Address Translation). The PostUp/PostDown rules automate firewall setup upon connection.

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = -- put the created private key here -- 
Address = 10.7.0.1/24
ListenPort = 51820

# PostUp/PostDown automate NAT and routing when the interface comes up/down
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens7 -j MASQUERADE

Note: The egress interface (ens7 in this example) should be replaced with your host’s public-facing NIC name.

Enabling the Service

Don’t forget to enable IP Forwarding in the kernel and enable the systemd service for automatic startup after boot.

# Enable IP Forwarding
sysctl -w net.ipv4.ip_forward=1

# Enable systemd service for automatic start
systemctl enable wg-quick@wg0

2. Client Setup (ChromeOS)

WireGuard integrates natively with ChromeOS through a dedicated application. This simplifies the client configuration significantly.

Client Key Generation and Peer Setup

  1. Install WireGuard on the ChromeOS device and create a new tunnel configuration.
  2. Generate Keys: Click the key icon in the ChromeOS dialog to generate a secure private/public key pair for the client.
  3. Client Settings: Set the client’s internal IP (10.7.0.2/32) and the desired DNS server.
  4. Peer Setup: Enter the Server’s Public Key, the Endpoint (Server IP:Port), and Allowed IPs as 0.0.0.0/0 to route all traffic through the tunnel (Full-Tunnel VPN).

Server Peer Integration

The client’s public key must be added to the server’s wg0.conf file, along with its assigned internal IP address.

# /etc/wireguard/wg0.conf (Server Peer)
[Peer]
PublicKey = --public key of the client--
AllowedIPs = 10.7.0.2/32

The tunnel must be restarted for the changes to take effect:

# Stop and restart the tunnel
root@vpn1:~# wg-quick down wg0
root@vpn1:~# wg-quick up wg0

3. Verification

The wg show command verifies the successful key exchange and data transfer, confirming the tunnel is up and running.

root@vpn1:~# wg show
interface: wg0
  public key: --server-publickey--
  private key: (hidden)
  listening port: 51820

peer: --client-publickey--
  endpoint: xxx.xx.59.15x:46589
  allowed ips: 10.7.0.2/32
  latest handshake: 3 seconds ago
  transfer: 7.02 KiB received, 12.07 KiB sent

This simple setup successfully provides a reliable, persistent VPN connection for the ChromeOS client.


Sources / See Also

Hier sind die Quellen und weiterführenden Links im üblichen Blog-Stil und in englischer Sprache.

  • WireGuard Official Documentation. Quick Start Guide for Linux and Cross-Platform Integration. https://www.wireguard.com/quickstart/
  • WireGuard Documentation. Technical Details and Cryptography. https://www.wireguard.com/protocol/
  • Netfilter Project. Working with NAT and MASQUERADE Rules in iptables. https://www.netfilter.org/documentation/
  • Linux Networking (Sysctl). Kernel Parameters for IP Forwarding. https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
  • ChromeOS Help Center. Set up a VPN on your Chromebook (WireGuard client). https://support.google.com/chromebook/answer/1282338

StrongSwan VPN: Mastering IKEv2 EAP-TLS and ChromeOS Client Integration

StrongSwan is the complete IPsec solution used to secure communication between servers and clients via mutual certificate-based authentication and encryption. This guide documents the necessary implementation steps for the highly secure IKEv2 EAP-TLS protocol, focusing on critical workarounds for seamless ChromeOS integration.

1. Installation

The base installation of StrongSwan on Debian/Ubuntu is straightforward. Using the swanctl approach for declarative configuration is recommended.

# Installation of required strongSwan packages
apt-get install strongswan strongswan-pki strongswan-swanctl charon-systemd

Critical Host Configuration: IP Forwarding

Since the VPN host functions as a gateway, activating IP forwarding (routing) is mandatory.

# Enable IP forwarding:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1

2. Certificate Infrastructure (CA)

The choice of cryptographic algorithm is crucial for ChromeOS compatibility. While ED25519 is supported by StrongSwan, ECDSA certificates were found to be necessary for client importability into ChromeOS.

Certificate Authority (CA)

The CA should ideally be created on a secured system that does not have direct internet exposure.

# Create the ECDSA key for the CA
pki --gen --type ecdsa --outform pem > ca.key

# Create the CA Cert with a lifetime of 10 years. [The values for C=, O= and CN= must be replaced.]
pki --self --ca --lifetime 3652 --in ca.key --dn "C=DE, O=jeanbruenn.info, CN=jeanbruenn Root CA" --outform pem > ca.crt

# Optional: Create a Certificate Revocation List (CRL)
pki --signcrl --cacert ca.crt --cakey ca.key --lifetime 30 > strongswan.crl

Gateway and Client Certificates

The Gateway certificate is used on the VPN server; an ED25519 key is suitable for this purpose. For the Chromebook client, an ECDSA key is required for successful browser import.

Gateway Setup: The Gateway certificate must be issued with the serverAuth flag.

# Generate the ED25519 key for the gateway
pki --gen --type ed25519 --outform pem > vpn1.key

# Sign and issue the Gateway certificate
pki --issue --cacert ca.crt --cakey ca.key --type pkcs10 --in vpn1.req --serial 01 --lifetime 1826 --outform pem --flag serverAuth > vpn1.crt

Chromebook Client Setup: The client requires a PKCS#12 file for authentication. ECDSA must be used for the client key to overcome import issues on ChromeOS.

# Generate the ECDSA key for the Chromebook
pki --gen --type ecdsa --outform pem > chromebook.key

# Create the PKCS12 container for client import
openssl pkcs12 -export -inkey chromebook.key -in chromebook.crt -name "chromebook" -certfile ca.crt -caname "jeanbruenn Root CA" -out chromebook.p12

Client Import: The ca.crt (potentially renamed to .pem) is added to the Certificate Authorities under chrome://settings/certificates. The chromebook.p12 is then imported under user certificates.

3. StrongSwan Configuration (swanctl)

The declarative configuration defines a standard “road warrior” setup with client pools for address assignment.

# /etc/swanctl/conf.d/rw-vpn.conf

connections {
  rw {
    encap = yes
    pools = pool_v4, pool_v6

    local {
      auth = pubkey
      certs = vpn1.crt
      id = vpn1.jeanbruenn.info
    }

    remote {
      auth = pubkey
    }

    children {
      rw {
        # Local Traffic Selectors: 0.0.0.0/0 and ::/0 enforce Full-Tunnel VPN
        local_ts  = 0.0.0.0/0,::/0
        updown = /usr/lib/ipsec/_updown iptables
      }
    }
  }
}

pools {
   pool_v6 {
      dns = 2001:4860:4860::8888
      addrs = xxxx:xxxx:x:xx:xxxx::x/64
   }
   pool_v4 {
      dns = 8.8.8.8
      addrs = 10.8.0.2/24
   }
}

4. Advanced Network Troubleshooting (PMTU & NAT)

Operating a full-tunnel VPN requires advanced Linux network tuning to ensure connection stability.

NAT (MASQUERADE Rules)

MASQUERADE rules are used to translate the private VPN addresses to the public IP of the gateway. The policy clause ensures that only IPsec-tunneled traffic is masked.

# MASQUERADE for IPv4
iptables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

# MASQUERADE for IPv6
ip6tables -t nat -A POSTROUTING -o ens7 -m policy --dir out --pol ipsec -j ACCEPT
ip6tables -t nat -A POSTROUTING -o ens7 -j MASQUERADE

PMTU Blackholing Workaround (TCPMSS)

The solution to connection hanging due to PMTU Blackholing is to adjust the MSS (Maximum Segment Size) for TCP SYN packets in the Mangle table.

# Reduces the MSS to prevent PMTU blackholing
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360 
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# Disabling PMTU Discovery (as a fallback)
net.ipv4.ip_no_pmtu_disc=1

Sources / See Also

  • StrongSwan Documentation. IKEv2 VPN Setup and Configuration Guide. https://docs.strongswan.org/docs/5.9/config/vpn_setup.html
  • StrongSwan Documentation. Creating Certificates with PKI Utility. https://docs.strongswan.org/docs/5.9/pki/pki-howto.html
  • StrongSwan Wiki. Android VPN Client Compatibility and Certificate Issues. https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
  • StrongSwan Documentation. Policy-based NAT Traversal (MASQUERADE rules). https://docs.strongswan.org/docs/5.9/config/routing.html
  • Libreswan Project (PMTU). Understanding PMTU Blackholing and the TCPMSS fix. https://wiki.libreswan.org/wiki/Path_MTU_Discovery_Issues
  • OpenSSL Documentation. Creating PKCS#12 (.p12) Bundles. https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html