
Setting up a WireGuard VPN server

Installation

apt update -y && apt upgrade -y
apt install wireguard -y

Create key pairs

Server keys
wg genkey | tee server_private_key | wg pubkey > server_public_key
Client keys
wg genkey | tee client_private_key | wg pubkey > client_public_key


Server configuration

Open the file:
nano /etc/wireguard/wg0.conf
Example wg0.conf
[Interface]
Address = 10.13.37.1/24
SaveConfig = true
PrivateKey = <insert server_private_key>
ListenPort = 51194

[Peer]
PublicKey = <insert client_public_key>
AllowedIPs = 10.13.37.11/32

Enable WireGuard

chown -v root:root /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service


Enable IP forwarding

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
reboot

Configure firewall rules

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 51194 -m conntrack --ctstate NEW -j ACCEPT

# DNS access (adjust the subnet)
iptables -A INPUT -s 10.13.37.0/24 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.13.37.0/24 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Alternative with a larger network
# iptables -A INPUT -s 10.13.36.0/22 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# iptables -A INPUT -s 10.13.36.0/22 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT

# NAT
iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE
# or
# iptables -t nat -A POSTROUTING -s 10.13.36.0/22 -o eth0 -j MASQUERADE

Make the rules persistent

apt install iptables-persistent

User management

Copy the scripts to the server:

createWireGuardUser.sh
deleteWireGuardUser.sh

Make them executable
chmod +x createWireGuardUser.sh deleteWireGuardUser.sh
Create the client list file
nano /etc/wireguard/Clients
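The page refers to createWireGuardUser.sh without showing it. The shell functions below are an added example (not that script and not WireGuard project code) of the bookkeeping such a script does for the 10.13.37.0/24 tunnel configured above: pick the next free client address from the Clients file, emit the server's [Peer] block and the matching client wg0.conf. Assumptions: the Clients file holds one "name address" per line, the client and server keys plus the endpoint are passed in as arguments, and the client uses the server (10.13.37.1) as its DNS resolver.

```shell
#!/bin/sh
# Added example, not the page's createWireGuardUser.sh: register one client in
# the 10.13.37.0/24 tunnel from this page. Assumed Clients file format: one
# "name address" per line. Keys are passed in as arguments, so it runs offline.
set -eu

# Print the next unused host address, starting at .11 (.1 is the server).
next_client_ip() {
  file="$1"; host=11
  while [ "$host" -le 254 ]; do
    if ! { [ -f "$file" ] && grep -q "[[:space:]]10\.13\.37\.${host}\$" "$file"; }; then
      printf '10.13.37.%s\n' "$host"; return 0
    fi
    host=$((host + 1))
  done
  echo "no free address in 10.13.37.0/24" >&2; return 1
}

# [Peer] block for the server side; /32 pins this key to exactly one address.
server_peer_block() {
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Client-side wg0.conf. DNS = 10.13.37.1 (the server) is an assumption that
# matches the port-53 firewall rules above; 0.0.0.0/0 tunnels all traffic.
client_config() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 10.13.37.1\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' "$3" "$4"
}

# register_client NAME CLIENT_PUB CLIENT_PRIV SERVER_PUB ENDPOINT CLIENTS_FILE PEERS_FILE
# Refuses duplicate names, records the client, appends the [Peer] block to
# PEERS_FILE and prints the client's wg0.conf to stdout.
register_client() {
  name="$1"; cpub="$2"; cpriv="$3"; spub="$4"; endpoint="$5"; clients="$6"; peers="$7"
  if [ -f "$clients" ] && grep -q "^${name}[[:space:]]" "$clients"; then
    echo "client '$name' already exists" >&2; return 1
  fi
  ip=$(next_client_ip "$clients")
  printf '%s %s\n' "$name" "$ip" >> "$clients"
  { printf '\n'; server_peer_block "$cpub" "$ip"; } >> "$peers"
  client_config "$cpriv" "$ip" "$spub" "$endpoint"
}
```

Because the server config above sets SaveConfig = true, wg-quick rewrites wg0.conf when the interface goes down, so on a live server apply the new peer with `wg set wg0 peer <client_public_key> allowed-ips <address>/32` instead of editing the file while wg0 is up.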