mirror of
https://github.com/Qubes-Community/Contents.git
synced 2025-01-08 13:57:58 -05:00
Add wireguard guide
This commit is contained in:
parent
bdcb657aaa
commit
346dba19d0
@ -11,6 +11,7 @@
|
||||
- ![](/_res/l.png) [use Qubes OS as a smartTV](https://github.com/Aekez/QubesTV)
|
||||
- ![](/_res/l.png) [VM hardening (fend off malware at VM startup)](https://github.com/tasket/Qubes-VM-hardening)
|
||||
- ![](/_res/l.png) [VPN configuration](https://github.com/tasket/Qubes-vpn-support)
|
||||
- [Run wireguard on server and use as VPN for Qubes](wireguard/README.md)
|
||||
- [Make an HTTP Filtering Proxy](configuration/http-proxy.md)
|
||||
- ![](/_res/l.png) [Ansible Qubes](https://github.com/Rudd-O/ansible-qubes) (see Rudd-O's [other repos](https://github.com/Rudd-O?tab=repositories) as well)
|
||||
- [shrink VM volumes](configuration/shrink-volumes.md)
|
||||
|
141
docs/wireguard/README.md
Normal file
141
docs/wireguard/README.md
Normal file
@ -0,0 +1,141 @@
|
||||
# Using WireGuard as VPN in QubesOS
|
||||
|
||||
Based on https://www.scaleway.com/en/docs/installing-wireguard-vpn-linux/
|
||||
|
||||
To use this guide you need VPS to use as VPN server.
|
||||
|
||||
Use Debian 10 on both server and client.
|
||||
|
||||
## On both server and client
|
||||
|
||||
In Qubes, do the following steps in TemplateVM (debian-10).
|
||||
|
||||
If needed, enable buster-backports:
|
||||
|
||||
```
|
||||
$ echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/buster-backports.list
|
||||
$ sudo apt-get update
|
||||
```
|
||||
|
||||
If needed, install kernel headers:
|
||||
|
||||
```
|
||||
$ sudo apt-get install linux-headers-amd64
|
||||
```
|
||||
|
||||
Install WireGuard:
|
||||
|
||||
```
|
||||
$ sudo apt-get install wireguard resolvconf
|
||||
```
|
||||
|
||||
Make sure kernel module was installed:
|
||||
|
||||
```
|
||||
$ sudo modprobe wireguard
|
||||
$ echo $?
|
||||
0
|
||||
```
|
||||
|
||||
In Qubes, shutdown `debian-10` TemplateVM and do the following steps
|
||||
in ProxyVM `sys-wireguard` based on `debian-10`. On the server, continue
|
||||
in the same terminal.
|
||||
|
||||
Generating Public and Private Keys
|
||||
|
||||
```
|
||||
# mkdir -p /etc/wireguard/keys
|
||||
# cd /etc/wireguard/keys
|
||||
# umask 077
|
||||
# wg genkey | tee privatekey | wg pubkey > publickey
|
||||
```
|
||||
|
||||
## On server
|
||||
|
||||
Create the file `/etc/wireguard/wg0.conf` with the following content:
|
||||
|
||||
```
|
||||
[Interface]
|
||||
PrivateKey = <private key of the server>
|
||||
Address = 192.168.66.1/32
|
||||
ListenPort = <random port for server>
|
||||
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -o %i -j DROP; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -o %i -j DROP; iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
[Peer]
|
||||
PublicKey = <public key of the client>
|
||||
AllowedIPs = 192.168.66.2/32
|
||||
|
||||
<add more clients if needed>
|
||||
```
|
||||
|
||||
Run:
|
||||
|
||||
```
|
||||
$ sudo wg-quick up wg0
|
||||
```
|
||||
|
||||
You can also enable the start of WireGuard on server at boot time with the following command:
|
||||
|
||||
```
|
||||
$ sudo systemctl enable wg-quick@wg0.service
|
||||
```
|
||||
|
||||
## On client
|
||||
|
||||
Create the file `/home/user/wg0.conf` with the following content:
|
||||
|
||||
```
|
||||
[Interface]
|
||||
PrivateKey = <private key of the client>
|
||||
Address = 192.168.66.2/32
|
||||
DNS = 1.1.1.1
|
||||
PostUp = iptables -t nat -I PREROUTING 1 -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = <public key of the client>
|
||||
Endpoint = <public ip of server>:<public port of server>
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
PersistentKeepalive = 25
|
||||
```
|
||||
|
||||
Run:
|
||||
|
||||
```
|
||||
$ sudo wg-quick up /home/user/wg0.conf
|
||||
```
|
||||
|
||||
It should work at this point.
|
||||
|
||||
Add the following to `/rw/config/rc.local`:
|
||||
|
||||
```
|
||||
wg-quick up /home/user/wg0.conf
|
||||
```
|
||||
|
||||
Then `chmod +x /rw/config/rc.local`
|
||||
|
||||
Then go to Qubes firewall settings and limit outgoing connections to UDP `<public ip of server>:<public port of server>`.
|
||||
Then do to dom0 console and use `qvm-firewall` command to remove unneeded exceptions for ICMP and DNS:
|
||||
|
||||
```
|
||||
$ qvm-firewall sys-wireguard
|
||||
... 4 rules, including unwanted DNS and ICMP rules ...
|
||||
$ qvm-firewall sys-wireguard del --rule-no 1
|
||||
$ qvm-firewall sys-wireguard del --rule-no 1
|
||||
$ qvm-firewall sys-wireguard
|
||||
... 2 rules ...
|
||||
```
|
||||
|
||||
Make sure it now has only the server rule and then DROP.
|
||||
|
||||
## On Android/iOS
|
||||
|
||||
You can use wireguard on Android or iOS devices.
|
||||
|
||||
Android: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=fr
|
||||
|
||||
iOS: https://apps.apple.com/us/app/wireguard/id1441195209?ls=1
|
||||
|
||||
In the app, select `Create from scratch` and configure it the same way you did
|
||||
in sys-wireguard. The form has the same fields as the file.
|
Loading…
Reference in New Issue
Block a user