Rat Poison f74b31ad0b WireGuard guide: fix MTU issue
Some sites work in sys-wireguard, but did not work in an AppVM
connected to sys-wireguard. Examples:

https://duckduckgo.com
https://atlassian.net

The problem is caused by MTU. The solution was proposed on
https://github.com/QubesOS/qubes-issues/issues/5264#issuecomment-707683771
2020-11-24 13:22:48 +01:00

Using WireGuard as VPN in QubesOS

Based on https://www.scaleway.com/en/docs/installing-wireguard-vpn-linux/

To use this guide you need a VPS to use as the VPN server.

Use Debian 10 on both server and client.

On both server and client

In Qubes, do the following steps in the TemplateVM (debian-10).

If needed, enable buster-backports:

$ echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee /etc/apt/sources.list.d/buster-backports.list
$ sudo apt-get update

If needed, install kernel headers:

$ sudo apt-get install linux-headers-amd64

Install WireGuard:

$ sudo apt-get install wireguard resolvconf

Make sure the kernel module was installed (exit status 0 means the module loaded):

$ sudo modprobe wireguard
$ echo $?
0

In Qubes, shut down the debian-10 TemplateVM and do the following steps in a ProxyVM named sys-wireguard based on debian-10. On the server, continue in the same terminal.

Generating Public and Private Keys

# mkdir -p /etc/wireguard/keys
# cd /etc/wireguard/keys
# umask 077
# wg genkey | tee privatekey | wg pubkey > publickey

On server

Create the file /etc/wireguard/wg0.conf with the following content:

[Interface]
PrivateKey = <private key of the server>
Address = 192.168.66.1/32
ListenPort = <random port for server>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -o %i -j DROP; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o %i -j DROP; iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <public key of the client>
AllowedIPs = 192.168.66.2/32

<add more clients if needed>

Run:

$ sudo wg-quick up wg0

You can also enable starting WireGuard on the server at boot time with the following command:

$ sudo systemctl enable wg-quick@wg0.service

On client

Create the file /home/user/wg0.conf with the following content:

[Interface]
PrivateKey = <private key of the client>
Address = 192.168.66.2/32
DNS = 1.1.1.1
PostUp = iptables -t nat -I PREROUTING 1 -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1; iptables -t nat -I POSTROUTING 3 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = <public key of the server>
Endpoint = <public ip of server>:<public port of server>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Run:

$ sudo wg-quick up /home/user/wg0.conf

It should work at this point.
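The client's [Peer] section must carry the server's public key and the server's [Peer] section the client's, so it is easy to paste the wrong key or mismatch the port or AllowedIPs. The following cross-check of the two config files is an added example, not part of the guide; it takes the contents of each side's publickey file as input, and the keys, addresses and configs in it are constructed placeholders.

```python
import ipaddress
import re

def parse_wg_conf(text):
    """Parse a wg-quick INI file into a list of {'section': name, Key: value} dicts, in file order ([Peer] may repeat)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append({"section": m.group(1)})
        elif line:
            key, _, value = line.partition("=")  # PostUp values contain '=' too, so split only once
            sections[-1][key.strip()] = value.strip()
    return sections

def check_pair(server_conf, server_pubkey, client_conf, client_pubkey):
    """Cross-check a server wg0.conf and a client wg0.conf; return a list of problems found."""
    problems = []
    s, c = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    s_iface = next(x for x in s if x["section"] == "Interface")
    c_iface = next(x for x in c if x["section"] == "Interface")
    for p in (x for x in c if x["section"] == "Peer"):
        # The client's [Peer] is the server: pasting the client's own key here is a common slip.
        if p.get("PublicKey") == client_pubkey:
            problems.append("client [Peer] PublicKey is the client's own key, not the server's")
        elif p.get("PublicKey") != server_pubkey:
            problems.append("client [Peer] PublicKey does not match the server's public key")
        # Endpoint port must equal the server's ListenPort (and the port allowed in the Qubes firewall).
        port = p.get("Endpoint", "").rsplit(":", 1)[-1]
        if port != s_iface.get("ListenPort"):
            problems.append(f"client Endpoint port {port!r} != server ListenPort {s_iface.get('ListenPort')!r}")
    # The server must list the client's key, with the client's tunnel address covered by AllowedIPs.
    c_addr = ipaddress.ip_interface(c_iface["Address"]).ip
    matching = [x for x in s if x["section"] == "Peer" and x.get("PublicKey") == client_pubkey]
    if not matching:
        problems.append("server has no [Peer] with the client's public key")
    for p in matching:
        nets = [ipaddress.ip_network(n.strip()) for n in p.get("AllowedIPs", "").split(",") if n.strip()]
        if not any(c_addr in n for n in nets):
            problems.append(f"server AllowedIPs for the client do not cover {c_addr}")
    return problems

# Constructed placeholder keys and configs (not real keys); the client below has the wrong peer key.
SERVER_PUB, CLIENT_PUB = "S" * 43 + "=", "C" * 43 + "="
SERVER_CONF = f"[Interface]\nAddress = 192.168.66.1/32\nListenPort = 51820\n\n[Peer]\nPublicKey = {CLIENT_PUB}\nAllowedIPs = 192.168.66.2/32\n"
CLIENT_CONF = f"[Interface]\nAddress = 192.168.66.2/32\nDNS = 1.1.1.1\n\n[Peer]\nPublicKey = {CLIENT_PUB}\nEndpoint = 203.0.113.10:51820\nAllowedIPs = 0.0.0.0/0\n"

print(check_pair(SERVER_CONF, SERVER_PUB, CLIENT_CONF, CLIENT_PUB))
```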

Add the following to /rw/config/rc.local:

wg-quick up /home/user/wg0.conf

Then run chmod +x /rw/config/rc.local

Then go to the Qubes firewall settings of sys-wireguard and limit outgoing connections to UDP <public ip of server>:<public port of server>. Then go to the dom0 console and use the qvm-firewall command to remove the unneeded exceptions for ICMP and DNS:

$ qvm-firewall sys-wireguard
... 4 rules, including unwanted DNS and ICMP rules ...
$ qvm-firewall sys-wireguard del --rule-no 1
$ qvm-firewall sys-wireguard del --rule-no 1
$ qvm-firewall sys-wireguard
... 2 rules ...

Make sure it now has only the server rule and then DROP.

On Android/iOS

You can use WireGuard on Android or iOS devices.

Android: https://play.google.com/store/apps/details?id=com.wireguard.android&hl=fr

iOS: https://apps.apple.com/us/app/wireguard/id1441195209?ls=1

In the app, select Create from scratch and configure it the same way you did in sys-wireguard. The form has the same fields as the file.