Geekices

How to set up a simple Wireguard VPN

Install Wireguard

I’m using a Debian virtual machine for the server. In Debian 10, you’ll need to install the following two packages:

apt install wireguard-dkms wireguard-tools

Set up keys

First, navigate to /etc/wireguard (If not created, run mkdir /etc/wireguard as root) and then run the following commands as root:

wg genkey | tee laptop-private.key |  wg pubkey > laptop-public.key
wg genkey | tee server-private.key |  wg pubkey > server-public.key

The first line is for the public and private keys of the client, named laptop because, well, it’ll be used on a laptop. But you can choose any other name.

Configure the Wireguard server

First, enable IP forwarding. Since we’re only using IPv4, edit the /etc/sysctl.conf file as root, locate the net.ipv4.ip_forward line, uncomment it and change the value to 1.

Now, you need to create the /etc/wireguard/wg0.conf. This will be both the name of the connection interface and the configuration file for that interface. I’m using just one for a simple setup.

[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from server-private.key>
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# laptop
PublicKey = <copy public key from laptop-public.key>
AllowedIPs = 10.200.200.2/32

Now you are ready to start the Wireguard daemon, so it can accept connections. Just run:

wg-quick up wg0

Some things to know

[Interface]

Address: the private IPv4 addresses (you can also use IPv6 addresses) for the Wireguard server subnet. In this example, clients connection to the server will be assigned IPs ranging from 10.200.200.1 to 10.200.200.254.

ListenPort: the port where Wireguard will listen. Don’t forget to open it in your firewall.

PrivateKey: the content from server-private.key.

PostUp and PostDown: defines steps to be run after the interface is turned on or off, respectively. In this case, iptables is used to set IP masquerade rules to allow all the clients to share the server’s IPv4 address. The rules will then be cleared once the tunnel is down. Don’t forget to change eth0 to your server’s network device.

[Peer]

PublicKey: the content from laptop-public.key.

AllowedIPs: the subnet IP assigned to that client when it connects to the server

Set up the client

On the client side, you’ll also have to install Wireguard. If you’re using Debian, Ubuntu or any distribution based on the previous two, the command will be the same (I’m assuming Ubuntu uses the same package names. If not, change it to your needs). In Arch, the distribution I’m currently using, you can install packages with:

pacman -Syuv wireguard-dkms wireguard-tools

Configure the Wireguard client

Create the /etc/wireguard/wg0.conf file and populate it with the following content:

[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from laptop-private.key>

[Peer]
PublicKey = <copy public key from server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xxx:51820 
PersistentKeepalive = 25

Some things to know

[Interface]

Addresss: the client’s IP address in Wiregard’s subnet.

PrivateKey: the content from laptop-private.key.

[Peer]

PublicKey: the content from server-public.key.

AllowedIPs: set it to 0.0.0.0/0 to forward all IPv4 traffic through Wireguard.

Endpoint: the server IP address, followed by the port to connect to.

PersistentKeepalive: the number of seconds you wish the client sends a keepalive packet to the server. This is useful if the client is behind NAT or a firewall

Test the connection

On the client side, run wg-quick up wg0. You should now have a working Wireguard connection just like any VPN.

If you found a typo or an error, please use the comment box to report it. Also, if you found the post useful, please share it on social media, so it can reach a larger audience.


Geekices

How-to customize the Bash prompt

In order to adapt a bit more my Debian Stable installation to my workflow, I’ve been tweaking the bash prompt. Simplicity and small line width are key here, because I often have tmux running with several panes in the same window and small panes with large one-liner prompts suck a lot! Everything feels crammed and hard to read. Just take a look at the image below to get an idea.

crammed bash prompt

After running a few commands in each pane with this prompt configuration, everything gets really crowded and confuse. For sanity safeguarding reasons and workflow improvement, the only thing to do is customize the prompt.

The Debian Stable bash prompt, shown on the image above, default value is:

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

To make it more useful, I changed the second line to this:

PS1="[\033[00;32m]\u@\h[\033[00m]:\w[\033[00m]\n└─ [$(tput bold)]\$(__git_ps1 '[%s] ')\$: [$(tput sgr0)]"

All put together:

if [ "$color_prompt" = yes ]; then
		PS1="\[\033[00;32m\]\u@\h\[\033[00m\]:\w\[\033[00m\]\n└─ \[$(tput bold)\]\$(__git_ps1 '[%s] ')\$: \[$(tput sgr0)\]"
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

And this is the result:

readable bash prompt

Not only I get a more readable prompt (and with “more room to breathe”, if you may), but I get the name of the current branch if I’m in a Git repository folder. This is a convenient feature to have if you work with this version control system.

There are a lot more ways one can configure the prompt. Both How-To Geek and Boolean World websites have nice introductory guides to get you started. The Arch Linux wiki entry about this is also a good read. Oh, and RTFM (Read The … Fine … Manual).


Geekices

Trying Debian Stable for everyday desktop usage

A few days ago I installed Debian Stable. I’d been using Sparky Linux, which is based on Debian Testing, and was happy with it. The tools it integrates make the life of a desktop user easier when managing the system, I had no issues with it and had a bunch of software available in the repositories.

Well, since Sparky is based on Debian, the “bunch of software available in the repositories” part was a given from the start.

Although happy, I was looking for an operating system a bit more conservative in terms of stability and reliability. I’d been inspired very recently by the short OpenBSD usage I had on a virtual machine and some readings about BSD systems, so I thought Debian Stable would be the best choice.

Here are my motives for choosing Debian over, say, CentOS or Slackware or even a BSD system:

  • It’s a Linux kernel based operating system and I’ve been mostly using Debian Testing or Debian-based systems for over a decade, so I’m familiar with it;
  • It prioritizes stability over the latest stable version of a software;
  • It has a lot of software available;
  • It has a very large community.

Almost a week went by and my fears of using older versions of any software (motivated almost exclusively by a potential lack of some functionality) are gone. The system is really stable and I have almost all the tools I need in the repositories. I only needed to install a handfull of apps from external sources (deb-multimedia, github, flatpak and snap) because they were not packaged in the distro’s repositories.