Synopsis
Provides a local LAN gateway that forwards all packets to a cloud-hosted proxy server using Wireguard.
OS used
Debian 10 with a 4.x kernel (the default kernel version in stable)
DNS Service used
Cloudflare (1.1.1.1)
Cloud Service used
Google Cloud (GCE)
Networks used
- 192.168.123.0/24 - Wireguard network
- 10.20.30.0/24 - Local LAN network
Prerequisites
- A virtual machine or old computer to be used as your LAN gateway.
- A cloud-hosted virtual machine with a static external IP address.
Instructions
All steps must be run as root.
Step 1 - Install Wireguard (both servers)
- Enable Debian backports.
echo "deb http://deb.debian.org/debian buster-backports main contrib non-free" > /etc/apt/sources.list.d/buster-backports.list
- Update APT package cache.
apt update
- Install Wireguard.
apt install wireguard
- Setup Wireguard keys.
cd /etc/wireguard && umask 077 && wg genkey | tee privatekey | wg pubkey > publickey
Step 2 - Setup Wireguard on proxy server
Paste into /etc/wireguard/wg0.conf and customize:
[Interface]
Address = 192.168.123.1/24
PrivateKey = [INSERT PROXY SERVER PRIVATE KEY HERE]
PostUp = echo nameserver 1.1.1.1 | resolvconf -a tun.%i -m 0 -x; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = resolvconf -d tun.%i; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 11194
MTU = 1380
[Peer]
PublicKey = [INSERT LAN GATEWAY PUBLIC KEY HERE]
AllowedIPs = 192.168.123.2/32, 10.20.30.0/24
Step 3 - Setup Wireguard on LAN gateway
Paste into /etc/wireguard/wg0.conf and customize:
[Interface]
Address = 192.168.123.2/24
PrivateKey = [INSERT LAN GATEWAY PRIVATE KEY HERE]
PostUp = iptables -A FORWARD -s 10.20.30.0/24 -o %i -j ACCEPT; iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -s 10.20.30.0/24 -o %i -j ACCEPT; iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
MTU = 1380
DNS = 1.1.1.1
[Peer]
Endpoint = [INSERT PUBLIC IP ADDRESS OF CLOUD VM HERE]:[INSERT PORT NUMBER OF CLOUD VM HERE]
PublicKey = [INSERT PROXY SERVER PUBLIC KEY HERE]
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20
Step 4 - Enable and start Wireguard service (both servers)
systemctl enable --now wg-quick@wg0
Step 5 - Configure local computers to use your new gateway
- Change default gateway to the local IP address (10.20.30.x) of your LAN gateway.
- Change DNS Server IP address to 1.1.1.1.
Appendix A - Check Wireguard status
sudo wg
Appendix B - Updating your 4.x kernel
Take care when updating the kernel, since Wireguard on 4.x kernels depends on an on-demand, custom-built kernel module to function. If you don't install kernel headers for the new kernel version BEFORE updating the kernel package, Wireguard will stop working. To fix this, do the following:
- Reboot into your new kernel version.
sudo reboot
- Install kernel headers for the current kernel version.
sudo apt-get install linux-headers-$(uname -r)
- Rerun Wireguard DKMS.
sudo dpkg-reconfigure wireguard-dkms
- Reboot
sudo reboot
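Appendix C - Sanity checks (added example)
The script below is an added example, not part of the original guide. It checks the things that most often break the setup in Steps 2 to 4 and Appendices A and B: IP forwarding (Linux will not forward LAN traffic into wg0, or tunnel traffic out of ens4, unless net.ipv4.ip_forward is 1, and the guide's FORWARD and MASQUERADE rules do nothing without it), peer handshake age from `wg show wg0 dump`, the MSS clamp rule on the gateway, and the kernel headers that wireguard-dkms needs. Every check takes its input as an argument so it can be run against the live system or against the constructed sample data embedded below; the file name wg-check.sh, the function names and the sample values are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-setup sanity checks for
# the LAN gateway / cloud proxy pair. Each check takes its input as an argument
# so it can run against the live system or against constructed sample data.

TAB=$(printf '\t')

# Linux does not forward packets between the LAN NIC and wg0 (or between wg0
# and ens4 on the proxy) unless net.ipv4.ip_forward is 1.
ip_forward_enabled() {
    # $1: sysctl file to read (defaults to the live one)
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Print peers from `wg show wg0 dump` output whose latest handshake is older
# than $2 seconds, or that never completed one (handshake field is 0).
# Dump format: the first line describes the interface; every further line is
# one tab-separated peer: pubkey, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds), rx bytes, tx bytes, persistent-keepalive.
stale_peers() {
    # $1: dump text, $2: max handshake age in seconds, $3: "now" in epoch seconds
    printf '%s\n' "$1" | tail -n +2 |
        awk -F "$TAB" -v max="$2" -v now="$3" '$5 == 0 || now - $5 > max { print $1 }'
}

# The gateway's MSS clamp keeps TCP sessions from stalling at MTU 1380;
# confirm the rule really landed in the mangle table.
mss_clamp_present() {
    # $1: output of `iptables-save -t mangle`
    printf '%s\n' "$1" | grep -q -- '-j TCPMSS --clamp-mss-to-pmtu'
}

# Appendix B: wireguard-dkms can only rebuild the module when the headers for
# the running kernel are installed, i.e. /lib/modules/$(uname -r)/build exists.
kernel_build_dir_present() {
    # $1: build directory to test (defaults to the running kernel's)
    [ -d "${1:-/lib/modules/$(uname -r)/build}" ]
}

# Constructed sample of `wg show wg0 dump` (keys and endpoint are placeholders):
# one peer handshaked at epoch 1700000000, one peer that never handshaked.
SAMPLE_DUMP=$(printf '%s\t%s\t%s\t%s\n%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    PROXY_PRIV PROXY_PUB 11194 off \
    GATEWAY_PUB '(none)' 203.0.113.10:51820 '192.168.123.2/32,10.20.30.0/24' 1700000000 1234 5678 off \
    OTHER_PUB '(none)' '(none)' 192.168.123.3/32 0 0 0 off)

run_live_checks() {
    if ip_forward_enabled; then echo "ok:   net.ipv4.ip_forward=1"
    else echo "FAIL: net.ipv4.ip_forward=0 (sysctl -w net.ipv4.ip_forward=1 and persist it under /etc/sysctl.d)"; fi

    if kernel_build_dir_present; then echo "ok:   kernel headers present for $(uname -r)"
    else echo "FAIL: no kernel headers for $(uname -r); see Appendix B"; fi

    if mss_clamp_present "$(iptables-save -t mangle 2>/dev/null)"; then echo "ok:   TCPMSS clamp rule present"
    else echo "WARN: TCPMSS clamp rule missing (expected on the LAN gateway only)"; fi

    dump=$(wg show wg0 dump 2>/dev/null)
    if [ -z "$dump" ]; then echo "FAIL: wg0 is not up"
    else
        stale=$(stale_peers "$dump" 180 "$(date +%s)")
        if [ -z "$stale" ]; then echo "ok:   every peer handshaked within 180 s"
        else printf 'FAIL: no recent handshake from peer(s):\n%s\n' "$stale"; fi
    fi
}

# Run the live checks only when executed as wg-check.sh, not when sourced.
case "$0" in *wg-check.sh) run_live_checks ;; esac
```

Run it as root on each server with `sh wg-check.sh`. A peer listed as stale on the proxy with a handshake age over 180 s usually means the gateway's Endpoint or the cloud firewall rule for UDP port 11194 is wrong; a stale peer on the gateway while ip_forward is 0 on the proxy still handshakes, so the two checks together separate "tunnel down" from "tunnel up but nothing forwarded".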