Jom belajar Linux

Install Wireguard With Fullcone NAT Routing On Debian / Ubuntu

To read this tutorial in Malay, click here.

Part 1 – Install Iptables With Fullcone From Source

Update And Upgrade

First of all, we need to update and upgrade as usual;

apt-get update && apt-get upgrade -y

Install Kernel Headers

Install kernel headers with the following command;

apt-get install linux-image-amd64 linux-headers-amd64 -y

Reboot the server;

reboot

Install Dependencies

apt install build-essential autoconf autogen libtool pkg-config libgmp3-dev bison flex libreadline-dev git -y

Clone The Fullcone Dependencies With Git

cd /root/
mkdir fullcone
apt-get install git
cd fullcone
git clone git://git.netfilter.org/libmnl
git clone git://git.netfilter.org/libnftnl.git
git clone git://git.netfilter.org/iptables.git
git clone https://github.com/Chion82/netfilter-full-cone-nat.git

Compile LIBMNL

cd libmnl
sh autogen.sh
./configure
make && make install
ldconfig   # refresh the loader cache so the library just installed in /usr/local/lib is found at runtime
whereis libmnl
ldd /usr/local/lib/libmnl.so

Compile LIBNFTNL

cd /root/fullcone/libnftnl
sh autogen.sh
./configure
make && make install
ldconfig

Enable NETFILTER-FULLCONE NAT

cd /root/fullcone/netfilter-full-cone-nat
make
modprobe nf_nat
insmod xt_FULLCONENAT.ko

Finally, Build IPTables From Source

cp /root/fullcone/netfilter-full-cone-nat/libipt_FULLCONENAT.c /root/fullcone/iptables/extensions/
cd /root/fullcone/iptables
ln -sfv /usr/sbin/xtables-multi /usr/bin/iptables-xml
./autogen.sh
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
./configure
make && make install
rm -rf /sbin/iptables
rm -rf /sbin/iptables-restore
rm -rf /sbin/iptables-save
cd /usr/local/sbin
cp /usr/local/sbin/iptables /sbin/
cp /usr/local/sbin/iptables-restore /sbin/
cp /usr/local/sbin/iptables-save /sbin/

Verify the new version of iptables;

iptables -V

To load fullcone on startup;

cd /root/
kernel=`uname -r`
cp /root/fullcone/netfilter-full-cone-nat/xt_FULLCONENAT.ko /lib/modules/$kernel/
depmod
# write rc.local fresh: appending '#!/bin/sh' to an existing rc.local would put the shebang in the middle of the file
printf '#!/bin/sh\nmodprobe xt_FULLCONENAT\nexit 0\n' > /etc/rc.local
chmod +x /etc/rc.local

Then reboot the server;

reboot

Verify fullcone is loaded;

lsmod | grep xt_FULLCONENAT

Part 2 – Wireguard Server Installation and Configuration

Installation

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools -y

Configure Wireguard Server

Once installed, we need to create configuration for the server;

cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then we will create wg0.conf;

nano wg0.conf
[Interface]
PrivateKey = CHANGE_ME
Address = 10.0.0.1/24
ListenPort = 8080
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j FULLCONENAT
SaveConfig = true

Replace the word CHANGE_ME with your server's private key (the contents of /etc/wireguard/privatekey generated above).

Then, we turn on the Wireguard server;

wg-quick up wg0

To verify your Wireguard server is up;

wg show

Example output:

interface: wg0
  public key: dadwwadawdswwwFHjyR0QAUU2dYtxI/0l6RH6jWQ=
  private key: (hidden)
  listening port: 8080
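The tutorial verifies the module with lsmod and the server with wg show, but does not check that the pieces fit together: that the iptables in PATH is the build that knows the FULLCONENAT target, that the PostUp rule is actually in the nat table, and that IPv4 forwarding is enabled (wg-quick does not turn it on, and without it clients reach the server but nothing past the NAT rule). The script below is an added example, not part of the original tutorial. The check functions take their input as text so they can be run against captured output; run_live_checks feeds them the real system state. The outgoing interface name eth0 is the tutorial's assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for what Part 1
# and Part 2 set up. The small check functions take their input as text so they
# can be tested against captured output; run_live_checks feeds them the real
# system. The outgoing interface defaults to eth0, the tutorial's assumption.

# Succeeds when xt_FULLCONENAT is listed in lsmod or /proc/modules output ($1).
module_loaded() {
    printf '%s\n' "$1" | grep -q '^xt_FULLCONENAT[[:space:]]'
}

# Succeeds when an `iptables-save -t nat` dump ($1) contains the POSTROUTING
# rule that wg0.conf's PostUp installs for outgoing interface $2.
fullcone_rule_present() {
    printf '%s\n' "$1" | grep -q -e "^-A POSTROUTING -o $2 -j FULLCONENAT\$"
}

# Succeeds when IPv4 forwarding is on ($1 is the content of
# /proc/sys/net/ipv4/ip_forward). wg-quick does not enable forwarding, and
# without it peers reach the server but nothing behind the NAT rule.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Run every check against the live system and report; returns 1 on any failure.
run_live_checks() {
    iface="${1:-eth0}"
    rc=0
    if module_loaded "$(cat /proc/modules)"; then
        echo "ok   xt_FULLCONENAT loaded"
    else
        echo "FAIL xt_FULLCONENAT not loaded (modprobe xt_FULLCONENAT)"; rc=1
    fi
    # `iptables -j TARGET -h` only succeeds when the userspace extension for that target loads.
    if iptables -j FULLCONENAT -h >/dev/null 2>&1; then
        echo "ok   iptables in PATH knows the FULLCONENAT target"
    else
        echo "FAIL iptables cannot load the FULLCONENAT extension (is /sbin/iptables the source build?)"; rc=1
    fi
    if fullcone_rule_present "$(iptables-save -t nat 2>/dev/null)" "$iface"; then
        echo "ok   POSTROUTING FULLCONENAT rule present on $iface"
    else
        echo "FAIL no FULLCONENAT rule on $iface (is wg0 up, and is $iface the right interface?)"; rc=1
    fi
    if ip_forward_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL net.ipv4.ip_forward = 0 (set net.ipv4.ip_forward=1 in /etc/sysctl.conf and run sysctl -p)"; rc=1
    fi
    return $rc
}

# Run as: sh check-fullcone.sh --live [interface]
if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-eth0}"
fi
```

Run it as root after wg-quick up wg0; a FAIL line names the step of the tutorial to revisit. The forwarding check is the one most often missed, because every other step succeeds without it.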

Configure Wireguard Client

Create client folder

cd /root/
mkdir client
cd client

Generate private and public key for client1;

wg genkey | tee client1.priv | wg pubkey > client1.pub

Show and copy client1 public key;

cat client1.pub

To register client1 to the Wireguard server;

wg set wg0 peer XXXXXXXXXXXXXXXXX allowed-ips 10.0.0.2/32

Replace XXXXXXXXXXXXXXXXX with client1's public key (the output of cat client1.pub).

Remember to save the server config;

wg-quick save wg0

Make Client Conf File

nano client1.conf
[Interface]
PrivateKey = PRIVATEKEYCLIENT1
Address = 10.0.0.2/32
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = PUBLICKEYSERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 123.123.123.12:8080

PRIVATEKEYCLIENT1 should be replaced with the client's private key (the contents of client1.priv).

10.0.0.2 is the internal IP for client 1.

PUBLICKEYSERVER should be replaced with the public key of the server.

123.123.123.12 is the public IP address of the server, and port 8080 is the port on which the Wireguard server is listening.

Then save client1.conf. Import the config to the Wireguard client application.
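The client steps above (generate a key pair, register the peer with wg set, save the server config, write the client file) repeat for every client, and the hand edits are where mistakes creep in: a key pasted with a stray newline, or two clients given the same address. The script below is an added example, not part of the original tutorial, that performs those steps for client N. It assumes the tutorial's layout (server at 10.0.0.1/24, clients numbered from 10.0.0.2 upward, files written in the current directory, /root/client above) and validates the key and address before touching wg0.

```shell
#!/bin/sh
# Added example (not from the original tutorial): provision one client on the
# server, repeating the manual steps above (key pair, `wg set`, `wg-quick save`,
# client config) for client N. Assumes the tutorial's layout: server at
# 10.0.0.1/24, clients from 10.0.0.2 upward, files written in the current directory.

# Address of the Nth client, matching the tutorial (client1 -> 10.0.0.2/32).
# 10.0.0.1 is the server, so N runs from 1 to 253.
client_address() {
    n="$1"
    if [ "$n" -ge 1 ] && [ "$n" -le 253 ]; then
        echo "10.0.0.$((n + 1))/32"
    else
        echo "client index must be 1..253, got: $n" >&2
        return 1
    fi
}

# A WireGuard key is 32 bytes, i.e. exactly 44 base64 characters ending in '='.
# A key pasted with a stray newline or a missing character is the usual reason
# `wg set` rejects a peer, so check the length and the alphabet first.
valid_wg_key() {
    [ "${#1}" -eq 44 ] && printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Render the client config in the tutorial's layout.
# $1 client private key, $2 client address, $3 server public key, $4 endpoint host:port
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 1.1.1.1\nMTU = 1280\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0, ::/0\nEndpoint = %s\n' "$3" "$4"
}

# $1 client name, $2 client index, $3 server public key, $4 endpoint host:port
provision_client() {
    name="$1"
    addr="$(client_address "$2")" || return 1
    valid_wg_key "$3" || { echo "server public key does not look like a WireGuard key" >&2; return 1; }
    umask 077                                   # keys and configs must not be world-readable
    wg genkey | tee "$name.priv" | wg pubkey > "$name.pub"
    wg set wg0 peer "$(cat "$name.pub")" allowed-ips "$addr"
    wg-quick save wg0                           # persist the new peer into wg0.conf
    render_client_conf "$(cat "$name.priv")" "$addr" "$3" "$4" > "$name.conf"
    echo "wrote $name.conf ($addr); import it into the WireGuard client application"
}

# Example invocation (as root, from /root/client on the server; endpoint as in the tutorial):
# provision_client client2 2 "$(cat /etc/wireguard/publickey)" 123.123.123.12:8080
```

Each client gets its own index, so the allowed-ips value on the server and the Address in the client file always agree; the private key never leaves the .priv file except to be written into the .conf, which umask 077 keeps owner-readable only.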
