
WireGuard Setup -- public-risk infrastructure

Overview

This guide documents how WireGuard has been set up:

  • Server: Ubuntu 24.04 (Hetzner, public-risk stack)
  • Client: macOS
  • VPN subnet: 10.8.0.0/24
  • Goals:
    • Secure SSH access
    • Reach internal services over the VPN
    • No SSH open to the world

1. Architecture

Mac (10.8.0.2) → WireGuard → Server (10.8.0.1)

WireGuard runs on UDP 51820.


2. Server Setup (Ubuntu)

Installation

sudo apt update
sudo apt install wireguard

Generating keys

Absolute paths are used because an unprivileged shell cannot cd into a 700 directory owned by root:

sudo mkdir -p -m 700 /etc/wireguard

sudo wg genkey | sudo tee /etc/wireguard/server_private.key | sudo wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key

Configuration: /etc/wireguard/wg0.conf

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

PostUp = sysctl -w net.ipv4.ip_forward=1
# the rule is tagged with a comment so PostDown can find it: nft cannot delete a rule by its text, only by handle
PostUp = nft add rule inet filter input udp dport 51820 accept comment \"wg0\"
PostDown = nft delete rule inet filter input handle $(nft -a list chain inet filter input | awk '/comment "wg0"/ {print $NF; exit}')

[Peer]
PublicKey = <MAC_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

Enabling the service

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check:

sudo wg

3. nftables configuration

Rules in the inet filter input chain (the same chain the PostUp hook uses):

udp dport 51820 ct state new accept
ip saddr 10.8.0.0/24 accept

4. macOS Setup

Installation

Via the App Store (WireGuard) or:

brew install wireguard-tools

Generating keys

The subshell with umask 077 keeps private.key from being created world-readable:

(umask 077; wg genkey | tee private.key | wg pubkey > public.key)

macOS configuration

[Interface]
PrivateKey = <MAC_PRIVATE_KEY>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25

5. SSH via VPN

~/.ssh/config

Host vpn
    HostName 10.8.0.1
    User pi

Usage:

ssh pi@vpn

6. Security strategy

  • SSH only via the VPN
  • Restrict or close the public SSH port
  • Default DROP policy
  • Only UDP 51820 open

Example:

ip saddr 10.8.0.0/24 tcp dport 22 accept
tcp dport 22 drop

7. Troubleshooting

No handshake

sudo wg
sudo systemctl status wg-quick@wg0

Port check

sudo ss -ulnp | grep 51820

IP forwarding

sysctl net.ipv4.ip_forward

Should be:

net.ipv4.ip_forward = 1

8. Operational management

Restart:

sudo systemctl restart wg-quick@wg0

Adding a new peer (after adding its [Peer] block to wg0.conf; this applies the change without bringing the interface down, so existing sessions stay up):

sudo wg syncconf wg0 <(wg-quick strip wg0)

9. Security Notes

  • Never commit private keys
  • /etc/wireguard permissions: 700
  • Private keys: 600
  • PersistentKeepalive is needed for clients behind NAT
  • UDP 51820 is the only public VPN port
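
The following health check is an added example, not part of the original guide. It turns the "no handshake" check from section 7 and the permission rules above into a script for the server; stale_peers, perms_ok and the 180 s threshold are assumptions of this example (WireGuard rekeys roughly every two minutes and the client keeps the tunnel alive every 25 s, so an older handshake means the peer is effectively down).

```shell
#!/usr/bin/env bash
# Added health check for the wg0 setup in this guide (not part of the original page).
# MAX_AGE is an assumption: WireGuard rekeys about every two minutes while traffic
# flows and the client sends a keepalive every 25 s, so a handshake older than
# 180 s means the tunnel is effectively down for that peer.
MAX_AGE=180

# stale_peers: stdin = output of "wg show wg0 latest-handshakes" (pubkey<TAB>epoch),
# $1 = current epoch. Prints the public key of every peer whose last handshake is
# older than MAX_AGE; an epoch of 0 means the peer never completed a handshake.
stale_peers() {
    now=$1
    while IFS="$(printf '\t')" read -r key ts; do
        [ -n "$key" ] || continue
        if [ "$ts" -eq 0 ] || [ $((now - ts)) -gt "$MAX_AGE" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# perms_ok: the config directory must be 700 and every *.key and *.conf file 600.
# Uses GNU stat, i.e. it is meant for the Ubuntu server, not the Mac.
perms_ok() {
    dir=$1
    [ "$(stat -c %a "$dir")" = 700 ] || return 1
    for f in "$dir"/*.key "$dir"/*.conf; do
        [ -e "$f" ] || continue
        [ "$(stat -c %a "$f")" = 600 ] || return 1
    done
    return 0
}

# Constructed sample: one healthy peer, one stale peer, one that never connected.
SAMPLE=$(printf 'AAAA=\t1700000000\nBBBB=\t1699999000\nCCCC=\t0')

if [ "${1:-}" = "--live" ]; then   # run on the server as root against the real interface
    wg show wg0 latest-handshakes | stale_peers "$(date +%s)"
    perms_ok /etc/wireguard && echo "permissions ok" || echo "permissions wrong"
else
    printf '%s\n' "$SAMPLE" | stale_peers 1700000100   # prints BBBB= and CCCC=
fi
```

Run it with --live on the server (as root) to check the real interface; without arguments it only exercises the constructed sample.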

Network overview

Device   VPN IP     Role
Server   10.8.0.1   Gateway
Mac      10.8.0.2   Client


End of document