H 240: WireGuard VPN (15 pts)

What You Need for This Project

Purpose

To make a point-to-point VPN connection from the Windows client to the Debian server.

Server Setup

On your Debian 10 Linux cloud server, in a Terminal session, execute these commands:

sudo apt update
sudo apt install linux-headers-$(uname -r) -y
sudo apt install -y wireguard
sudo su -
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
chmod 600 *
cat privatekey
cat publickey
exit

Make a note of your private and public keys, as shown below.

Execute this command:

sudo nano /etc/wireguard/wg0.conf

In nano, insert this text, as shown below.

Change the private key to the correct value for your system.

[Interface]
Address = 192.168.100.1/24
ListenPort = 51194
PrivateKey = IOmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxO0M=
SaveConfig = true

Save the file with Ctrl+X, Y, Enter.

Execute these commands:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo ss -nau

You should see a service listening on port 51194, as shown below.

Execute this command:

ip a

You should see an interface named "wg0" with your server's local IP address of 192.168.100.1, as shown below.

Opening a Port in the Google Cloud Firewall

In the Google Cloud Console, at the top left, click the three-bar "hamburger" icon. Scroll down to the NETWORKING section and click "VPC networks", "Firewall rules".

At the top center, click "CREATE FIREWALL RULE".

Enter these values, as shown below.

At the bottom of the page, click the Create button.

Finding your Server's Public IP Address

In the Google Cloud Console, at the top left, click the three-bar "hamburger" icon. Scroll down to the COMPUTE section and click "Compute Engine", "VM instances".

Find your server's public IP address, as shown below.

Make a note of it. You'll need it to configure your client.

Client Setup

On your Windows system, download and install the Windows client from this page:

Windows Client

In the WireGuard window, at the lower left, click the down-arrow next to "Add Tunnel" and click "Add empty tunnel...".

Enter a Name of GoogleCloud.

Add these lines below the automatically generated PrivateKey, as shown below.

You will have to change the EndPoint IP to your Google Cloud public IP and the PublicKey to your Linux server's WireGuard public key.

Address = 192.168.100.2/24
[Peer]
EndPoint = 35.239.173.115:51194
PublicKey = oUaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIUk=
AllowedIPs = 192.168.100.0/24
PersistentKeepalive = 20

Make a note of the client's Public key, outlined in red in the image below.

Click Save.

Click Activate.

Allow the Client on the Server

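On your Debian 10 Linux cloud server, in a Terminal session, execute these commands. Stop the service before editing: because the file sets SaveConfig = true, wg-quick rewrites wg0.conf from the running interface when it shuts down, which would discard edits made while the service is up.

sudo systemctl stop wg-quick@wg0
sudo nano /etc/wireguard/wg0.conf

Add these lines to the end of the file, as shown below, using the correct value for your client's public key.
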
[Peer]
PublicKey = JGWxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4nA=
AllowedIPs = 192.168.100.2/32

Save the file with Ctrl+X, Y, Enter.

Execute these commands:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
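
Before restarting the service, the edited wg0.conf can be checked offline. The following is an added example, not part of the original lab: the function names parse, key_ok and lint are hypothetical, the key in the sample is constructed, and the rule that every peer's AllowedIPs must sit inside the tunnel subnet is an assumption that fits this point-to-point lab with a single Address line.

```python
import base64
import ipaddress

def parse(text):
    """Split a wg-quick config into (section, {key: value}) pairs, keeping every [Peer]."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]").lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def key_ok(value):  # a WireGuard key is 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint(text):
    """Return a list of problems; raises ValueError on an unparsable address."""
    problems, claimed, sections = [], [], parse(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    if not key_ok(iface.get("privatekey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    subnet = ipaddress.ip_interface(iface.get("address", "")).network
    for n, peer in enumerate(kv for name, kv in sections if name == "peer"):
        if not key_ok(peer.get("publickey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        for cidr in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                problems.append(f"Peer {n}: {net} is outside tunnel subnet {subnet}")
            if any(net.overlaps(other) for other in claimed):
                problems.append(f"Peer {n}: {net} overlaps another peer's AllowedIPs")
            claimed.append(net)
    return problems

KEY = base64.b64encode(b"\x01" * 32).decode()  # constructed key for the sample below
SAMPLE = f"""[Interface]
Address = 192.168.100.1/24
ListenPort = 51194
PrivateKey = {KEY}
SaveConfig = true
[Peer]
PublicKey = {KEY}
AllowedIPs = 192.168.100.2/32
"""
```

Calling lint(SAMPLE) returns an empty list; a pasted placeholder key, or a second peer whose AllowedIPs overlaps 192.168.100.2/32, shows up as an entry in the returned list.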

Flag H 240: Keepalive (15 pts)

On your Windows machine, in the lower right, click the up-arrow and click the WireGuard icon, as shown below.

In the WireGuard window, click the Log tab.

Find a line beginning with "Sending keepalive".

The flag is covered by a green rectangle in the image below.

Posted 5-18-2020
More explicit client instructions added 6-8-2020