After the pandemic occurred, I purchased a DELL XPS 13 (9300) in 2020/04. As a laptop PC, I have no complaints about its performance: the screen is wide (1920x1200), the keyboard is good, and there is nothing to fault.
However, it is still insufficient for processing huge data, and you will want to use your home desktop PC. (I don't go out for work at all now, so I'm anticipating the future.) Therefore, I decided to create an environment where I can log in from outside by setting up a VPN to my home.
At first, I tried using the home router Yamaha RTX830 as the VPN server and an iPhone as the VPN client, but I couldn't connect at all...
Maybe the difference between IKEv1/v2, an ISP filter, a mobile operator filter, a misconfiguration, etc. I can think of candidates, but I'm tired.
Thinking so, I asked Google Sensei and found "I created an environment where I can develop on a home server over VPN with WireGuard", which explained how to build a VPN using WireGuard in a very easy-to-understand manner.
So I put WireGuard on a Raspberry Pi 4 Model B under the Yamaha RTX830, installed WireGuard on the DELL XPS 13 (9300) (Ubuntu 20.04 LTS) that I take out of the house, and decided to build a VPN between them.
WireGuard is a peer-to-peer connection, so there is no server/client concept. This means that WireGuard must be installed on both the Raspberry Pi and the laptop.
WireGuard-Raspi explains how to install it on the Raspberry Pi.
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install raspberrypi-kernel-headers
$ echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
$ sudo apt-get install dirmngr
$ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add -
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
$ sudo apt-get update
$ sudo apt-get install wireguard
$ sudo reboot
On the laptop (Ubuntu 20.04), it's easy because it can be installed with apt.
$ sudo apt update
$ sudo apt install wireguard
WireGuard needs a packet-forwarding setting.
Enable IP forwarding so that packets can be forwarded. WireGuard creates a P2P tunnel over UDP, and for the laptop outside the house to reach the home network, the Raspberry Pi side must also operate as a NAT box.
$ sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
$ sudo reboot
Check if it is set properly.
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Generate a private/public key pair for the VPN. Generate keys on both the Raspberry Pi and the laptop PC.
The protocol is P2P, but for convenience let's call the Raspberry Pi side the server and the laptop PC the client.
On the Raspberry Pi (server):
$ mkdir wgkeys
$ cd wgkeys/
$ umask 077
$ wg genkey > server_private.key
$ wg pubkey > server_public.key < server_private.key
On the laptop PC (client):
$ mkdir wgkeys
$ cd wgkeys/
$ umask 077
$ wg genkey > client_private.key
$ wg pubkey > client_public.key < client_private.key
Create a /etc/wireguard directory and place the configuration file (wg0.conf) there.
$ sudo mkdir /etc/wireguard/
$ sudo vim /etc/wireguard/wg0.conf
[Interface]
# 1. The IP address used inside the virtual VPN network.
#    For clarity, it is set to 10.0.0.1/24 this time.
Address = 10.0.0.1/24
# 2. The port WireGuard listens on. It is used when opening the port on the router, so change it as appropriate.
#    The port number can be anything.
ListenPort = 1194
# 3. Enter the private key generated with the wg command (server side) as a string.
PrivateKey = <server private key>
# 4. Replace eth0 with the interface open to the internet (e.g. it might be wlan0 for Wi-Fi).
#    These commands run when the interface comes up and goes down. Think of them as the NAT incantation for now.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# 5. Enter the public key generated with the wg command (client side) as a string.
PublicKey = <client public key>
# 6. For clarity, the client's virtual IP is 10.0.0.2/32.
#    Add it to the IPs allowed to connect to the server.
AllowedIPs = 10.0.0.2/32
To be able to connect from multiple peers, just add one [Peer] section per client.
Set up the laptop PC side in the same way as the Raspberry Pi.
$ sudo mkdir /etc/wireguard/
$ sudo vim /etc/wireguard/wg0.conf
However, no NAT settings are required on the laptop side.
[Interface]
# 1. Enter the private key generated with the wg command (client side) as a string.
PrivateKey = <client private key>
# 2. Client virtual IP
Address = 10.0.0.2/24
[Peer]
# 3. Enter the server's public key as a string.
PublicKey = <server public key>
# 4. Add the server's virtual IP (10.0.0.1/32) to the IPs the client may reach through the tunnel.
#    Also add the home network's address range.
AllowedIPs = 10.0.0.1/32,192.168.0.0/24
# 5. The server's global IP (an FQDN is fine) and the port the router exposes on the outside
#    (11194 here; the router forwards it to the ListenPort 1194 chosen on the server side).
Endpoint = <server global ip address>:11194
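As an added example (not code from the original post), the following POSIX shell script renders the server wg0.conf with one [Peer] block per client, renders the matching client wg0.conf, and checks that no AllowedIPs entry is listed under two peers, since WireGuard routes by AllowedIPs and a duplicate would silently hand that address to the last peer. It takes the key strings as arguments (the placeholder keys in the demo are constructed) and assumes the same addresses, ports and LAN range as the post.

```shell
#!/bin/sh
# Added example, not from the original post. Keys are passed in as strings
# (produced earlier with `wg genkey` / `wg pubkey`), so this runs without wg.

# render_server_conf SERVER_PRIVKEY WAN_IF CLIENT_PUBKEY:CLIENT_VPN_IP ...
# Prints the Raspberry Pi wg0.conf with one [Peer] block per client argument.
render_server_conf() {
    srv_key=$1; wan_if=$2; shift 2
    printf '[Interface]\nAddress = 10.0.0.1/24\nListenPort = 1194\nPrivateKey = %s\n' "$srv_key"
    # %%i is printf's escape for a literal %i, which wg-quick expands to wg0
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan_if"
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$wan_if"
    for peer in "$@"; do
        # a /32 per client: only that one tunnel address is accepted from its key
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "${peer%%:*}" "${peer#*:}"
    done
}

# render_client_conf CLIENT_PRIVKEY CLIENT_VPN_IP SERVER_PUBKEY ENDPOINT_HOST:PORT
# Prints the laptop wg0.conf; no NAT lines are needed on this side.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$2"
    # 10.0.0.1/32 is the server's tunnel address, 192.168.0.0/24 the home LAN
    # behind it (as in the post); change the LAN range to match your router.
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.1/32,192.168.0.0/24\nEndpoint = %s\n' "$3" "$4"
}

# check_unique_allowed_ips < wg0.conf
# WireGuard routes by AllowedIPs, so an address listed under two peers is
# silently owned by whichever peer comes last. Returns 1 and lists duplicates.
check_unique_allowed_ips() {
    dups=$(sed -n 's/^AllowedIPs *= *//p' | tr ',' '\n' | tr -d ' ' | sort | uniq -d)
    [ -z "$dups" ] || { printf 'duplicate AllowedIPs:\n%s\n' "$dups" >&2; return 1; }
}

# Demo with constructed placeholder keys (real ones are 44-character base64):
if [ "${1:-}" = demo ]; then
    srv=$(render_server_conf 'SERVER_PRIV_PLACEHOLDER=' eth0 \
        'CLIENT1_PUB_PLACEHOLDER=:10.0.0.2' 'CLIENT2_PUB_PLACEHOLDER=:10.0.0.3')
    printf '%s\n' "$srv" | check_unique_allowed_ips && printf '%s\n\n' "$srv"
    render_client_conf 'CLIENT1_PRIV_PLACEHOLDER=' 10.0.0.2 'SERVER_PUB_PLACEHOLDER=' 'vpn.example.com:11194'
fi
```

Run it as `sh render-wg.sh demo` to print both configs; pipe a real wg0.conf into check_unique_allowed_ips before `wg-quick up` when you add peers.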
Raise WireGuard on the Raspberry Pi (server) side as follows.
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Make WireGuard start automatically when the Raspberry Pi boots.
$ sudo wg-quick down wg0
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
Set up port forwarding on the Yamaha RTX830.
It converts UDP port 11194 received on the outside to port 1194 on the Raspberry Pi and forwards it there.
pp select 1
ip filter 200100 pass * <IP address of Raspberry Pi> udp * 1194
pp1# ip pp secure filter in ... 200100
no pp select
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 1 <IP address of Raspberry Pi> udp 11194=1194
Adjust this according to your own home router.
To make a VPN connection from the laptop PC with WireGuard, execute the following command.
$ sudo wg-quick up /etc/wireguard/wg0.conf
To disconnect the VPN connection:
$ sudo wg-quick down /etc/wireguard/wg0.conf
Now you can connect to your home network from outside your home. Now you can access your desktop PC and comfortably process huge amounts of data.
If you don't want to keep your desktop PC running all the time ... please read.