Wireguard: Fedora server and Android client

Computer Tips - Wireguard: Fedora server and Android client

Date: 2021feb26 Q. Wireguard: Fedora server and Android client A. This article in Fedora Magazine https://fedoramagazine.org/build-a-virtual-private-network-with-wireguard was my starting point. However I changed some things. Fedora Server Install

dnf install wireguard-tools

Make config folder

mkdir /etc/wireguard cd /etc/wireguard umask 077

Make keys

wg genkey | tee privatekey | wg pubkey > publickey

Make the server config file /etc/wireguard/wg0.conf

[Interface] Address = 192.168.2.1/24 PrivateKey = <SERVER-PRIVATE-KEY> # PostUp = Not necessary # PostDown = Not necessary ListenPort = 51820 [Peer] # My phone PublicKey = <PHONE-PUBLIC-KEY> AllowedIPs = 192.168.2.3/32

The 192.168.2.x range is for examples - changed it to something else Ensure you have forwarding enabled in /etc/sysctl.conf

net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1

If you needed to change that file do:

sysctl -p

I made a file called /etc/firewalld/services/mywireguard.xml with a custom port:

<?xml version="1.0" encoding="utf-8"?> <service> <short>Wireguard VPN</short> <description>Wireguard VPN</description> <port protocol="udp" port="51820"/> </service>

And added a reference to /etc/firewalld/zones/FedoraServer.xml

<?xml version="1.0" encoding="utf-8"?> <zone target="default"> <short>Public</short> ... <service name="mywireguard"/> <masquerade/> </zone>

Then reload

firewall-cmd --reload

Now we can start the server

systemctl start wg-quick@wg0

Android client Here is how I setup a client on Android The interface

This assigns the Android phone as address 192.168.2.3 It tells it to use the DNS server at 192.168.2.53 which is the DNS server on my LAN. The peer (ie the server)

The entry in Allowed IPs says we want Wireguard for all IP-addresses If you're on a paid link you may want to turn off the keep alive. Testing Use termux on Android to

ping google.com

On the Fedora side

wg

Will show

interface: wg0 public key: <PUBLIC-KEY> private key: (hidden) listening port: 51000 peer: <PUBLIC-KEY> endpoint: <IP-ADDRESS>:41984 allowed ips: 192.168.2.3/32 latest handshake: 39 seconds ago transfer: 4.62 MiB received, 71.96 MiB sent

So you can see if its handshaked and how much has been transferred Dump all Wireguard traffic

tcpdump -n -v -i wg0