Wireguard
Server
Install the kernel module (wireguard.ko) and the wg and wg-quick tools:
sudo apt update
sudo apt install wireguard
Generate server keys:
cd /etc/wireguard
umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
Create the WireGuard server config /etc/wireguard/wg0.conf (eth0 in the PostUp/PostDown rules is the outbound interface that is masqueraded):
[Interface]
PrivateKey = <private key content>
Address = 172.16.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
To enable IP forwarding, uncomment or add this line in /etc/sysctl.conf:
net.ipv4.ip_forward=1
Apply IP forwarding and start the wireguard server:
sudo sysctl -p
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Firewall configuration:
sudo ufw allow 51820/udp
Peer
To create a user (peer) connection in WireGuard, you need to configure both the server and the client (user). Below is a complete and clear step-by-step guide for adding a new WireGuard peer (user) connection.
On the admin Linux VM, generate the user's key pair:
wg genkey | tee user1_privatekey | wg pubkey > user1_publickey
Create user's wireguard configuration:
[Interface]
PrivateKey = <contents of user1_privatekey>
Address = <peer-ip>
DNS = <dns-server-ip>
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
You can also set MTU = 1200 for using the VPN in L2TP ISP networks.
The peer-ip should be set with mask /32. The dns-server-ip is the internal infrastructure DNS server used to resolve domain names for services; for example, in Azure it is 168.63.129.16, or it can be your custom infrastructure DNS resolver.
It is better to restrict the AllowedIPs parameter to the specific IP ranges you actually need to reach, rather than routing all traffic through the tunnel:
172.16.1.0/24, 10.12.1.0/24, 10.12.2.0/24, 10.12.3.0/24, 10.12.4.0/24, 168.63.129.0/24
Add the peer to the server-side configuration file /etc/wireguard/wg0.conf:
[Peer] # username
PublicKey = <contents of user1_publickey>
AllowedIPs = <peer-ip>
sudo systemctl restart wg-quick@wg0
You can monitor the connection on the server:
sudo wg show
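As an added check (not part of the original page), the script below parses a server-side wg0.conf and flags peers whose AllowedIPs is not a single, unique /32 inside the interface subnet, which is the rule the peer section above relies on. The sample config and its key placeholders are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of a server-side /etc/wireguard/wg0.conf; key values are placeholders.
SAMPLE_WG0_CONF = """\
[Interface]
PrivateKey = <server private key>
Address = 172.16.0.1/24
[Peer] # user1
PublicKey = <user1 public key>
AllowedIPs = 172.16.0.2/32
[Peer] # user2
PublicKey = <user2 public key>
AllowedIPs = 172.16.0.0/24
[Peer] # user3
PublicKey = <user3 public key>
AllowedIPs = 172.16.0.2/32
"""

def parse_wg_conf(text):
    """Return ([Interface] dict, list of [Peer] dicts); '# name' after [Peer] becomes Name."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(Interface|Peer)\]\s*(?:#\s*(\S.*))?$", line)
        if header:
            current = interface if header.group(1) == "Interface" else {"Name": header.group(2) or "?"}
            if header.group(1) == "Peer":
                peers.append(current)
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def check_peers(text):
    """List peers whose AllowedIPs is not one unique /32 inside the interface subnet."""
    interface, peers = parse_wg_conf(text)
    subnet = ipaddress.ip_interface(interface["Address"]).network
    findings, seen = [], {}
    for peer in peers:
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != 32:
                findings.append(f"{peer['Name']}: AllowedIPs {net} is not a /32")
            elif not net.subnet_of(subnet):
                findings.append(f"{peer['Name']}: {net} is outside {subnet}")
            elif net in seen:
                findings.append(f"{peer['Name']}: {net} already assigned to {seen[net]}")
            seen.setdefault(net, peer["Name"])
    return findings
```

Run check_peers on the real file before `systemctl restart wg-quick@wg0`; a wider-than-/32 entry lets one peer claim a whole range, and a duplicate /32 silently reassigns the address to the last peer listed.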
NetworkManager
nmcli connection add type wireguard \
con-name wg0 ifname wg0 autoconnect yes \
wireguard.private-key <CLIENT_PRIVATE_KEY>
FortiGate
Peer
sudo apt install network-manager-fortisslvpn
nmcli connection add type vpn con-name <CONNECTION-NAME> \
vpn-type fortisslvpn \
-- \
vpn.data "gateway=<GATEWAY-IP-ADDRESS>:<PORT>,user=<USERNAME>" \
vpn.secrets "password=<PASSWORD>" \
ipv4.never-default yes \
connection.autoconnect no
Debug:
sudo journalctl -u NetworkManager -f
If gateway certificate validation fails, add the trusted-cert digest parameter:
vpn.data "gateway=<GATEWAY-IP-ADDRESS>:<PORT>,user=<USERNAME>,trusted-cert=<CERT-DIGEST>" \