
Setting up Wireguard on BuyVM using Ubuntu with IPv4 (NAT) and IPv6 (routed)


Background steps

Start with these steps prior to configuring your server (slice).

Obtain your link-local subnet

First, you’ll need a link-local subnet. Run the following commands:

date +%s%N
cat /var/lib/dbus/machine-id

Make note of the data that follows each command. Execute the following:

printf <date-code><machine-id> | sha1sum

Take the ensuing string before the dash and execute the following command:

printf <string> | cut -c 31-

The resulting string is 10 hexadecimal characters (the last 40 bits of the hash); with the initial “fd” prefix in front, it is your link-local subnet. Executed in series, the commands look like the following:

jeffl@thunder:~$ date +%s%N
1691408593566195307
jeffl@thunder:~$ cat /var/lib/dbus/machine-id
007cc62312139d9d7e0ed89a94007567
jeffl@thunder:~$ printf 1691384330103279541007cc62312139d9d7e0ed89a94007567 | sha1sum
bf9fac1f2453e2177384d0ef2ebb18014deef615 -
jeffl@thunder:~$ printf bf9fac1f2453e2177384d0ef2ebb18014deef615 | cut -c 31-
014deef615

In this case, the value 014deef615 corresponds to a link-local subnet of fd01:4dee:f615::/64.
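As an added example, not part of the original post, the same derivation in Python: it replays printf | sha1sum | cut -c 31- on the values from the session above, builds the fd-prefixed subnet with the ipaddress module, and checks that the result sits in fc00::/7. That range is what RFC 4193 calls unique local addresses, and the procedure above is RFC 4193's global-ID algorithm (low 40 bits of a SHA-1), which is why the /48 is shown alongside the /64 the article uses. The sample timestamp, machine-id and digest are the ones printed above; the function names are mine.

```python
import hashlib
import ipaddress
from typing import Tuple

# Values copied from the terminal session above: the string the author fed to
# printf (timestamp + machine-id) and the SHA-1 that sha1sum printed for it.
SAMPLE_DATE_CODE = "1691384330103279541"
SAMPLE_MACHINE_ID = "007cc62312139d9d7e0ed89a94007567"
SAMPLE_DIGEST = "bf9fac1f2453e2177384d0ef2ebb18014deef615"


def global_id_from_digest(hexdigest: str) -> bytes:
    """The 40-bit global ID: the last 10 hex characters of the 40-character
    SHA-1, which is exactly what `cut -c 31-` keeps (cut counts from 1)."""
    if len(hexdigest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return bytes.fromhex(hexdigest[30:])


def ula_from_global_id(global_id: bytes) -> Tuple[str, str]:
    """Prefix the global ID with fd (fc00::/7 with the local bit set) and
    zero the remaining 80 bits.  Returns the /48 that RFC 4193 assigns to
    the global ID and the first /64 inside it, the subnet the article uses."""
    if len(global_id) != 5:
        raise ValueError("global ID must be 5 bytes (40 bits)")
    addr = ipaddress.IPv6Address(b"\xfd" + global_id + bytes(10))
    prefix48 = ipaddress.IPv6Network(f"{addr}/48")  # raises if host bits set
    subnet64 = ipaddress.IPv6Network(f"{addr}/64")
    return str(prefix48), str(subnet64)


def derive_ula(date_code: str, machine_id: str) -> Tuple[str, str]:
    """Replay the whole pipeline: printf <date><machine-id> | sha1sum | cut -c 31-."""
    digest = hashlib.sha1((date_code + machine_id).encode("ascii")).hexdigest()
    return ula_from_global_id(global_id_from_digest(digest))


def is_unique_local(prefix: str) -> bool:
    """True when the prefix lies in fc00::/7, the unique local range of RFC 4193."""
    return ipaddress.IPv6Network(prefix).subnet_of(ipaddress.IPv6Network("fc00::/7"))


if __name__ == "__main__":
    # The page's own digest, so the result can be compared with the text above.
    print(ula_from_global_id(global_id_from_digest(SAMPLE_DIGEST)))
    print(derive_ula(SAMPLE_DATE_CODE, SAMPLE_MACHINE_ID))
```

Any fresh timestamp and machine-id give a different, but equally valid, fd-prefixed subnet; what matters is that the prefix is drawn from the unique local range, so it cannot collide with the routed 2605: block or be mistaken for a globally routable address.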

Install Wireguard

Execute:

apt install wireguard

Configure networking

Log into Stallion and configure your IPv4 and IPv6 settings. Assuming you used a template to install Ubuntu, your IPv4 should already be configured on the slice. You’ll need to assign an IPv6 IP and get your routed subnet.

NOTE: In Stallion, for IPv6, we do not need to set up an address for each peer. The purpose of the routed subnet is to assign the entire block of IPs to our slice; the client then determines its own IP in its configuration. With this setup, your client can use any IP within your routed subnet (or even multiple IPs, so long as they are in your subnet). Since we are using NAT for IPv4, we have only one public IP, and no configuration is needed for it.

Your routed subnet will appear as something like 2605:xxxx:yyyy::/48 where xxxx and yyyy will be your specific values.

Edit /etc/netplan/<yourconfig>.yaml:

network:
  version: 2
  ethernets:
    eth0:
      addresses:
          - 45.61.aaa.bbb/24
          - 2605:xxxx:yyyy:zzzz::1/48
          - 2605:xxxx:yyyy::1/48
      routes:
        - to: "0.0.0.0/0"
          via: 45.61.aaa.1
        - to: "::/0"
          via: 2605:xxxx:yyyy::1
      nameservers:
        addresses: [169.254.168.53, 169.254.169.53]

Here, we explicitly set our IP addresses and we assign our routed subnet to eth0 which is our main network interface to the internet. We also set the routes 0.0.0.0/0 and ::/0 so that our IPv4 and IPv6 traffic goes to the appropriate gateway. You will find your gateway under Network > IPv6; click on the gear icon and select “network settings” from the dropdown and you’ll get a window of various settings.

Make sure to set your next hop address (after assigning your IPv6 address) under the Networking > Routed Subnets configuration or your subnet won’t be routed!

Values in the netplan configuration need to be adjusted accordingly to match your IPs and Gateway settings from Stallion.

After editing netplan, apply the changes to the configuration to make sure there are no errors:

netplan apply

Configure Sysctl

You’ll need to edit /etc/sysctl.conf:

Uncomment the lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

And add the line below, which keeps eth0 accepting router advertisements now that forwarding is enabled (with forwarding on, the kernel ignores router advertisements unless accept_ra is 2):

net.ipv6.conf.eth0.accept_ra = 2

Execute the following to apply your changes to sysctl.conf:

sysctl -p
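As an added check, not part of the original post: the snippet below parses sysctl.conf text the way sysctl -p reads it (comment lines count as absent, spacing around = is ignored, a repeated key takes its last value) and reports which of the three settings above are still missing. The BEFORE and AFTER samples are constructed to resemble the stock file before and after the edit; the function names are mine.

```python
from typing import Dict, List

# Constructed samples: BEFORE resembles the stock Ubuntu /etc/sysctl.conf, where
# the forwarding lines exist but are commented out; AFTER is the edited file.
BEFORE = """\
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
"""

AFTER = """\
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eth0.accept_ra = 2
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Effective key/value pairs as sysctl -p would load them."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or blank: contributes nothing
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value  # a key given twice keeps its last value
    return settings


def check_forwarding(settings: Dict[str, str], iface: str = "eth0") -> List[str]:
    """What is still missing for a host that forwards for WireGuard peers
    while continuing to process router advertisements on its uplink."""
    problems: List[str] = []
    if settings.get("net.ipv4.ip_forward") != "1":
        problems.append("net.ipv4.ip_forward is not 1: IPv4 NAT for peers cannot work")
    v6_forwarding = settings.get("net.ipv6.conf.all.forwarding") == "1"
    if not v6_forwarding:
        problems.append("net.ipv6.conf.all.forwarding is not 1: the routed subnet is not forwarded")
    # With forwarding on, the kernel ignores RAs unless accept_ra is 2.
    if v6_forwarding and settings.get(f"net.ipv6.conf.{iface}.accept_ra") != "2":
        problems.append(f"net.ipv6.conf.{iface}.accept_ra must be 2 once forwarding is on")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_forwarding(parse_sysctl_conf(text)) or "ok")
```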

Configure Wireguard Server

Create /etc/wireguard/wg0.conf (the file wg-quick reads for the wg0 interface) like the following:

[Interface]
Address = 10.8.0.1/24
Address = fd01:4dee:f615::1/64
SaveConfig = true
PostUp = ip6tables -A FORWARD -i eth0 -o wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT;
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = ip6tables -D FORWARD -i eth0 -o wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 2605:xxxx:yyyy::2/128

Substitute your keys respectively and change eth0 if your interface is named differently. Note that with SaveConfig = true, wg-quick rewrites this file from the running interface state when wg0 is brought down, so edit the file only while the interface is down or your manual changes will be overwritten.

Configure the Wireguard Client

Your client configuration will look something similar to:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/32, 2605:xxxx:yyyy::2/128
DNS = 2001:4860:4860::8888, 2001:4860:4860::8844, 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <SLICE_ADDRESS>:51820
PersistentKeepalive = 25

The DNS addresses chosen here are the IPv6 and IPv4 addresses of Google Public DNS. You can bring up Wireguard with:

wg-quick up wg0

If you get an error, wg-quick prints the commands it executed along with the error, so you can adjust accordingly. If you want Wireguard to start automatically at boot, enable the service:

systemctl enable wg-quick@wg0
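As an added example, not part of the original post: wg-quick loads the two configurations above as long as they are syntactically valid, so the errors that matter here (a peer's IPv6 AllowedIPs outside the routed subnet, a client Address that does not match the server's AllowedIPs, two peers claiming the same IP) are never reported. The Python below parses the wg-quick INI dialect itself, because configparser would merge repeated [Peer] blocks and keep only one of the two Address= lines, and then checks those properties. The sample configs are constructed to mirror the server and client files above, with 2001:db8:1234::/48 and 192.0.2.10 as documentation-range placeholders for the routed subnet and slice address and a dummy key in place of real keys; the function names are mine.

```python
import ipaddress
from typing import List, Tuple

# Constructed samples mirroring the configs above. 2001:db8:1234::/48 stands in
# for the routed subnet 2605:xxxx:yyyy::/48, 192.0.2.10 for the slice address,
# and DUMMY_KEY (32 zero bytes in base64) for the real keys; it is unusable as one.
DUMMY_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
ROUTED_V6 = "2001:db8:1234::/48"
SERVER_CONF = f"""\
[Interface]
Address = 10.8.0.1/24
Address = fd01:4dee:f615::1/64
ListenPort = 51820
PrivateKey = {DUMMY_KEY}

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.8.0.2/32, 2001:db8:1234::2/128
"""
CLIENT_CONF = f"""\
[Interface]
PrivateKey = {DUMMY_KEY}
Address = 10.8.0.2/32, 2001:db8:1234::2/128
DNS = 2001:4860:4860::8888, 8.8.8.8

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
"""
Section = Tuple[str, List[Tuple[str, str]]]


def parse_wg_conf(text: str) -> List[Section]:
    """Parse wg-quick's INI dialect, keeping repeated sections and keys."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg drops '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 may end in '='
            sections[-1][1].append((key.strip(), value.strip()))
        else:
            raise ValueError(f"malformed line: {raw!r}")
    return sections


def of(sections: List[Section], name: str) -> List[Section]:
    return [s for s in sections if s[0] == name]


def values(section: Section, key: str) -> List[str]:
    """Every comma-separated value for key; Address, AllowedIPs and DNS accumulate."""
    return [v.strip() for k, raw in section[1] if k.lower() == key.lower()
            for v in raw.split(",") if v.strip()]


def check_server(server_text: str, routed_v6: str = ROUTED_V6) -> List[str]:
    """Flag peers that wg-quick would load but that break the design above."""
    problems: List[str] = []
    sections = parse_wg_conf(server_text)
    routed, v4_nets = ipaddress.ip_network(routed_v6), []
    for a in values(of(sections, "Interface")[0], "Address"):
        ip = ipaddress.ip_interface(a)
        if ip.version == 4:
            v4_nets.append(ip.network)  # 10.8.0.1/24 -> 10.8.0.0/24, the NAT pool
    claimed: List[Tuple[int, object]] = []
    for n, peer in enumerate(of(sections, "Peer")):
        for a in values(peer, "AllowedIPs"):
            net = ipaddress.ip_network(a)
            if net.version == 4 and not any(net.subnet_of(v) for v in v4_nets):
                problems.append(f"peer {n}: {a} is outside the wg0 IPv4 network")
            if net.version == 6 and not net.subnet_of(routed):
                problems.append(f"peer {n}: {a} is outside the routed subnet {routed}")
            for m, other in claimed:  # wg hands an overlapping IP to the later peer
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"peer {n}: {a} overlaps {other} already given to peer {m}")
            claimed.append((n, net))
    return problems


def check_pairing(server_text: str, client_text: str) -> List[str]:
    """The client's Address list must equal exactly one server peer's AllowedIPs."""
    server, client = parse_wg_conf(server_text), parse_wg_conf(client_text)
    norm = lambda section, key: {str(ipaddress.ip_interface(a)) for a in values(section, key)}
    want = norm(of(client, "Interface")[0], "Address")
    if want not in [norm(p, "AllowedIPs") for p in of(server, "Peer")]:
        return [f"no server peer has AllowedIPs {sorted(want)}"]
    return []


if __name__ == "__main__":
    print(check_server(SERVER_CONF) or "server ok")
    print(check_pairing(SERVER_CONF, CLIENT_CONF) or "pairing ok")
```

Run it against your real files by reading them into the two strings and passing your own routed /48; the overlap check is the one to watch when adding a second peer, since WireGuard silently moves an AllowedIPs entry that two peers claim to whichever peer was configured last.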

Test

You can use the following websites: DNS Leak Test and Test-IPv6.

References

Check out the following links (as of September 10, 2024):

PFSense Wireguard Documentation

How to use Wireguard with UFW
