Background steps
Start with these steps prior to configuring your server (slice).
Obtain your link-local subnet
First, you’ll need a link-local subnet. Run the following commands:
date +%s%N
cat /var/lib/dbus/machine-id
Make note of the data that follows each command. Execute the following:
printf <date-code><machine-id> | sha1sum
Take the ensuing string before the dash and execute the following command:
printf <string> | cut -c 31-
The resulting string will be 10 digits that represent your link-local IP without the initial “fd” prefix. The commands in series when executed will look like the following:
jeffl@thunder:~$ date +%s%N
1691408593566195307
jeffl@thunder:~$ cat /var/lib/dbus/machine-id
007cc62312139d9d7e0ed89a94007567
jeffl@thunder:~$ printf 1691384330103279541007cc62312139d9d7e0ed89a94007567 | sha1sum
bf9fac1f2453e2177384d0ef2ebb18014deef615 -
jeffl@thunder:~$ printf bf9fac1f2453e2177384d0ef2ebb18014deef615 | cut -c 31-
014deef615
In this case, the value 014deef615 corresponds to a link-local subnet of fd01:4dee:f615::/64.
Install Wireguard
Execute:
apt install wireguard
Configure networking
Log into Stallion and configure your IPv4 and IPv6 settings. Assuming you used a template to install Ubuntu, your IPv4 should already be configured on the slice. You’ll need to assign an IPv6 IP and get your routed subnet.
NOTE: In Stallion, for IPv6, we do not need to setup an address for each peer, the purpose of the routed subnet is to assign the entire block of IPs to our slice and the client will determine the IP in its configuration. With this setup, your client can assign any IP within your routed subnet (or even multiple IPs so long as they are in your subnet). Since we are using NAT for IPv4, we have only 1 public IP and there is no configuration needed.
Your routed subnet will appear as something like 2605:xxxx:yyyy::/48 where xxxx and yyyy will be your specific values.
Edit /etc/netplan/<yourconfig>.yaml:
network:
version: 2
ethernets:
eth0:
addresses:
- 45.61.aaa.bbb/24
- 2605:xxxx:yyyy:zzzz::1/48
- 2605:xxxx:yyyy::1/48
routes:
- to: "0.0.0.0/0"
via: 45.61.aaa.1
- to: "::/0"
via: 2605:xxxx:yyyy::1
nameservers:
addresses: [169.254.168.53, 169.254.169.53]
Here, we explicitly set our IP addresses and we assign our routed subnet to eth0 which is our main network interface to the internet. We also set the routes 0.0.0.0/0 and ::/0 so that our IPv4 and IPv6 traffic goes to the appropriate gateway. You will find your gateway under Network > IPv6; click on the gear icon and select “network settings” from the dropdown and you’ll get a window of various settings.
Make sure to set your next hop address (after assigning your IPv6 address) under the Networking > Routed Subnets configuration or your subnet won’t be routed!
Values in the netplan configuration need to be adjusted accordingly to match your IPs and Gateway settings from Stallion.
After editing netplan, apply the changes to the configuration to make sure there are no errors:
netplan apply
Configure Sysctl
You’ll need to edit /etc/sysctl.conf:
Uncomment the lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
And add the line:
net.ipv6.conf.eth0.accept_ra = 2
Execute the follow to apply your changes to sysctl.conf:
sysctl -p
Configure Wireguard Server
Set it up like the following:
[Interface] Address = 10.8.0.1/24 Address = fd01:4dee:f615::1/64 SaveConfig = true PostUp = ip6tables -A FORWARD -i eth0 -o wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; PostDown = ip6tables -D FORWARD -i eth0 -o wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ListenPort = 51820 PrivateKey = <SERVER_PRIVATE_KEY> [Peer] PublicKey = <CLIENT_PUBLIC_KEY> AllowedIPs = 10.8.0.2/32, 2605:xxxx:yyyy::2/128
Substitute your keys respectively and change eth0 if you need to.
Configure the Wireguard Client
Your client configuration will look something similar to:
[Interface] PrivateKey = <CLIENT_PRIVATE_KEY> Address = 10.8.0.2/32, 2605:xxxx:yyyy::2/128 DNS = 2001:4860:4860::8888, 2001:4860:4860::8844, 8.8.8.8, 8.8.4.4 [Peer] PublicKey = <SERVER_PUBLIC_KEY> AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = <SLICE_ADDRESS>:51820 PersistentKeepalive = 25
The DNS addresses chosen here are the IPv6 and IPv4 addresses of Google. You can bring up Wireguard with:
wg-quick up wg0
If you get an error, you will see the commands executed by the script and any errors and can adjust accordingly. If you want, you can set Wireguard to autoexecute Wireguard on system start with the following:
systemctl enable wg-quick@wg0
Test
You can use the following websites: DNS Leak Test and Test-IPv6.