Search the Community

In this guide I decided to describe few use cases which can be used with wireguard on all operating systems as well to share some of my observations and experience. Private networks are not always private and on one side one would like to encrypt full communication with specific devices. Torguard offers 8 connections/devices at the same time, but not with all IP's/Ports at the same time and that part is a little bit undocumented by TorGuard which makes it a little bit more complicated. As example, shared IP's can be used with wireguard with all 8 devices at the same time, openvpn would require each of them to use different port/encryption. However, if one used shared IP address to open port on it with wireguard, then you can not connect with another device to that same ip which technically is kinda still shared IP, at least that was my observation and if I as example create a config with one public key for port forwarded address, then creating another config for second client would invalidate the first one. With the example above we see that there are sometimes restrictions, in this guide I will explicitly talk about shared ip address which is used for port forwarding when I mention portforwarding/dedicated ip. Guide status: in progress (I will remove this status line after I have finished the guide, it got now quite long and I guess I need to make it more compact with more use cases) Goals of this guide: Encrypt communication of local and remote devices with by wireguard Use TorGuard server/servers for and home server in one config file (one interface) Easy and simple setup and maintenance using any/max amount of allowed torguard connections for any amount of devices by any of those devices Requirements: Wireguard client and knowledge how to install/use it - Installation - Key generation - Command-line Interface Torguard config for wireguard which you can create on your account page In this guide I will ref to 123.123.123.123 as torguard server (torguard uses currently udp port 1443 as default for wireguard protocol) WGPeer VPN IPs - 178.10.10.x for non torguard vpn ip's. Peer1 - 192.168.0.10 IP of device which is connected to TorGuard VPN, with local VPN IP 178.10.10.10 Peer2 - 192.168.0.20 IP of device which is connected to 192.168.0.10 as peer using TorGuard VPN with local VPN IP 178.10.10.20 Install wireguard Create wireguard config, download it and test it login to your account on torguard and navigate to vpn config generator where you choose wireguard as protocol and follow instructions. Test your config and make sure you are connected to wireguard and that everything works, only then proceed to next step. this is our Peer1 which provides wireguard connection Open downloaded config with any text editor, here is example config for this guide: [Interface] PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30= ListenPort = 51820 DNS = 1.1.1.1 Address = 10.11.12.13/32 [Peer] PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA= AllowedIPs = 0.0.0.0/0 Endpoint = 123.123.123.123:1443 PersistentKeepalive = 25 This config does not require a lot explanation, maybe AllowedIP's should be explained, if you want all your traffic to go through specific peer then and only then use 0.0.0.0/0. You can specify subnets/ip's which you want to be routed. For this guide this is exactly what we want, all traffic from this wireguard interface should go through TorGuards server 123.123.123.123:1443. Create new private, public and preshared keys for Peer2 (here is info how to do it) Create new key wg genkey 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= Peer2 interface private key: 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= Create public key of previously generated private key echo 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= | wg pubkey PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc= Peer2 interface public key: PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc= Create new preshared key to add additional layer of security wg genpsk gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= Peer2 preshared key: gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= Get public key from TorGuard's downloaded config in case that it was autogenerated by TorGuard echo SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30= | wg pubkey oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM= Peer 1's public key: oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM= Create wireguard config for Peer2 Here you can configure if Peer2 wants to use Peer1 to route all traffic through it by setting allowedip of Peer1 to 0.0.0.0/0. In case that you do not want anything else to be routed but as example only communication to this device, then use VPN address of your peer one, below in example I marked it out: AllowedIPs = 178.10.10.10/32 # Peer 2's interface [Interface] SaveConfig = false PrivateKey = 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= Address = 178.10.10.20/32 ListenPort = 51821 DNS = 1.1.1.1,1.0.0.1 # Peer 1 - local connection [Peer] PublicKey = oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM= PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= #AllowedIPs = 178.10.10.10/32 AllowedIPs = 0.0.0.0/0 Endpoint = 192.168.0.10:51820 PersistentKeepalive = 0 Add Peer2 to Peer1's config (to the config which you generated with torguard's config generation tool) # Peer 1 interface [Interface] PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30= ListenPort = 51820 DNS = 1.1.1.1 Address = 10.11.12.13/32 # TorGuard VPN connection [Peer] PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA= AllowedIPs = 0.0.0.0/0 Endpoint = 123.123.123.123:1443 PersistentKeepalive = 10 # Peer 2 [Peer] PublicKey = PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc= PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= AllowedIPs = 178.10.10.20/32 Endpoint = 192.168.0.20:51821 PersistentKeepalive = 10 Peer 2 Endpoint is optional, I simply it added it here so that one can see better which device it is, for devices outside of your network like phone devices, removing Endpoint line will set it automaticaly to the IP address which connects. You can also use dynamic dns here if you really want to restrict it for devices with changing ip. Configure firewall and final steps Open your wireguard interface ports (udp) on your peers, 51820 for Peer 1 and 51821 on Peer 2, example with ufw on linux with sudo: sudo ufw allow 51820/udp Please ref to your firewall manual how to open UDP port. If you want to have access to your LAN or other interfaces on same device, the you have to enable masquerading on openwrt. For most linux distributions, check which interfaces you have with ifconfig, assuming your local network device is eth0, then add this to your wireguard config file interface configuration: PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE For current guide it would look like this for peer 1: # Peer 1 interface [Interface] PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30= ListenPort = 51820 DNS = 1.1.1.1 Address = 10.11.12.13/32 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # TorGuard VPN connection [Peer] PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA= AllowedIPs = 0.0.0.0/0 Endpoint = 123.123.123.123:1443 PersistentKeepalive = 10 # Peer 2 [Peer] PublicKey = PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc= PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= AllowedIPs = 178.10.10.20/32 Endpoint = 192.168.0.20:51821 PersistentKeepalive = 10 and for Peer 2, assuming interface name is enp3s0: # Peer 2's interface [Interface] SaveConfig = false PrivateKey = 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= Address = 178.10.10.20/32 ListenPort = 51821 DNS = 1.1.1.1,1.0.0.1 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE # Peer 1 - local connection [Peer] PublicKey = oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM= PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc= #AllowedIPs = 178.10.10.10/32 AllowedIPs = 0.0.0.0/0 Endpoint = 192.168.0.10:51820 Restart wireguard on both devices As a result, both devices would use TorGuards IP 123.123.123.123 and all communication is encrypted. You can add to your Peer 1 as well as Peer 2 as many peers as you want (as long as there are enough ip's, with ipv6 this number is quite huge). Most users would like to split wireguard into functions like server config and client config, but wireguard is peer based vpn and any client is a server at the same time if configured to be. You can configure each separate Peer to use any of existing peers for connections to different networks. Multiple Connections to TorGuard from Same peer Normally I would split devices using different torguard servers to offer gateways which can be used, in case of wireguard it is not required at all, I can add additional (even all 8 allowed by TorGuard) to one single peer and that peer can share all 8 connections to any device. For everybody who plans to run this from home, be aware, that when you connect from outside, your download speeds outside can not be higher than your upload speed of your home connection, many offer 1Gbit download, but I do not know many providers who offer same speed for uploads for acceptable price. Sometimes I want to use my internet without VPN but still be connected to my peers and changing it is simply to change allowedips line in the peer config. Full encryption in local networks There are many possible cases where a users would like to have all connections, including local connections encrypted, good example are private networks for students as well as some public networks where anybody in local network could actually intercept communication. All devices where wireguard can be installed and it reaches full/acceptable speed, those should be then configured over wireguard. I use currently over 60 devices which are connected to each other over wireguard accross 3 different countries using differnt ip addresses including torguards and it works like a charm. First time setup could be confusing and if you have many devices, better write scripts creating all configs and QR codes for your mobile devices. With that, I do not need to use anymore wireguard client as all my 60 connected devices can use any of IP's which I set and all of it is easy it change if one needs changes. Performance If all your local network communication runs over wireguard, then copying large files which would use full bandwith of your interface might get slower. Considering that rpi4 easily reaches 500Mbit/s over wireguard, without VPN it gets quite the full 1Gb which the interface offers, it would be only an issue for people who daily copy large amounts of data from one pc to another, like snapshots or backups, however, you can always use also direct, non encrypted communication by simply using its local address instead of vpn's. On one location I do use rock pi4 device which is kinda the same as rpi4, my connection there is 250/50Mb and rockpi4 reaches 100% where the cpu is used maybe max at 5-6%. Locally rock pi4 reaches over wireguard around 520, without wireguard 980. @Support this is what I meant back then with extending functionality of torguard by letting users configure additional peers where all steps above can be easily implemented into the GUI, currently, I can use torguard-wg and wg0 if configured properly, but having more than one wg interface makes it all less transparent and brings some troubles with it and possibility for required interface restart grows. I also miss some specifications, like about when which servers and in which combinations can be used by multiple clients at the same time as everything I wrote here is based on only my experience.