TorGuard

🔥 Wireguard guide/use case example & Torguard feature suggestion (full local encryption and sharing torguard connection to unlimited amount of devices)


19807409

In this guide I decided to describe a few use cases which can be used with WireGuard on all operating systems, as well as to share some of my observations and experience. Private networks are not always private, and on one side one would like to encrypt full communication with specific devices. TorGuard offers 8 connections/devices at the same time, but not with all IPs/ports at the same time, and that part is a little bit undocumented by TorGuard, which makes it a little bit more complicated. As an example, shared IPs can be used with WireGuard with all 8 devices at the same time; OpenVPN would require each of them to use a different port/encryption. However, if one used a shared IP address to open a port on it with WireGuard, then you can not connect with another device to that same IP, which technically is kinda still a shared IP, at least that was my observation; and if I, as an example, create a config with one public key for a port forwarded address, then creating another config for a second client would invalidate the first one.

With the example above we see that there are sometimes restrictions. In this guide I will explicitly talk about the shared IP address which is used for port forwarding whenever I mention port forwarding/dedicated IP.

Guide status: in progress (I will remove this status line after I have finished the guide; it has now gotten quite long and I guess I need to make it more compact with more use cases)

Goals of this guide:

  • Encrypt communication of local and remote devices with WireGuard
  • Use TorGuard server/servers and a home server in one config file (one interface)
  • Easy and simple setup and maintenance, using any/the max amount of allowed TorGuard connections for any amount of devices, by any of those devices

 

Requirements:

  1. WireGuard client and knowledge of how to install/use it
    - Installation
    - Key generation
    - Command-line Interface
  2. TorGuard config for WireGuard, which you can create on your account page

 

In this guide I will refer to

  • 123.123.123.123 as the TorGuard server
    (TorGuard currently uses UDP port 1443 as default for the WireGuard protocol)
  • WGPeer VPN IPs - 178.10.10.x for non-TorGuard VPN IPs.
    • Peer1 - 192.168.0.10, IP of the device which is connected to the TorGuard VPN, with local VPN IP 178.10.10.10
    • Peer2 - 192.168.0.20, IP of the device which is connected to 192.168.0.10 as a peer, using the TorGuard VPN with local VPN IP 178.10.10.20

 

  1. Install WireGuard
  2. Create a WireGuard config, download it and test it
    Log in to your account on TorGuard and navigate to the VPN config generator, where you choose WireGuard as protocol and follow the instructions.
  3. Test your config and make sure you are connected to WireGuard and that everything works; only then proceed to the next step.
    This is our Peer1, which provides the WireGuard connection.
  4. Open the downloaded config with any text editor; here is the example config for this guide:
    [Interface]
    PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30=
    ListenPort = 51820
    DNS = 1.1.1.1
    Address = 10.11.12.13/32
    
    [Peer]
    PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 123.123.123.123:1443
    PersistentKeepalive = 25

    This config does not require a lot of explanation; maybe AllowedIPs should be explained: if you want all your traffic to go through a specific peer, then and only then use 0.0.0.0/0. You can specify subnets/IPs which you want to be routed. For this guide this is exactly what we want: all traffic from this WireGuard interface should go through TorGuard's server 123.123.123.123:1443.

  5. Create new private, public and preshared keys for Peer2 (here is info on how to do it)
    • Create a new key
      wg genkey
      2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M=

      Peer2 interface private key: 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M=

    • Create the public key of the previously generated private key
      echo 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M= | wg pubkey
      PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=

      Peer2 interface public key: PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=

    • Create a new preshared key to add an additional layer of security
      wg genpsk
      gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=

      Peer2 preshared key: gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=

  6. Get the public key from TorGuard's downloaded config, in case it was autogenerated by TorGuard
     

    echo SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30= | wg pubkey
    oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=

    Peer 1's public key: oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=

  7. Create the WireGuard config for Peer2
    Here you can configure whether Peer2 should use Peer1 to route all traffic through it, by setting the AllowedIPs of Peer1 to 0.0.0.0/0. In case you do not want anything else to be routed but, as an example, only communication to this device, then use the VPN address of your Peer1; in the example below I marked it out: AllowedIPs = 178.10.10.10/32
    # Peer 2's interface
    [Interface]
    SaveConfig = false
    PrivateKey = 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M=
    Address = 178.10.10.20/32
    ListenPort = 51821
    DNS = 1.1.1.1,1.0.0.1
    
    # Peer 1 - local connection
    [Peer]
    PublicKey = oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=
    PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
    #AllowedIPs = 178.10.10.10/32
    AllowedIPs = 0.0.0.0/0
    Endpoint = 192.168.0.10:51820
    PersistentKeepalive = 0

     

  8. Add Peer2 to Peer1's config
    (the config which you generated with TorGuard's config generation tool)
    # Peer 1 interface
    [Interface]
    PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30=
    ListenPort = 51820
    DNS = 1.1.1.1
    Address = 10.11.12.13/32
    
    # TorGuard VPN connection
    [Peer]
    PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 123.123.123.123:1443
    PersistentKeepalive = 10
    
    # Peer 2
    [Peer]
    PublicKey = PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=
    PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
    AllowedIPs = 178.10.10.20/32
    Endpoint = 192.168.0.20:51821
    PersistentKeepalive = 10

    The Peer 2 Endpoint is optional; I simply added it here so that one can see better which device it is. For devices outside of your network, like phones, removing the Endpoint line will set it automatically to the IP address which connects. You can also use dynamic DNS here if you really want to restrict it for devices with a changing IP.

  9. Configure the firewall and final steps
    Open your WireGuard interface ports (UDP) on your peers, 51820 for Peer 1 and 51821 on Peer 2; example with ufw on Linux with sudo:
    sudo ufw allow 51820/udp

    Please refer to your firewall manual on how to open a UDP port. If you want to have access to your LAN or other interfaces on the same device, then you have to enable masquerading on OpenWrt.
    For most Linux distributions, check which interfaces you have with ifconfig; assuming your local network device is eth0, add this to the interface configuration of your WireGuard config file:
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    For the current guide it would look like this for Peer 1:
    # Peer 1 interface
    [Interface]
    PrivateKey = SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30=
    ListenPort = 51820
    DNS = 1.1.1.1
    Address = 10.11.12.13/32
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    # TorGuard VPN connection
    [Peer]
    PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 123.123.123.123:1443
    PersistentKeepalive = 10
    
    # Peer 2
    [Peer]
    PublicKey = PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=
    PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
    AllowedIPs = 178.10.10.20/32
    Endpoint = 192.168.0.20:51821
    PersistentKeepalive = 10

    and for Peer 2, assuming the interface name is enp3s0:
    # Peer 2's interface
    [Interface]
    SaveConfig = false
    PrivateKey = 2B6k+dn4vU6u8N62VITgc/yo9ihg7HDd1xHXqTGcC0M=
    Address = 178.10.10.20/32
    ListenPort = 51821
    DNS = 1.1.1.1,1.0.0.1
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
    
    # Peer 1 - local connection
    [Peer]
    PublicKey = oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=
    PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
    #AllowedIPs = 178.10.10.10/32
    AllowedIPs = 0.0.0.0/0
    Endpoint = 192.168.0.10:51820
  10. Restart WireGuard on both devices

     

As a result, both devices would use TorGuard's IP 123.123.123.123 and all communication is encrypted. You can add to your Peer 1 as well as Peer 2 as many peers as you want (as long as there are enough IPs; with IPv6 this number is quite huge). Most users would like to split WireGuard into functions like server config and client config, but WireGuard is a peer-based VPN and any client is a server at the same time if configured to be. You can configure each separate peer to use any of the existing peers for connections to different networks.

Multiple connections to TorGuard from the same peer

Normally I would split devices using different TorGuard servers to offer gateways which can be used; in the case of WireGuard it is not required at all: I can add additional connections (even all 8 allowed by TorGuard) to one single peer, and that peer can share all 8 connections with any device. For everybody who plans to run this from home, be aware that when you connect from outside, your download speeds outside can not be higher than the upload speed of your home connection; many offer 1 Gbit download, but I do not know many providers who offer the same speed for uploads for an acceptable price.

Sometimes I want to use my internet without VPN but still be connected to my peers, and changing it is simply a matter of changing the AllowedIPs line in the peer config.

Full encryption in local networks

There are many possible cases where users would like to have all connections, including local connections, encrypted; good examples are private networks for students as well as some public networks where anybody in the local network could actually intercept communication. All devices where WireGuard can be installed and reaches full/acceptable speed should then be configured over WireGuard.

I currently use over 60 devices which are connected to each other over WireGuard across 3 different countries, using different IP addresses including TorGuard's, and it works like a charm. First-time setup could be confusing, and if you have many devices, better write scripts creating all configs and QR codes for your mobile devices.

With that, I do not need to use the WireGuard client anymore, as all my 60 connected devices can use any of the IPs which I set, and all of it is easy to change if one needs changes.

Performance

If all your local network communication runs over WireGuard, then copying large files which would use the full bandwidth of your interface might get slower. Considering that an RPi4 easily reaches 500 Mbit/s over WireGuard (without VPN it gets quite the full 1 Gb which the interface offers), it would only be an issue for people who daily copy large amounts of data from one PC to another, like snapshots or backups; however, you can always also use direct, non-encrypted communication by simply using the local address instead of the VPN's.

In one location I use a Rock Pi 4 device, which is kinda the same as an RPi4; my connection there is 250/50 Mb and the Rock Pi 4 reaches 100% while the CPU is used maybe at max 5-6%. Locally the Rock Pi 4 reaches around 520 over WireGuard, 980 without WireGuard.

 

@Support this is what I meant back then with extending the functionality of TorGuard by letting users configure additional peers, where all the steps above can be easily implemented into the GUI. Currently I can use torguard-wg and wg0 if configured properly, but having more than one wg interface makes it all less transparent, brings some troubles with it, and the possibility of a required interface restart grows. I also miss some specifications, like about when which servers, and in which combinations, can be used by multiple clients at the same time, as everything I wrote here is based only on my experience.
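As an added example (not from the post or from TorGuard's tooling), a small Python checker for the Peer1/Peer2 configs above: it parses wg-quick files (configparser cannot, because [Peer] repeats), resolves an address the way WireGuard's cryptokey routing does (longest matching AllowedIPs prefix wins, which is why the 0.0.0.0/0 TorGuard peer and the 178.10.10.20/32 entry coexist on one interface), and flags the two mistakes that leave the link silently dead: a missing /32 for Peer2 on Peer1's side and a PresharedKey that differs between the two configs. The embedded HUB and SPOKE configs are constructed from the thread's examples, trimmed to the fields the checks use.

```python
import ipaddress  # HUB and SPOKE are constructed from this thread's Peer1/Peer2 configs (trimmed)
HUB = """[Interface]
ListenPort = 51820
[Peer]
PublicKey = OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA=
AllowedIPs = 0.0.0.0/0
Endpoint = 123.123.123.123:1443
[Peer]
PublicKey = PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=
PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
AllowedIPs = 178.10.10.20/32
"""
SPOKE = """[Interface]
Address = 178.10.10.20/32
ListenPort = 51821
[Peer]
PublicKey = oocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=
PresharedKey = gYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc=
#AllowedIPs = 178.10.10.10/32
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.0.10:51820
"""
def parse_wg(text):
    """wg-quick config -> (interface dict, [peer dicts]); repeated [Peer] sections rule out configparser."""
    iface, peers, cur = {}, [], None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):  # '#' starts a comment
        if line.startswith("["):  # section header: [Interface] once, [Peer] any number of times
            cur = iface if line == "[Interface]" else {}
            peers += [cur] if line == "[Peer]" else []
        elif line:
            key, _, val = line.partition("=")  # split at the first '=' only, so base64 padding survives
            cur[key.strip()] = val.strip()
    return iface, peers

def route(peers, ip):
    """Cryptokey routing: the peer whose AllowedIPs has the longest matching prefix wins -> (peer, prefixlen)."""
    nets = [(ipaddress.ip_network(s.strip(), strict=False), p) for p in peers for s in p["AllowedIPs"].split(",")]
    hits = [(n.prefixlen, p) for n, p in nets if ipaddress.ip_address(ip) in n]
    plen, peer = max(hits, key=lambda h: h[0]) if hits else (-1, None)
    return peer, plen

def check_pair(hub_text, spoke_text):
    """Mistakes that silently break the Peer1<->Peer2 link; an empty list means the pair is consistent."""
    (hub, hub_peers), (spoke, spoke_peers) = parse_wg(hub_text), parse_wg(spoke_text)
    hub_entry, plen = route(hub_peers, spoke["Address"].split("/")[0])
    spoke_entry = next((p for p in spoke_peers if p.get("Endpoint", "").endswith(":" + hub["ListenPort"])), {})
    problems = [] if plen == 32 else ["Peer1 has no /32 AllowedIPs for Peer2: its replies would leave via the VPN peer"]
    if spoke_entry.get("PresharedKey") != (hub_entry or {}).get("PresharedKey"):
        problems.append("PresharedKey mismatch (or no Peer2 [Peer] on Peer1's ListenPort): handshake impossible")
    return problems
```

Run `check_pair` on the two real files before restarting WireGuard in step 10; an empty list means the hub and spoke agree on address and preshared key.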

 


James8078
On 1/6/2021 at 5:23 AM, 19807409 said:

 

 


And step 1, after using the generator config, you say to try it; do we try that on a Linux device? I have had Linux Mint on my laptop for a week 😉

19807409
2 hours ago, James8078 said:

And step 1, after using the generator config, you say to try it; do we try that on a Linux device? I have had Linux Mint on my laptop for a week 😉

Yes, by "try it" I meant: verify that your config is working and connects before proceeding to the next step; by showing your conf with wg show you can see if there was a handshake, meaning it is connected.

In the links above to the WireGuard FAQ you can see how one can test the config with wg-quick; assuming your config is wg0 (full path to config: /etc/wireguard/wg0.conf), to enable it:

wg-quick up wg0

then check if you are connected, as an example by checking which IP you have:

curl ifconfig.me

 

to stop it:

wg-quick down wg0

 

Later, when you are finished, to enable it on boot:

sudo systemctl enable wg-quick@wg0.service

To start it with systemctl:

sudo systemctl start wg-quick@wg0.service
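As an added example (not part of the reply), the handshake check above done programmatically: `wg show wg0 dump` prints one tab-separated line per peer with the latest handshake as a Unix timestamp, and this function turns such a dump into a per-peer status. The DUMP below is constructed (keys from this thread, timestamps and counters invented), and the 180 s threshold is an assumption based on WireGuard re-handshaking every two minutes while traffic or keepalives flow.

```python
import time

# Constructed `wg show wg0 dump` output for Peer1 (tab-separated, keys from this thread, numbers invented).
# Line 1 is the interface: private key, public key, listen port, fwmark. Every further line is one peer:
# public key, preshared key, endpoint, allowed IPs, latest handshake (Unix time, 0 = never), rx, tx, keepalive.
DUMP = "\n".join([
    "SOO07buK67PnUXqVP3naf3YmZ8oI4BetwAqSXI3SR30=\toocXPHWZR3T1WylFNaowJ5CHvSEIg8eNFonvDkZTPmM=\t51820\toff",
    "OdW/kT7XD8BZqngz2EilBjDkY0bXb66rDyQjA4/tJHA=\t(none)\t123.123.123.123:1443\t0.0.0.0/0\t1609930000\t81234\t5100\t10",
    "PMQhHUrCEAPoKxwczbDcGbNTkrGx7c9gczNCRTiLDWc=\tgYSW5zINURuquF776RMQelKujCN5DOHJzxnHx1yzyTc="
    "\t192.168.0.20:51821\t178.10.10.20/32\t0\t0\t148\t10",
])

def handshake_report(dump, now=None, max_age=180):
    """Map each peer's public key to 'ok', 'stale (<age>s)' or 'never'. A peer with keepalive or traffic
    re-handshakes at least every 2 minutes, so a zero or old timestamp means that link is down."""
    now = int(time.time() if now is None else now)
    report = {}
    for line in dump.splitlines()[1:]:  # skip the interface line
        pubkey, _psk, _endpoint, _allowed, last, _rx, _tx, _keepalive = line.split("\t")
        age = now - int(last)
        report[pubkey] = "never" if int(last) == 0 else ("ok" if age <= max_age else f"stale ({age}s)")
    return report
```

In this dump the TorGuard peer handshook a minute ago, while Peer2 has never completed a handshake, which is the state you would see if the preshared key or endpoint port did not match.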

 
