WireGuard & TunSafe

New Wireguard Docu Volker:
https://gueldenpfennigs.blogspot.com/2025/09/firewalld.html 

https://www.wireguard.com

Ubuntu ...

https://docs.pi-hole.net/guides/vpn/wireguard/

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. 

• Linux native
• Windows native
• iOS & Andoid
• Option for "Full Tunneling" through Mannheim ... (we have to think on because of using Zscaler)

How to use IPv4 & IPv6 within the tunnel? 

https://oliver-kaestner.de/posts/anleitung-wireguard-vpn-server-dual-stack-einrichten

IPv6 Test: https://fast.com/de - this requires IPv6! (via 3390 OG it does not work)

Activate Routing in Ubuntu

https://serverspace.io/de/support/help/set-up-wireguard-vpn-server-on-ubuntu/

( https://www.altmetaller.de/ubuntu-als-router/ )

vi /etc/sysctl.conf

net.ipv4.ip_forward=1

( net.ipv6.conf.all.forwarding=1 )

sysctl -p

Additionally, in case IPv6 should be deactivated

vi /etc/sysctl.conf

https://itsfoss.com/disable-ipv6-ubuntu-linux/

... this seems to be very risky - perhaps nothing works then anymore ;-(((

net.ipv6.conf.all.disable_ipv6=1

net.ipv6.conf.default.disable_ipv6=1

net.ipv6.conf.lo.disable_ipv6=1

sysctl -p

vi /etc/rc.local

#!/bin/bash

# /etc/rc.local

/etc/sysctl.d

/etc/init.d/procps restart

exit 0

********

chmod 755 /etc/rc.local

... seems not really to work after reboot ...

Perhaps remove IP in /etc/netplan/50-cloud-init.yaml as well?

# Change "enp0s18" to the name of your network interface in the following two settings. This commands configures iptables for WireGuard.

PostUp = iptables -A FORWARD -i wg-service -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s18 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg-service -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s18 -j MASQUERADE

Here, we could add IPv6 NAT as well ;-))

https://www.reddit.com/r/VPN/comments/1oq855m/sip_phone_through_wireguard/

ip6tables -A FORWARD -i eth1 -o wg-service -j ACCEPT;

ip6tables -A FORWARD -i wg-service -j ACCEPT

ip6tables -D FORWARD -i eth1 -o wg-service -j ACCEPT;

ip6tables -D FORWARD -i wg-service -j ACCEPT

Weitere Informationen:

https://reintech.io/blog/installing-using-iptables-ubuntu-22

Einrichtung wireguard auf Linux Host linux-volker im Internet mit IPv4

• How to Install WireGuard: https://www.wireguard.com/install
•  apt install wireguard
• IP Forwarding needs to be activated
  vi /etc/sysctl.conf
  net.ipv4.ip_forward=1
• Config Commands
•  wg
•  wg-quick
•  man wg & wg-quick does work as well
• Best 5-Minute-Docu ever :-)
  https://www.freecodecamp.org/news/build-your-own-wireguard-vpn-in-five-minutes/
• Good as well ... https://upcloud.com/resources/tutorials/get-started-wireguard-vpn
• Default Quick Start: https://www.wireguard.com/quickstart (with Video)
• DE Doku WireGuard: https://www.thomas-krenn.com/de/wiki/WireGuard_Grundlagen
• WireGuard on Ubuntu: https://www.thomas-krenn.com/de/wiki/Ubuntu_Desktop_als_WireGuard_VPN_Client_konfigurieren
• Ubuntu Wireguard Docu: https://ubuntu.com/server/docs/introduction-to-wireguard-vpn
• as well: https://wiki.archlinux.org/title/WireGuard#systemd-networkd
• Show own IPs
  ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'
• How to setup IPv6 well?
  ip -6 addr
  ip -6 addr show scope global 
• Hätte dann auch eine IPv4 :-)
• Install "ifconfig" <<< mostly default in the meantime ...
  apt install net-tools
• Crontab Setup
  crontab -e
  # Update Linux every day - volker
  #minute  hour  Day of Month  Month  Day of Week  Command
     0       3         *         *         *       apt upgrade >/tmp/apt-upgrade.txt
     0       4         *         *         *       apt autoremove >/tmp/apt-autoremove.txt
• iptables - Routing - Firewall => Documentation in Pi-hole ONLY!
  netfilter-persistent save
  iptables-save > /etc/iptables/rules.v4

https://www.wireguard.com/quickstart/

systemctl enable wg-quick@wg-service.service  <<<

systemctl disable wg-quick@wg-service.service 

systemctl status wg-quick@wg-service.service  <<<

systemctl restart wg-quick@wg-service.service

systemctl start wg-quick@wg-service.service 

systemctl stop wg-quick@wg-service.service

=> this file can be imported in the new client ... 

... or even better: convert this into a QR Code as described here :-)

Server Config linux-volker

wg-service.conf

[Interface]

PrivateKey = <Private Key>   # The server_private.key value

ListenPort = 51001  # UDP Port for incoming connections

Address = 192.168.223.1/24, 2a01:367:c204:ffff::192.168.223.1/120  # Internal IPv4 & Global IPv6 networks of the VPN server. Different network required for routing!!!

# Change "eth0/enp0s18" to the name of your network interface in the following two settings.

# This commands configures iptables for IPv4 for WireGuard.

PostUp   = iptables  -A FORWARD -i wg-service -j ACCEPT; iptables  -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg-service -j ACCEPT

PostDown = iptables  -D FORWARD -i wg-service -j ACCEPT; iptables  -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg-service -j ACCEPT

# IP" .2" = iPad Volker

[Peer]

PublicKey = okNwR06gBWX8tywGeJRVu0Ep3q/wcecaG/+xEB38dyw=

AllowedIPs = 192.168.223.2/32

PersistentKeepalive = 180

... similar for all other ones as well :-)

"X" can be used for the "target IP" ...

cd /etc/wireguard/keys

umask 077

wg genkey > private-keyX

wg pubkey > public-keyX < private-keyX

IPv4 ONLY - How does a "normal" Client (!) Config File looks like?

Filename: "ipX.conf"

[Interface]

PrivateKey = [private Key of the new Device] # <<<<

# PublicKey for better reference: [public Key of the new Device] # <<<<

Address = 192.168.223.X/32 # <<<< IP of the new Device ... (needs to be unique!!!)

DNS = 8.8.8.8

[Peer]

PublicKey = crxYA4Mzmqj+Mai5vSe+D2bMT9g/Tl+rTzTu/uTmuws= # Public key of the Server!

PresharedKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # this means: there is no PresharedKey ;-)

AllowedIPs = 0.0.0.0/0, ::/0 # this moves the complete IPv4 & IPv6 traffic via this Wireguard VPN - IPv6 will die and therefore not be used ;-)

Endpoint = linux.gueldenpfennig.info:51001 # this is the host & port of the Wireguard server in germany

PersistentKeepalive = 180 # we test, if this is sufficient "eats less battery on mobiles" - otherwise, the default would be 25 (on both sides!)

QR-Code Generator

https://www.wireguardconfig.com/qrcode

... just paste the ipX.conf file into this QR-Code Generator and then you do have a great QR-Code solution :-)

Einrichtung wireguard auf Linux Host h3006155 (Ole) im Internet mit IPv4

• How to Install WireGuard: https://www.wireguard.com/install
•  apt install wireguard

ip link add dev wg0 type wireguard

=>

RTNETLINK answers: Operation not supported
It looks like, wireguard is not installed ...

https://www.reddit.com/r/WireGuard/comments/snxc8w/rtnetlink_operation_not_supported_wireguard_error/

lsmod | grep wireguard

https://www.mpex.de/techblog/fehlermeldung-rtnetlink-answers-operation-not-supported.html

root@h3006155:/# dpkg-reconfigure wireguard-dkms

Deleting module wireguard-1.0.20210606 completely from the DKMS tree.

Loading new wireguard-1.0.20210606 DKMS files...

Building for 5.2.0

Module build for kernel 5.2.0 was skipped since the

kernel headers for this kernel does not seem to be installed.

apt-get install linux-headers-generic

=>

https://www.zdnet.com/article/ubuntu-20-04-arrives-with-linux-5-4-kernel-and-wireguard-vpn/#google_vignette

https://www.rpiathome.com/2020/05/13/the-unofficial-non-definitive-wireguard-troubleshooting-page/#When_I_try_to_start_WireGuard_I_get_an_error_like_RTNETLINK_answers_Operation_not_supported_OR_Unable_to_access_interface_Protocol_not_supported

xxxxxxx

https://www.thomas-krenn.com/de/wiki/Ubuntu_Desktop_als_WireGuard_VPN_Client_konfigurieren

ip address add dev wg0 192.168.111.1/24

# cd /etc/wireguard/keys

# umask 077

# wg genkey > private-key

# wg pubkey > public-key < private-key

wg setconf wg0 myfirstconfig.conf

... edit the config file ...

[Interface]

PrivateKey = <Private Key>

ListenPort = 51000

Address = 192.168.222.0/24

[Peer]

# office

PublicKey = crxYA4Mzmqj+Mai5vSe+D2bMT9g/Tl+rTzTu/uTmuws=

###Endpoint = wg.example.com:51000 # fake endpoint, just an example

AllowedIPs = 0.0.0.0/0, ::/0

Example fb4040

Öffentlicher Schlüssel - AmrP03l/c09yZSoYMh/TIfzj1NH723lP/pP9RMqIXEk=

Internet-Adresse Ihrer FRITZ!Box - xxxxxx.myfritz.net:52150

[Interface]

PrivateKey = <fb4040-private-key>

ListenPort = 52150

Address = 192.168.231.1/24

DNS = 192.168.231.1

DNS = fritz.box

[Peer]

PublicKey = 4Pr7PL0MAASGljfxClAaY6RUCqaokGXmqW4WsRLPZn4=

PresharedKey = <preshared-key>

AllowedIPs = 192.168.231.201/32

PersistentKeepalive = 25

# iPad Volker

[Peer]

PublicKey = mJJTMBOnUvlD0NQpD4HmUGI0FYgKYy9eehFWypOod0M=

PresharedKey = <preshared-key>

AllowedIPs = 192.168.231.202/32

PersistentKeepalive = 25

[Peer]

PublicKey = zOpu3TnWXZIE6uceBXqfqoZWICpj+kKgc6IrXPiipzU=

PresharedKey = <preshared-key>

AllowedIPs = 192.168.231.203/32

PersistentKeepalive = 25

[Peer]

PublicKey = 30ADjaEP9A6n1v9n7pqUv1d+y0B2lNplA7IJan0b3lc=

PresharedKey = <preshared-key>

AllowedIPs = 192.168.231.204/32

PersistentKeepalive = 25

[Peer]

PublicKey = NJchlnyKKvqcAgIhpxP9lqi8NIn2KHD6KBIP8DuTqVI=

PresharedKey = <preshared-key>

AllowedIPs = 192.168.231.205/32

PersistentKeepalive = 25

IPv4 & IPv6: How does a "normal" Client (!) Config File looks like?

Filename: "xxxx.conf"

[Interface]

PrivateKey = [private Key of the new Device]

# PublicKey for better reference: [public Key of the new Device]

Address = 192.168.223.7/32, fde9:f809:cf9a::192.168.223.7/128 # ULA IP of the new Device ... (needs to be unique & requires NAT!!!)

!!!One OR the other!!!

Address = 192.168.223.7/32, 2a01:367:c204:ffff::192.168.223.7/128 # Global IP of the new Device ... (needs to be unique!!!)

DNS = 8.8.8.8, 2001:4860:4860::8888

[Peer]

PublicKey = crxYA4Mzmqj+Mai5vSe+D2bMT9g/Tl+rTzTu/uTmuws= # Public key of the Server!

PresharedKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # this means: there is no PresharedKey ;-)

AllowedIPs = 0.0.0.0/0, ::/0 # this moves the complete IPv4 & IPv6 traffic via this Wireguard VPN ;-)

Endpoint = linux.gueldenpfennig.info:51001 # this is the host & port of the Wireguard server in germany

PersistentKeepalive = 180 # we test, if this is sufficient "eats less battery on mobiles" - otherwise, the default would be 25 (on both sides!)

=> this file can be imported in the new client ... 

... or even better: convert this into a QR Code as described here :-)

IPv6 Setup Volker - Global IPs

• https://de.wikipedia.org/wiki/IPv6
• Unique Local Unicast - Unique Local Addresses (ULA)
• Random Numbers for 40 Bit => 1 - 1099511627776 - https://www.matheretter.de/rechner/zufallszahlengenerator
  => Volker's Number: 1.004.888.772.506 Decimal => E9 F809 CF9A Hexadecimal
• Volker's IPv6 Network: fde9:f809:cf9a::/48
• fd = Unique Local Unicast Prefix
• e9 f809 cf9a = 40 Bit "nearly unique" 40 bit identifier for "Volker"
• IPv6 Setup Wireguard Linux Volker: fde9:f809:cf9a::192.168.223.1/120 => we can use always similar addresses for IPv4 and IPv6 ;-)))
• IPv6 Default Route: ::/0 (identical to 0.0.0.0/0 in IPv4)
• Google IPv6 DNS does use 2001:4860:4860::8888 - but NOT 2001:4860:4860::8.8.8.8 or converted 2001:4860:4860::0808:0808
• IPv4 linux.gueldenpfennig.info = 45.89.126.26
• IPv6 linux.gueldenpfennig.info = 2a01:367:c204::20:2f (Prefix /48)
• https://www.freecodecamp.org/news/setting-a-static-ip-in-ubuntu-linux-ip-address-tutorial/
  cd /etc/netplan ... does not survive a "cloud-reboot" - but normal "reboot now" ... has to be fixed somwewhere else ... is described in the top of the file ...
• 
  

IPv6 Setup Volker - ULA & NAT - not fully working (no full routing)

• https://de.wikipedia.org/wiki/IPv6
• Unique Local Unicast - Unique Local Addresses (ULA)
• Random Numbers for 40 Bit => 1 - 1099511627776 - https://www.matheretter.de/rechner/zufallszahlengenerator
  => Volker's Number: 1.004.888.772.506 Decimal => E9 F809 CF9A Hexadecimal
• Volker's IPv6 Network: fde9:f809:cf9a::/48
• fd = Unique Local Unicast Prefix
• e9 f809 cf9a = 40 Bit "nearly unique" 40 bit identifier for "Volker"
• IPv6 Setup Wireguard Linux Volker: fde9:f809:cf9a::192.168.223.1/120 => we can use always similar addresses for IPv4 and IPv6 ;-)))
• IPv6 Default Route: ::/0 (identical to 0.0.0.0/0 in IPv4)
• Google IPv6 DNS does use 2001:4860:4860::8888 - but NOT 2001:4860:4860::8.8.8.8 or converted 2001:4860:4860::0808:0808
• IPv4 linux.gueldenpfennig.info = 45.89.126.26
• IPv6 linux.gueldenpfennig.info = 2a01:367:c204::20:2f

Einrichtung eigene Fritzbox „zu Hause“ mit Wireguard-Server

• Von überall über die Hausleitung surfen ;-)
• Alles aus Deutschland ist weiterhin erreichbar
• In jedem WLAN surft man zu 100% verschlüsselt 
• Es funktioniert auch mit IPv6, wo IPv4 nicht verfügbar ist
• Benötigt natürlich FritzOS 7.50+ (also nicht mit 7560, aber mit 4040)
• Klappt supi mit der neuen 4040 ;-)

HowTo von einem coolen Typen:

https://stadt-bremerhaven.de/fritzbox-wireguard-einrichten-und-nutzen/

Test IPv4 & IPv6

https://test-ipv6.com

https://ipv6-test.com

WireGuard - Native Windows Implementation

https://www.golem.de/news/vpn-wireguard-bekommt-nativen-windows-kernel-port-2108-158613.html

TunSafe Features

• VPN on top of Wireguard
• 2FA (as of 1.5-rc2)
• TCP Support (instead of UDP only) - (as of 1.5-rc2)

https://tunsafe.com

https://de.wikipedia.org/wiki/WireGuard

and TCP ...

https://tunsafe.com/user-guide/tcp

Windows WireGuard Server Setup

https://www.andysblog.de/wireguard-server-unter-windows-einrichten

https://www.henrychang.ca/how-to-setup-wireguard-vpn-server-on-windows

WireGuard zwischen Fritzboxen

https://avm.de/service/vpn/wireguard-vpn-zwischen-zwei-fritzbox-netzwerken-einrichten

Fritzbox-Port-Forwarding: https://www.andysblog.de/wireguard-server-unter-windows-einrichten

Idee für "dauerhafte" DE-IP 

• WireGuard Windows-Server oder Fritzbox in DE mit IPv4 (&IPv6) hinstellen
• Smartphone als Client dazu einrichten
• Laptop als Client dazu einrichten
• Fritzbox als Client dazu einrichten
• => GEO-Blocking sollte im Ausland mit diesen Trick umgangen werden können

Setup WireGuard on sap208 & Lenovo Laptop ...

• *** GREAT TOOL ***
  https://github.com/micahmo/WgServerforWindows <<<< ONLY use this tool on WINDOWS !!!
• BUT: It is not stable with windows as server ...

FURTHER INFORMATION... but do not use the "manual setup described there"!!! ... look above

• Great general information on WireGuard ;-)
  https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
• https://golb.hplar.ch/2019/07/wireguard-windows.html
• Activation Issue - Unable to configure adapter network settings: unable to set ips: The object already exists.
  https://www.reddit.com/r/WireGuard/comments/bn03vo/wireguard_prealpha_tunnel_activation_issue/
• Windows Client WireGuard-GUI without Admin ...
  https://www.andysblog.de/wireguard-client-unter-windows
  

  reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f

• Windows Server WireGuard
  https://www.andysblog.de/wireguard-server-unter-windows-einrichten
  oder
  https://www.henrychang.ca/how-to-setup-wireguard-vpn-server-on-windows
  (mit speziellem NAT-Script und Demo Config Client & Server)
• Windows IP Routing:
  http://www.winfaq.de/faq_html/Content/tip0500/onlinefaq.php?h=tip0908.htm
  HKEY_LOCAL_MACHINE\ System\ CurrentControlSet\ Services\ Tcpip\ Parameters => IPEnableRouter = 1
• Issues with Default Gateway ? ????
  At least a routing issue!
  Access to I67 does work!!! but nothing to other IPs ...

Setup WireGuard Server on Linux

• https://www.linuxbabe.com/centos/wireguard-vpn-server-centos

Fritzbox & WireGuard

• Fritzbox als VPN-Server IPv4
  https://persoft.de/tips-tricks/wireguard-client-und-fritz-box/
• Fritzbox als VPN-Server mit DS-Lite (IPv6 & keiner individuellen IPv4)
  https://persoft.de/tips-tricks/wireguard-vpn-server-auf-fritzboxen-am-ds-lite-anschluss/
• Fritzbox als VPN-Server
  https://www.ip-insider.de/praxis-wireguard-vpn-auf-der-fritzbox-a-80473536b04c33d4ab56565e8bda4286/
• Fritzbox als VPN-Server (auch DS-Lite):
  https://schroederdennis.de/tutorial-howto/avm-fritzbox-wireguard-vpn-einrichten-anleitung-tutorial-7590-6690/
• DynDNS-Dienst IPv64.net
• Was ist DS-Lite und wie kann die Fritzbox trotzdem IPv4 nutzen? (Port Control Protocol = PCP)
  https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-7590/1611_Was-ist-DS-Lite-und-wie-funktioniert-es/#:~:text=Dual%2DStack%20Lite%20(DS%2D,v6%20(IPv6)%20nutzen%20lassen.
• SecurePoint-UTM & Fritzbox via WireGuard verbinden
  https://wiki.securepoint.de/UTM/VPN/WireGuard-S2S_v12.2.5
  ... ganz unten: "Variable Upload Konfig für Fritzbox" - s.u.
• Probleme mit IPv4 & IPv4/6
  https://forum.qnapclub.de/thread/61433-wireguard-vpn-client-profil-anlegen/
  ... letzter Punkt "#13" ...
• WireGuard & OpenWRT
  https://openwrt.org/docs/guide-user/services/vpn/wireguard/start

Fritzbox & WireGuard II (lampert.at)

https://lampert.at/service-hilfe/avm/detail/FRITZ-Box-7590-AX$3737_FRITZ-Box-als-VPN-Client-WireGuard-mit-anderer-FRITZ-Box-verbinden

 

3 VPN-Client einrichten

Richten Sie in der FRITZ!Box, die als VPN-Client eingesetzt werden soll, eine VPN-Verbindung zur entfernten FRITZ!Box ein:

1. Klicken Sie in der Benutzeroberfläche der FRITZ!Box (VPN-Client) auf "Internet".
2. Klicken Sie im Menü "Internet" auf "Freigaben".
3. Klicken Sie auf die Registerkarte "VPN (WireGuard)".
4. Klicken Sie auf die Schaltfläche "Verbindung hinzufügen".
5. Klicken Sie auf "Netzwerke koppeln oder spezielle Verbindungen herstellen" und dann auf "Weiter".
6. Klicken Sie bei "Wurde diese WireGuard-Verbindung bereits auf der Gegenstelle erstellt?" auf "Ja".
7. Klicken Sie auf "Weiter".
8. Tragen Sie im Eingabefeld "Name der WireGuard-Verbindung" einen individuellen Namen für die Verbindung (FRITZ!Box VPN-Server) ein.
9. Klicken Sie auf die Schaltfläche "Datei auswählen" bzw. "Durchsuchen...".
10. Wählen Sie die Einstellungs-Datei für die WireGuard-Verbindung aus, die Sie von der FRITZ!Box (VPN-Server) heruntergeladen haben (Conf-Datei), und klicken Sie auf "Öffnen".
11. Falls die VPN-Verbindung nicht nur für Zugriffe auf das entfernte Netzwerk genutzt werden soll, sondern auch sämtliche Internetanfragen über die VPN-Verbindung an die FRITZ!Box (VPN-Server) gesendet werden sollen, aktivieren Sie die Option "Gesamten Netzwerkverkehr über die VPN-Verbindung senden".
12. Falls auf Windows Datei- und Druckerfreigaben (SMB-Freigaben) im entfernten Netzwerk zugegriffen werden soll, aktivieren Sie die Option "NetBIOS über diese Verbindung zulassen".
13. Klicken Sie auf die Schaltfläche "Fertigstellen".
14. Falls Sie dazu aufgefordert werden, bestätigen Sie die Ausführung zusätzlich an der FRITZ!Box, und klicken Sie auf "OK", um den Vorgang abzuschließen.

Jetzt ist die VPN-Verbindung zwischen den beiden FRITZ!Boxen eingerichtet und die FRITZ!Box (VPN-Client) verbindet sich dauerhaft mit der FRITZ!Box (VPN-Server).

ääääääääääääääääää

Upload Konfig für Fritzbox:

[Interface]

PrivateKey = $PRIVATE_KEY_FRITZBOX

ListenPort = $LISTENPORT_WIREGUARD_FRITZBOX

Address = $LOCAL_IP_FRITZBOX/$NETMASK

[Peer]

PublicKey = $PUBLIC_KEY_UTM

PresharedKey = $PRESHAREDKEY

AllowedIPs = $NETWORK_UTM/$NETMASK

Endpoint = $HOSTNAME_UTM:$LISTENPORT_WIREGUARD_UTM

PersistentKeepalive = 1

ääääääääääääääääää

Cheap Linux Hosting

• https://www.kamatera.com/express/compute/products.php - pay as you go with 0,5 Ct/h as well
• https://www.ovhcloud.com/de/vps/cheap-vps - 4,19 EUR/Monat (in DE as well?)

#