Wireguard Tunneling

1. Overview

CommentThis document outlines the process of setting up a WireGuard VPN between a local machine and an AWS EC2 instance, where only specific traffic is routed through the VPN tunnel. Internet traffic will not be routed through the VPN, but only traffic destined for the VPN network or EC2 instance will be.

---

2. Prerequisites

2.1. AWS EC2 Instance

• A running AWS EC2 instance with:

  • Public IP (13.233.64.77 in this example)

  • Private IP (172.31.13.140 in this example)

  • WireGuard installed (sudo apt install wireguard)

2.2. Local Machine

• A local machine with a public IP (183.87.214.118 in this example).

• WireGuard installed on the local machine (sudo apt install wireguard).

---

3. WireGuard VPN Configuration

3.1. Server (EC2) Configuration

1. Install WireGuard on the EC2 instance:sudo apt updatesudo apt install wireguard

2. Generate Server Keys:wg genkey | tee server_private_key | wg pubkey > server_public_key

3. Configure WireGuard on the EC2 instance:Create the WireGuard configuration file (/etc/wireguard/wg0.conf):[Interface]Address = 10.0.0.1/24 # Server VPN IPListenPort = 51820 # WireGuard portPrivateKey = <server_private_key> # Use the generated server private key​[Peer]PublicKey = <client_public_key> # Client's public keyAllowedIPs = 10.0.0.2/32 # Client's VPN IP

4. Enable IP Forwarding on the EC2 instance:sudo sysctl -w net.ipv4.ip_forward=1sudo sysctl -p

5. Set up NAT for internet access:sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEsudo iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPTsudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

6. Persist iptables rules:sudo apt install iptables-persistentsudo netfilter-persistent save

7. Start WireGuard on the EC2 instance:sudo wg-quick up wg0

---

3.2. Client (Local Machine) Configuration

1. Generate Client Keys:wg genkey | tee client_private_key | wg pubkey > client_public_key

2. Configure WireGuard on the Local Machine:Create the WireGuard configuration file (/etc/wireguard/wg0.conf):[Interface]Address = 10.0.0.2/24 # Client VPN IPPrivateKey = <client_private_key> # Use the generated client private keyDNS = 8.8.8.8 # DNS server (optional)​[Peer]PublicKey = <server_public_key> # Server's public keyEndpoint = 13.233.64.77:51820 # EC2 server's public IP and WireGuard portAllowedIPs = 10.0.0.0/24 # Only route traffic to the VPN subnet (no full tunnel)PersistentKeepalive = 25

   • AllowedIPs = 10.0.0.0/24: Routes only traffic to the VPN network (i.e., EC2's private network) through the VPN. Internet traffic will bypass the VPN.

3. Start WireGuard on the Local Machine:sudo wg-quick up wg0

---

4. Verifying the Configuration

4.1. On the EC2 Server (AWS)

1. Check the status of WireGuard:sudo wg show

2. Ensure IP forwarding is working by running:sudo sysctl net.ipv4.ip_forwardCommentThis should return net.ipv4.ip_forward = 1.

3. Check the NAT and routing rules:sudo iptables -t nat -LCommentEnsure that the MASQUERADE rule is present for the VPN interface (wg0).

---

4.2. On the Local Machine

1. Verify VPN connection:

   • Test connectivity to the VPN server's private IP (from the local machine):ping 10.0.0.1

2. Verify that internet traffic is bypassing the VPN:

   • Test general internet access:ping google.com # Should use the local machine's regular internet connection

   CommentComment

3. Check the routing table to verify that only the VPN network traffic goes through the VPN tunnel:ip routeCommentExpected output:10.0.0.0/24 dev wg0 # VPN traffic routes via wg0default via <gateway_ip> # Default traffic goes via the normal interface

---

5. Troubleshooting

5.1. No Internet on Client

• Ensure that the EC2 instance has IP forwarding enabled and iptables NAT rules are configured correctly.

• Check the security group of the EC2 instance to ensure it allows UDP traffic on port 51820 and outbound traffic on port 80 (for internet access).

5.2. VPN Connection Not Established

• Ensure that the public keys on the server and client match.

• Verify the WireGuard service is running on both the server and client.

• Check for firewall rules or network issues that may be blocking the connection.

---

6. Optional: Additional Configuration

6.1. Use a Custom DNS Server

If you'd like to ensure that the client always uses a specific DNS server when connected to the VPN, add the following to the [Interface] section of the client configuration:DNS = 8.8.8.8 # Google's DNS (or your preferred DNS)

---

6.2. Use Policy-Based Routing

If you need even more control over which traffic goes through the VPN, you can use policy-based routing (using ip rule) on the local machine. This method allows routing specific applications or destinations through the VPN while other traffic remains on the default route.

---

7. Conclusion

This setup provides a WireGuard VPN that routes only specific traffic (i.e., traffic destined for the VPN network) through the VPN tunnel, while all other traffic (including internet access) bypasses the VPN. This ensures selective routing for improved performance and security.