N3FJP WireGuard Setup

Goal

A VPN solution allows stations in separate locations to communicate securely over the internet as if they were on the same physical network.  Network traffic is encrypted, which allows for greater peace of mind.  WireGuard is our recommended VPN solution due to its ease of use and efficient execution.

Preparation

In order to set up a VPN between stations, a network must be created with its own IP range, separate from that of the local area network.  For instance, if your computers exist on a network beginning with 10.0.0., you must select a different subnet for your VPN addresses.

Selecting a subnet such as 10.5.0.0/24 will allow for 254 clients on the VPN with the following IP range:

  • Start: 10.5.0.1
  • End: 10.5.0.254

Choosing a VPN subnet is up to you based on the network requirements of the stations involved.
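The subnet planning described above can be checked before any configuration is typed in. The following is an added example (not part of the original guide) that uses Python's standard ipaddress module to confirm a candidate VPN subnet does not overlap the LAN subnets the stations already use, to report the usable host range and count (254 for a /24, as stated above), and to hand out consecutive VPN addresses with the server first. The LAN values 10.0.0.15/24 and 192.168.1.0/24 and the function names are constructed for the example.

```python
import ipaddress


def plan_vpn_subnet(vpn_cidr, lan_cidrs):
    """Validate a candidate VPN subnet against the LAN subnets the stations
    already sit on, and return (first_host, last_host, usable_host_count).

    Raises ValueError if the VPN subnet overlaps any LAN subnet, which would
    make traffic for those addresses ambiguous once the tunnel is up.
    """
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    for lan_cidr in lan_cidrs:
        # strict=False accepts a host address with its mask, e.g. "10.0.0.15/24"
        lan = ipaddress.ip_network(lan_cidr, strict=False)
        if vpn.overlaps(lan):
            raise ValueError(f"VPN subnet {vpn} overlaps LAN subnet {lan}")
    hosts = list(vpn.hosts())  # excludes the network and broadcast addresses
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def assign_station_addresses(vpn_cidr, station_names):
    """Hand out consecutive usable addresses, server first, so Station A gets
    .1, Station B gets .2, and so on.  Raises ValueError if the subnet is too
    small for the number of stations."""
    hosts = ipaddress.ip_network(vpn_cidr, strict=True).hosts()
    assigned = {}
    for name in station_names:
        try:
            assigned[name] = str(next(hosts))
        except StopIteration:
            raise ValueError(f"{vpn_cidr} has no free address for {name}") from None
    return assigned


if __name__ == "__main__":
    # Constructed sample values: a LAN on 10.0.0.0/24 (the guide's "10.0.0." example)
    # plus a second site on 192.168.1.0/24; the VPN uses the guide's 10.5.0.0/24.
    first, last, count = plan_vpn_subnet("10.5.0.0/24", ["10.0.0.15/24", "192.168.1.0/24"])
    print(f"VPN range {first} - {last} ({count} usable addresses)")
    print(assign_station_addresses("10.5.0.0/24", ["Station A (server)", "Station B (client)"]))
```

Run it once with the real LAN subnets of every participating station; if plan_vpn_subnet raises, pick a different VPN subnet before continuing.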

The table below lists the information generally required to set up a WireGuard VPN between stations.  This information will be referenced in the following section.

                 Station A (server)                      Station B (client)
  VPN IP         Example: 10.5.0.1                       Example: 10.5.0.2
  Public Key     Automatically generated by WireGuard    Automatically generated by WireGuard
  Internet IP    Obtain from: https://api.ipify.org/     Not required
  Listen Port    Example: 52953                          Not required

VPN Setup

  1. On each station PC, download and install WireGuard
  2. Click the down arrow next to Add Tunnel, then click Add empty tunnel...
  3. A public and private key is generated.

    Take care to never share your Private Key.  This is meant to be known only by you and kept secure.

  4. Give the tunnel a descriptive name such as N3FJP
  5. The text area below is where the VPN configuration takes place and can vary depending on setup.  The following is an example setup.  Certain values are taken from the information table prepared in the previous section.

Server Station - VPN Configuration

The following configuration example is for the station acting as the server that maintains the central log file.

  • For most setups, you can paste the example configuration into the text area and adjust as needed for your environment.  Please do not overwrite the PrivateKey, as doing so will invalidate the public key for this station.

[Interface]
PrivateKey = <Leave Unchanged>

### Copy and paste text below ###

# Use VPN IP for Station A followed by "/24"
Address = 10.5.0.1/24

# If left blank, WireGuard will randomly select a ListenPort on each activation
ListenPort = 52953

[Peer]
# Ask the operator from Station B to provide their public key and paste as the value for PublicKey
PublicKey = 

# Use VPN IP for Station B followed by "/32"
AllowedIPs = 10.5.0.2/32

# If additional stations will be connecting, duplicate the [Peer] section above and adjust for each station

Provide the following information (see the table in the Preparation section) to the operator of the client station so they will be able to connect:

  • PublicKey
  • VPN IP
  • Internet IP
  • ListenPort

Once the configuration values have been set, click Save and then Activate to enable the VPN.

The next step, specific to server stations when operating behind a router, is to configure Port Forwarding.  This tells your router to accept external connections for a specific port and to send them specifically to the server station system.

In the example above, we used a listen port of 52953.  Router interfaces vary, but what needs to be accomplished is to forward UDP port 52953 to the LAN IP address of the server station.

Locating your LAN IP address will vary based on operating system.  Here is a guide from Netgear to locate your LAN IP: https://kb.netgear.com/20878/Finding-your-IP-address-without-using-the-command-prompt and here is a guide with Windows 10 screenshots: https://www.groovypost.com/howto/find-windows-10-device-ip-address/  If you are comfortable with the command prompt, you can also use the command ipconfig.

With your LAN IP address in hand, log into your router (usually at your network gateway address) and locate the Port Forwarding section.  This will also vary depending on manufacturer.  A few examples are below.

Verizon Model: Fios-G1100

Located under Firewall > Port Forwarding.  Enter the LAN IP and UDP ListenPort, then click "Add"

Verizon Model: MI424WR-GEN3I

Located under Firewall Settings > Port Forwarding.  Enter the LAN IP and UDP ListenPort, then click "Add"

A quick note on Listen Port:  From a security perspective, it is a good idea to choose your own Listen Port.  WireGuard will pick one automatically if the value is left blank.  However, because WireGuard regenerates the ListenPort on each startup, the Port Forwarding rule and client configurations would also need to be updated each time; so for simplicity a static value is chosen for the purposes of this guide.

Client Station - VPN Configuration

The following configuration example is for stations acting as clients connecting to the server station.

  • For most setups, you can paste the example configuration into the text area and adjust as needed for your environment.  Please do not overwrite the PrivateKey, as doing so will invalidate the public key for this station.

[Interface]
PrivateKey = <Leave Unchanged>

### Copy and paste text below ###

# Use VPN IP for Station B followed by "/24"
Address = 10.5.0.2/24

[Peer]
# Ask the operator from Station A to provide their public key and paste as the value for PublicKey
PublicKey = 

# Ask the operator from Station A to provide their Internet IP and paste as the value for Endpoint
# followed by the ListenPort for Station A.  Example: "<Public IP from Station A>:52953"
Endpoint = <Public IP from Station A>:52953

# AllowedIPs only needs to change if using a different subnet for the VPN
AllowedIPs = 10.5.0.0/24

PersistentKeepalive = 25

Provide the following information to the operator of the server station so they can update their WireGuard configuration:

  • PublicKey
  • VPN IP

Once the configuration values have been set, click Save and then Activate to enable the VPN.
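The server and client configurations above follow a fixed shape: the server carries one [Peer] per client with that client's VPN IP as a /32, and each client points its single [Peer] at the server's Internet IP and ListenPort with the whole VPN subnet in AllowedIPs. The following is an added example (not part of the original guide) that renders both from the values in the information table, so the "duplicate the [Peer] section for each station" step cannot be mistyped, and that checks each public key decodes to exactly 32 bytes before it is pasted in. It leaves PrivateKey as the literal <Leave Unchanged>, matching the guide's instruction to keep the key WireGuard generated. The keys are constructed placeholders of the right length (not real keys), the Internet IP 203.0.113.10 is a documentation address standing in for Station A's real one, and the function names are assumptions for this example.

```python
import base64
import ipaddress

PERSISTENT_KEEPALIVE = 25  # seconds, matching the client example above


def check_key(key):
    """A WireGuard public key is 32 bytes encoded as base64 (44 characters).
    Reject anything else early rather than discovering it when the tunnel
    silently fails to handshake."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not a valid base64 key: {key!r}") from None
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32: {key!r}")
    return key


def server_config(vpn_cidr, server_vpn_ip, listen_port, clients):
    """Render the [Interface] plus one [Peer] per client for Station A.
    clients maps a station name to (vpn_ip, public_key)."""
    net = ipaddress.ip_network(vpn_cidr, strict=True)
    lines = [
        "[Interface]",
        "PrivateKey = <Leave Unchanged>",   # keep the key WireGuard generated
        f"Address = {server_vpn_ip}/{net.prefixlen}",
        f"ListenPort = {int(listen_port)}",
        "",
    ]
    for name, (vpn_ip, public_key) in clients.items():
        if ipaddress.ip_address(vpn_ip) not in net:
            raise ValueError(f"{name}: {vpn_ip} is outside {net}")
        lines += [
            "[Peer]",
            f"# {name}",
            f"PublicKey = {check_key(public_key)}",
            f"AllowedIPs = {vpn_ip}/32",       # this peer may only use its own address
            "",
        ]
    return "\n".join(lines)


def client_config(vpn_cidr, client_vpn_ip, server_public_key, server_internet_ip, listen_port):
    """Render the configuration for one client station (Station B, C, ...)."""
    net = ipaddress.ip_network(vpn_cidr, strict=True)
    if ipaddress.ip_address(client_vpn_ip) not in net:
        raise ValueError(f"{client_vpn_ip} is outside {net}")
    return "\n".join([
        "[Interface]",
        "PrivateKey = <Leave Unchanged>",
        f"Address = {client_vpn_ip}/{net.prefixlen}",
        "",
        "[Peer]",
        f"PublicKey = {check_key(server_public_key)}",
        f"Endpoint = {server_internet_ip}:{int(listen_port)}",
        f"AllowedIPs = {net}",                 # route the whole VPN subnet via the server
        f"PersistentKeepalive = {PERSISTENT_KEEPALIVE}",
        "",
    ])


# Constructed placeholder keys (NOT real keys): 32 fixed bytes, base64-encoded,
# so they have the right shape for WireGuard without being usable anywhere.
PLACEHOLDER_KEY_A = base64.b64encode(bytes([0x41] * 32)).decode()
PLACEHOLDER_KEY_B = base64.b64encode(bytes([0x42] * 32)).decode()
PLACEHOLDER_KEY_C = base64.b64encode(bytes([0x43] * 32)).decode()

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for Station A's Internet IP.
    print(server_config("10.5.0.0/24", "10.5.0.1", 52953, {
        "Station B": ("10.5.0.2", PLACEHOLDER_KEY_B),
        "Station C": ("10.5.0.3", PLACEHOLDER_KEY_C),
    }))
    print(client_config("10.5.0.0/24", "10.5.0.2", PLACEHOLDER_KEY_A, "203.0.113.10", 52953))
```

Paste the rendered text below the PrivateKey line WireGuard generated in each station's tunnel editor. The /32 on each server-side peer is deliberate: it limits what source addresses that client's key may use inside the tunnel, so a client with one key cannot impersonate another station's VPN IP.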

Verification

Once the server and client VPN tunnels have been activated, it is time to test!  Please reference http://www.n3fjp.com/help/networkinghelp.html for help setting up a file share for the .mdb file.

When clicking File > Open... in the contesting software, enter two backslashes (\\) followed by the server VPN IP into the address bar to display the file shares presented by the server system:

\\10.5.0.1

Locate and open the shared MDB file as normal.

For Status and Chat functions: In the network section of N3FJP's logging application, client stations will specify the server VPN IP as well in order to establish a connection.

Then click the checkbox for Enable Status / Chat Functions to attempt the connection.  A connected message should appear at the bottom of the window.

Acknowledgements

A quick thank you to the following projects and resources that made this guide possible.  Your contributions are greatly appreciated!


Revision #23
Created Wed, Apr 15, 2020 10:57 AM by Chris
Updated Wed, Apr 22, 2020 8:02 PM by Chris