Algo: There are no instructions on how to use Wireguard as a client on Ubuntu

Created on 15 Aug 2018 · 7 Comments · Source: trailofbits/algo

OS / Environment (where do you run Algo on)

Ubuntu 16.04
Ubuntu 18.04

Cloud Provider (where do you deploy Algo to)

DigitalOcean - in my case 
(but I think that it does not matter which of the providers)

Summary of the problem


For example:
There is an instruction for strongswan https://github.com/trailofbits/algo#ubuntu-server-1804-example
And there is an instruction for Android https://github.com/trailofbits/algo#android-devices

But there's no way to find out what the user needs to do to run Wireguard as a client on Ubuntu.
Thanks to the people in the Gitter chat, who pointed me to issue #910. And thanks @davidemyers for this comment https://github.com/trailofbits/algo/pull/910#issuecomment-390624689

But as a user, I don't understand whether this is the right way or not, because I'm not an expert in networks and security.

For example, this line in _wg0.conf_

PostUp = systemd-resolve -i %i --set-dns=172.16.0.1 --set-domain=~.

works in Ubuntu 18.04, but does not work with 16.04 (systemd-resolve: unrecognized option '--set-dns=172.16.0.1' )

Can someone from the Algo core team approve David's comment and add it to the README? Or offer your own solution, if for some reason David's solution is bad.

Steps to reproduce the behavior

  1. Try to search for how to set up Wireguard as a client in this repo
documentation needs_pr

All 7 comments

PRs welcome

@in-in, do the conf files work for you without modification on Ubuntu 16.04?

Yes exactly

Do these instructions look correct?


To connect to your Algo VPN using WireGuard from an Ubuntu 16.04 (Xenial) or 18.04 (Bionic) client, first install WireGuard on the client:

# Add the WireGuard repository:
sudo add-apt-repository ppa:wireguard/wireguard
# Update the list of available packages (not necessary on Bionic):
sudo apt update 
# Install the tools and kernel module:
sudo apt install wireguard

(For installation on other Linux distributions, see the Installation page on the WireGuard site.)

The Algo-generated config files for WireGuard are named configs/<ip_address>/wireguard/<username>.conf on the system where you ran ./algo. One file was generated for each of the users you added to config.cfg before you ran ./algo. Each Linux and Android client you connect to your Algo VPN must use a different WireGuard config file. Choose one of these files and copy it to your Linux client.

If your client is running Bionic (or another Linux that uses systemd-resolved for DNS) you should first edit the config file. Comment out the line that begins with DNS = and replace it with:

PostUp = systemd-resolve -i %i --set-dns=172.16.0.1 --set-domain=~.

Use the IP address shown on the DNS = line (for most, this will be 172.16.0.1). If the DNS = line contains multiple IP addresses, use multiple --set-dns= options.

Finally, install the config file on your client as /etc/wireguard/wg0.conf and start WireGuard:

# Install the config file to the WireGuard configuration directory on your
# Bionic or Xenial client:
sudo install -o root -g root -m 600 <username>.conf /etc/wireguard/wg0.conf
# Start the WireGuard VPN:
sudo systemctl start wg-quick@wg0
# Check that it started properly:
sudo systemctl status wg-quick@wg0
# Verify the connection to the Algo VPN:
sudo wg
# See that your client is using the IP address of your Algo VPN:
curl ipv4.icanhazip.com
# Optionally configure the connection to come up at boot time:
sudo systemctl enable wg-quick@wg0

(If your Linux distribution does not use systemd, you can bring up WireGuard with sudo wg-quick up wg0).
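The DNS edit described in the comment above, as an added example that is not part of the original comment or of Algo: a filter that comments out the `DNS =` line and emits one `--set-dns=` option per address. The function names, the second DNS address, the client address, the endpoint and the key placeholders are constructed for illustration, and the help-text check for `--set-dns` support is an assumption.

```shell
#!/bin/sh
# Added example: adapt an Algo-generated WireGuard client config for a client
# that uses systemd-resolved. Reads the config on stdin, writes it to stdout.

# Comment out "DNS = ..." and emit one PostUp line with a --set-dns= option
# per address, as the instructions above describe.
wg_conf_for_resolved() {
    awk '
    /^[ \t]*DNS[ \t]*=/ {
        print "#" $0                       # keep the original line, disabled
        sub(/^[^=]*=[ \t]*/, "")           # drop the "DNS = " prefix
        n = split($0, addrs, /[ \t]*,[ \t]*/)
        opts = ""
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", addrs[i])
            if (addrs[i] != "") opts = opts " --set-dns=" addrs[i]
        }
        if (opts != "") print "PostUp = systemd-resolve -i %i" opts " --set-domain=~."
        next
    }
    { print }'
}

# Heuristic (assumption): treat --set-dns as available only if the installed
# systemd-resolve lists it in its help text; 16.04 rejects the option.
resolved_supports_set_dns() {
    systemd-resolve --help 2>/dev/null | grep -q -e '--set-dns'
}

# Constructed sample config: placeholder keys, documentation-range endpoint.
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.19.49.2/32
DNS = 172.16.0.1, 172.16.0.2

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
}

# Demo: print the converted sample.
sample_conf | wg_conf_for_resolved
```

On a real client, run the filter only when `resolved_supports_set_dns` succeeds, and install the result with the same `install -m 600` command shown above so the private key stays readable by root only.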

@davidemyers Probably need to make it clear in there somewhere that the config file needs to be copied from the Algo server, or whatever machine was used to run Algo, to the Ubuntu client, and to specify what directory on the client machine (was it /etc/wireguard/?). I think the two Ubuntu machines part is confusing a lot of people.

Thanks for the feedback. I've edited the message above to try to make the distinction between the two systems more obvious.

Edited to add: I've edited the message above again to include a link to installation instructions for distributions other than Ubuntu.

Edited yet again to add: I'll submit a PR shortly after the ansible2.5 branch is merged.

Thank you @davidemyers
