Bart Simons

guide

A 2 post collection


WireGuard.io Getting Started Guide/Tutorial

 •  Filed under getting started, guide, tutorial, WireGuard, WireGuard.io

In todays networking world, virtual private networks are unmissable. With IT needs growing exponentially in the current modern era, it is essential to make the right choices on what VPN software you are going to use. While IPSec tunnels are commonly deployed and proven to deliver good performance while being stable at the same time, are there any other alternatives?

Yes there are. Here are some VPN solutions I have deployed in the past:

  • OpenVPN, both in peer-to-peer and remote access configurations
  • PPTP (with pptpd on Linux)
  • SoftEther (Has its own VPN protocol over an SSL connection)

Recently - on a long journey on Google - I came across WireGuard. They claim to have the networking code of their VPN software running in kernel-space for optimal performance, so that seems all good. I decided to dig deeper into WireGuard, so I could write a guide/tutorial on the getting started and configuration process.

My test environment

My test environment consists over two Linux servers in the cloud, they are directly connected to each other over a private network:

  • server-01: 10.129.29.151
  • server-02: 10.129.30.154

For benchmarking networking speeds I used iperf, and this is the traffic speed test result I got over this private network:

iperf raw network speeds

Installing WireGuard

This step is pretty straight forward, just copy and paste this code into your terminal:

add-apt-repository -y ppa:wireguard/wireguard  
apt update  
apt install -y wireguard-dkms wireguard-tools  

If you don't use Ubuntu on your servers, check out this page on the WireGuard website to find out how to install it on your Linux distribution of preference.

Initialisation of WireGuard's virtual interfaces

Configuring a simple peer-to-peer tunnel on WireGuard is not that complicated.

First of all, let's create the wg0 interface on both servers - this will be the virtual interface for your virtual private network between both servers:

ip link add dev wg0 type wireguard  

Your virtual network also needs an IP address for each node so that machines can communicate between each other over IP:

# For server-01:
ip address add dev wg0 192.168.2.1/24

# For server-02:
ip address add dev wg0 192.168.2.2/24  


Generating a configuration for each node

WireGuard uses a key-based VPN solution for communication between nodes. This system insists of a private key and a public key for each node. You can generate these keys on each node with the following command:

# For server-01:
wg genkey | tee privatekey01 | wg pubkey > publickey01

# For server-02
wg genkey | tee privatekey02 | wg pubkey > publickey02  

Create a configuration file named wireguard.conf and store it somewhere safe with the right Linux permissions applied on this file (chown/chmod). Here's what you need to put in this configuration file:

# On server-01:

[Interface]
ListenPort = 4820  
PrivateKey = privatekey01's content goes here

[Peer]
Endpoint = ip:port of endpoint (10.129.30.154:4820)  
PublicKey = publickey02's content goes here  
AllowedIPs = 0.0.0.0/0  
# On server-02:

[Interface]
ListenPort = 4820  
PrivateKey = privatekey02's content goes here

[Peer]
Endpoint = ip:prt of endpoint (10.129.29.151:4820)  
PublicKey = publickey01's content goes here  
AllowedIPs = 0.0.0.0/0  

Link the configuration to the interface on all nodes:

wg setconf wg0 wireguard.conf  

Bring the interface up on all nodes:

ip link set up dev wg0  

You are now connected, you can test connectivity by sending ICMP echo packets:

WireGuard ICMP connectivity test


Benchmarking performance

Run this command on the first node (server-01 in my case):

iperf -s  

Run this command on the second node (server-02 in my case):

iperf -c 192.168.2.1  

These are the results I got over the tunnel:

Pretty good results for just a dual-core server. I'm sure that there are possibilities/tweaks to make WireGuard perform even better, we'll see...

NGINX RTMP Streaming Server Installation Guide

 •  Filed under tutorial, nginx, rtmp, streaming, server, installation, guide

Personally, I find NGINX the best choice as a web server, and so this website runs on NGINX too. Today I found out about the NGINX RTMP module, originally developed by Roman Arutyunyan. This module allows you to expand NGINX with RTMP capabilities so you can use NGINX as a media streaming server! You can build it by compiling NGINX with a separate module which can be done manually or by using this bash script:

#!/bin/bash

echo  
echo   NGINX RTMP SERVER INSTALLER V2  
echo   COPYLEFT BARTSIMONS.ME, 2016  
echo 

## CHECKING FOR ROOT ACCESS...
user=$(whoami)  
if [[ $user != "root" ]]; then  
    echo "You are not root. Please run this script as superuser!"
    exit
fi

## GLOBAL VARIABLES AND PACKAGE CACHE UPDATE
nginx_url="http://nginx.org/download/nginx-1.11.4.tar.gz"  
nginx_tar="nginx-1.11.4.tar.gz"  
nginx_fld="nginx-1.11.4"  
rtmp_url="https://github.com/arut/nginx-rtmp-module.git"

echo "Updating package cache..."  
apt -qqq update

## CONTINUE WHEN USER IS ROOT & INSTALL WGET IF NOT INSTALLED...
long_out_wget_check=$(dpkg-query --list | grep wget)  
short_out_wget_check=${long_out_wget_check:0:2}  
wget_installed=0

if [[ $short_out_wget_check == "ii" ]]; then  
    wget_installed=1
else  
    echo "Installing wget..."
    apt install -qqq -y wget
fi

## INSTALL BUILD-ESSENTIAL IF NOT INSTALLED...
long_out_be_check=$(dpkg-query --list | grep build-essential)  
short_out_be_check=${long_out_be_check:0:2}  
be_installed=0

if [[ $short_out_be_check == "ii" ]]; then  
    be_installed=1
else  
    echo "Installing build-essential..."
    apt install -qqq -y build-essential
fi

## INSTALL LIBPCRE3 DEV HEADERS IF NOT INSTALLED...
long_out_pcre_dev_check=$(dpkg-query --list | grep libpcre3-dev)  
short_out_pcre_dev_check=${long_out_pcre_dev_check:0:2}  
pcre_dev_installed=0

if [[ $short_out_pcre_dev_check == "ii" ]]; then  
    pcre_dev_installed=1
else  
    echo "Installing libpcre3 development headers..."
    apt install -qqq -y libpcre3-dev
fi

## INSTALL LIBPCRE IF NOT INSTALLED...
long_out_pcre_check=$(dpkg-query --list | grep libpcre3-dev)  
short_out_pcre_check=${long_out_pcre_check:0:2}  
pcre_installed=0

if [[ $short_out_pcre_check == "ii" ]]; then  
    pcre_installed=1
else  
    echo "Installing libpcre3..."
    apt install -qqq -y libpcre3
fi

## INSTALL GIT IF NOT INSTALLED
long_out_git_check=$(dpkg-query --list | grep "git ")  
short_out_git_check=${long_out_git_check:0:2}  
git_installed=0

if [[ $short_out_git_check == "ii" ]]; then  
    git_installed=1
else  
    echo "Installing git..."
    apt install -qqq -y git
fi

## INSTALL LIBSSL DEV HEADERS IF NOT INSTALLED...
long_out_libssl_dev_check=$(dpkg-query --list | grep libssl-dev)  
short_out_libssl_dev_check=${long_out_libssl_dev_check:0:2}  
libssl_dev_installed=0

if [[ $short_out_libssl_dev_check == "ii" ]]; then  
    libssl_dev_installed=1
else  
    echo "Installing libssl-dev..."
    apt install -qqq -y libssl-dev
fi

## DOWNLOAD AND UNTAR NGINX SOURCE CODE
echo "Downloading nginx source code..."  
wget --quiet $nginx_url  
echo "Unpacking nginx source code..."  
tar -xzf $nginx_tar

## CLONE NGINX-RTMP-MODULE
echo "Cloning nginx RTMP module git repository..."  
git clone $rtmp_url

## CONFIGURE, COMPILE AND INSTALL!
cd $nginx_fld  
./configure --add-module=../nginx-rtmp-module
make  
make install

## CLEANUP TIME!
echo "Cleaning up left over folders & files..."  
rm -rf $nginx_fld  
rm -rf $nginx_tar  
rm -rf nginx-rtmp-module

if [[ $git_installed == 0 ]]; then  
    echo "git was not installed earlier. Uninstalling git"
    apt remove --purge -qqq git
fi

if [[ $pcre_dev_installed == 0 ]]; then  
    echo "libpcre3-dev was not installed earlier. Uninstalling libpcre3-dev..."
    apt remove --purge -qqq libpcre3-dev
fi

if [[ $be_installed == 0 ]]; then  
    echo "build-essential was not installed earlier. Uninstalling build-essential..."
    apt remove --purge -qqq build-essential
fi

if [[ $wget_installed == 0 ]]; then  
    echo "wget was not installed earlier. Uninstalling wget..."
    apt remove --purge -qqq wget
fi

if [[ $pcre_installed == 0 ]]; then  
    echo "libpcre3 was not installed earlier. Uninstalling libpcre..."
    apt remove --purge -qqq libpcre3
fi

if [[ $libssl_dev_installed == 0 ]]; then  
    echo "libssl-dev was not installed earlier. Uninstalling libssl-dev..."
    apt remove --purge -qqq libssl-dev
fi

echo " "  
echo "NGINX and the RTMP server module has been installed on your system!"  

Please note that this script has been built for Debian-based operating system. Compiling it manually on other systems is not that difficult at all: you just need to include the module with a flag for the configure script.

Configuring NGINX

Once you've got the modified NGINX version installed on your server, it's time to edit the NGINX configuration so that NGINX will serve RTMP traffic.

The default configuration file location for NGINX is /usr/local/nginx/conf/nginx.conf
Add the following configuration to the end of this file:

rtmp {  
    server {
        listen 1935;
        chunk_size 8192;

        application stream {
            live on;
            record off;

            allow publish 127.0.0.1;
            deny publish all;
            allow play all;
        }
    }
}

Now you are ready to go, you can start nginx on your server

/usr/local/nginx/sbin/nginx


You can stop nginx like this:

/usr/local/nginx/sbin/nginx -s stop


Thanks for reading and have fun streaming!