How to install WireGuard VPN on QNAP NAS?

This article explains how to install a WireGuard VPN server on a QNAP NAS and how to set up WireGuard VPN clients on macOS and Linux, so that you can access the QNAP NAS remotely.


In the previous post, I talked about how to access a QNAP NAS remotely from an outside network without an auxiliary app. However, that approach is less secure than a VPN.

Why do you need a VPN?

QNAP provides a “QVPN Service” software to facilitate VPN settings. The built-in VPN servers include: QBelt, OpenVPN, WireGuard, etc. This article mainly introduces the configuration of WireGuard.

A virtual private network (VPN) extends a private network onto a public network, enabling a user to send and receive data to and from the private network across the public network, as if the user were directly connected to the private network. A VPN also uses asymmetric encryption to make communication more secure.

What is WireGuard?

WireGuard is an extremely simple and very fast cross-platform VPN tool that uses state-of-the-art cryptography and supports Windows, macOS, BSD, iOS and Android. It is designed to perform better than OpenVPN. For details, please refer to the official website.

QNAP: VPN Server Configuration

  1. Download the “QVPN Service” software in AppCenter
  2. Open “QVPN Service” and select “WireGuard” in “VPN Server”
  3. Server configuration
  • Fill in the “Server name”
  • Click “Generate Keypairs” to generate the public key and private key of the QNAP server. Here the public key is “BQ7s----”
  • “IP address” and “listening port”: keep the default values
  • “DNS Server”: any DNS server you like; you can also use the “DNS Quick Wizard” to select one quickly
  • Click on “Enable WireGuard VPN server”

At this point the server-side configuration is half complete. Next, go to the VPN client configuration below (MAC Client or Linux Client), and then return to the Peer configuration that follows.

  4. Peer configuration
  • Click on “Add Peer”
  • “Peer name”: The specific client name
  • “Public Key”: Fill in the client’s public key. In this article, the public key of the MAC client is “IYA7----”, and that of the Linux client is “bTST----”
  • “Allowed IPs”: The client IP address is generated by default; it needs to be consistent with the client’s “Interface.Address”, see below
  • “Persistent Keepalive”: 10 seconds by default; it needs to be consistent with the client’s “Peer.PersistentKeepalive”, see below

Finally, click “Apply” and wait for a while. We can see that network traffic is generated in “Tx/Rx” of the Peer Table, indicating that our tunnel is successfully established.

MAC: VPN Client Configuration

The configuration method of the MAC side is similar to that of the Windows side. Here, the MAC side is used as an example.

  1. Download the WireGuard software
    Download the macOS version of the WireGuard software here; the link jumps to the App Store for the download.
  2. Click “+” to create a new tunnel

By default, the public key and private key of the client are generated. Here, the public key is “IYA7----”. Fill in the tunnel name in “name”: “macos”. Check “ethernet” and “wi-fi” under on-demand. Then fill in the information in the text box below, as shown in the following figure. Note: [Interface] is client information, [Peer] is server information.

  • Interface.Address: IP address of the client in the VPN network, which must match the IP address assigned by “Add Peer” in the server-side configuration (see QNAP Server Configuration => Peer configuration => Allowed IPs; go back to the QNAP server side and click “Add Peer” to get this value)
  • Peer.PublicKey: Public key of the QNAP server. In this article, the public key of the QNAP server is “BQ7s----”
  • Peer.AllowedIPs: Which traffic is forwarded through the VPN tunnel. Here we fill in the VPN’s sub-network, which is 198.18.7.0/24. You can also fill in 0.0.0.0/0, which means all traffic is forwarded through the VPN tunnel
  • Peer.Endpoint: IP address and port number of the QNAP server. When testing in the LAN, we can fill in the LAN IP address of the QNAP, and change it to the WAN IP address of the QNAP when going outside
  • Peer.PersistentKeepalive: 10 here; keep it consistent with the peer on the server
  3. Click Save; a reminder will pop up, click “Allow”
  4. Go to “System Preferences”->“Network” on the MAC

You will find that a new virtual network “macos” has been added, which is the tunnel we just created. “Send” and “Received” are empty, indicating that there is no network traffic for the time being.

Now we go back to the QNAP server side->Peer Configuration to complete the Peer configuration.

Linux: VPN Client Configuration

The official documentation does not cover configuration of the Linux side. The configuration method is similar across Linux distributions. Here, the configuration on Alpine Linux is introduced.

  1. Download the software
$ apk add wireguard-tools
  2. Generate the client’s PublicKey and PrivateKey
$ wg genkey | tee private | wg pubkey > public
$ cat public
bTST----
$ cat private
kFq9----
  3. Create a tunnel configuration file: /etc/wireguard/firefox.conf

The configuration file must be placed in the /etc/wireguard/ directory. The name before .conf is the name of the virtual tunnel; the name used here is firefox.

The content of this configuration file is the same as the configuration of the MAC client; refer to the MAC client configuration section for the meaning of each field. Note: [Interface] is the client information, and [Peer] is the server information.

[Interface]
PrivateKey = kFq9----
Address = 198.18.7.4/32
[Peer]
PublicKey = BQ7s----
AllowedIPs = 198.18.7.0/24
Endpoint = 192.168.1.12:51820
PersistentKeepalive = 10
  4. Quickly configure the tunnel
$ wg-quick up firefox
  5. View the tunnel
$ ifconfig

You can see that one more virtual tunnel, named “firefox”, has been established.

Now we go back to the QNAP server side->Peer Configuration to complete the Peer configuration.
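
The consistency rules described above (the client's Interface.Address must match the server peer's “Allowed IPs”, PersistentKeepalive must agree on both sides, and Peer.AllowedIPs decides which traffic enters the tunnel) can be checked before the tunnel is brought up. The following Python check is an added example, not part of the original article or of WireGuard; the function names and finding labels are hypothetical, and the sample is the Linux client file from this article with its keys elided as on the page.

```python
import ipaddress

# Constructed sample: the Linux client file from this article, keys elided as on the page.
CLIENT_CONF = """\
[Interface]
PrivateKey = kFq9----
Address = 198.18.7.4/32
[Peer]
PublicKey = BQ7s----
AllowedIPs = 198.18.7.0/24
Endpoint = 192.168.1.12:51820
PersistentKeepalive = 10
"""

def parse_wg_conf(text):
    """Return (interface, [peers]). [Peer] may repeat, so configparser is not used."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            peers.append(cur := {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            cur[key.strip().lower()] = value.strip()
    return iface, peers

def nets(value):  # comma-separated CIDR list -> list of network objects
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def check_client(text, server_allowed_ips, server_keepalive):
    """Compare a client file with the values shown in the NAS 'Add Peer' dialog."""
    iface, peers = parse_wg_conf(text)
    findings = []
    addr = ipaddress.ip_interface(iface["address"].split(",")[0].strip())
    if not any(addr.ip in n for n in nets(server_allowed_ips)):
        findings.append("address-outside-server-allowed-ips")
    for p in peers:
        if int(p.get("persistentkeepalive", 0)) != server_keepalive:
            findings.append("keepalive-mismatch")
        if any(n.prefixlen == 0 for n in nets(p.get("allowedips", ""))):
            findings.append("full-tunnel")  # 0.0.0.0/0 or ::/0: all traffic enters the VPN
    return findings

def routed_via_tunnel(text, dest):
    """True if dest falls inside any peer's AllowedIPs, i.e. it is sent through the VPN."""
    ip = ipaddress.ip_address(dest)
    return any(ip in n for p in parse_wg_conf(text)[1] for n in nets(p.get("allowedips", "")))
```

Calling `check_client(CLIENT_CONF, "198.18.7.4/32", 10)` with the values from the “Add Peer” dialog returns an empty list when the two sides agree; `routed_via_tunnel` shows that with the 198.18.7.0/24 setting only VPN-subnet destinations use the tunnel.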

Not finished yet

Once everything is configured, you can enter the NAS’s VPN IP address to access the QNAP.

As mentioned above, in a LAN environment the client’s “Peer.Endpoint” can simply be the LAN IP address and port of the NAS, but in a WAN environment you need to fill in the public IP address or domain name of the NAS instead. You can refer to this article on how to apply for a free domain name for the NAS and configure DDNS to bind the public IP.

In general, the NAS is in a sub-network behind the router, so we need to configure port forwarding on the router and forward the router’s port 51820 to port 51820 on the NAS’s LAN IP. The specific configuration method is also described in this article.

References

1. Official configuration documentation
2. Alpine WireGuard Configuration
