wireguard
On Server
Install wireguard-tools on the server.
1sudo -i
1cd /etc/wireguard
umask 077
1wg genkey | tee server_private_key | wg pubkey > server_public_key
1wg genkey | tee client_private_key | wg pubkey > client_public_key
1 echo "
2 [Interface]
3 Address = 10.0.0.1/24
4 SaveConfig = true
5 PrivateKey = $(cat server_private_key)
6 ListenPort = 51900
7
8 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9 PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
10
11 [Peer]
12 PublicKey = $(cat client_public_key)
13 AllowedIPs = 10.0.0.2/32
14 " > /etc/wireguard/wg0.conf
1echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/wg.conf
1systemctl enable --now wg-quiqck@wg0
1chown -R root:root /etc/wireguard/
1chmod -R og-rwx /etc/wireguard/\*
Forward traffic from port 51900 to the server.
Client
Be root.
Install wireguard-tools on the client.
Copy the client private key and server public key to the server (or just fill in the variables).
server_ip=your server's public ip
echo "
[Interface]
Address = 10.0.0.2/32
PrivateKey = $(cat client_private_key)
DNS = 9.9.9.9
[Peer]
PublicKey = $(cat server_public_key)
Endpoint = $(echo $server_ip:51900)
AllowedIPs = 0.0.0.0/0, ::/0
" > /etc/wireguard/wg0-client.conf
wg-quick up wg0-client
Extras
Multiple Peers
Add multiple peers by copying the [peer] section (they each get called peer).
Make a QR Code for Mobile Users
Make a standard client configuration, then:
1qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf