wireguard

On Server

Install wireguard-tools on the server.

su root
cd /etc/wireguard

umask 077

wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
echo "
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PrivateKey = $(cat server_private_key)
ListenPort = 51900

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = $(cat client_public_key)
AllowedIPs = 10.0.0.2/32
" > /etc/wireguard/wg0.conf

Replace eth0 with the server's real upstream interface (ip route show default tells you which); %i in PostUp/PostDown is expanded by wg-quick to the tunnel interface name, and the MASQUERADE rule is what lets clients reach the internet through the server. SaveConfig = true makes wg-quick rewrite wg0.conf from the live interface state when the interface goes down, so peers added at runtime with wg set survive a restart, but edits made to the file while the interface is up are overwritten.
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/wg.conf
sysctl --system   # apply now; the file alone only takes effect at the next boot
chown -R root:root /etc/wireguard/
chmod -R og-rwx /etc/wireguard/*
systemctl enable --now wg-quick@wg0

Forward UDP port 51900 (WireGuard is UDP only; there is no TCP listener) from the router or cloud firewall to the server, and allow it through the server's own firewall.

Client

Be root.

Install wireguard-tools on the client.

Generate the client key pair on the client if you can and send only client_public_key to the server; a private key never needs to leave the machine it belongs to. If you generated both keys on the server as above, copy client_private_key and server_public_key to the client over a secure channel (or just fill in the variables).

server_ip=$PUBLIC_IP   # public IP address or DNS name of the server
umask 077

echo "
[Interface]
Address = 10.0.0.2/32
PrivateKey = $(cat client_private_key)
DNS = 9.9.9.9

[Peer]
PublicKey = $(cat server_public_key)
Endpoint = $server_ip:51900
AllowedIPs = 0.0.0.0/0, ::/0
" > /etc/wireguard/wg0-client.conf

wg-quick up wg0-client

AllowedIPs = 0.0.0.0/0, ::/0 sends all of the client's traffic through the tunnel (a full tunnel). The ::/0 entry pushes IPv6 into the tunnel as well instead of letting it leak around it, even though the server config above only carries IPv4. To reach only the VPN network, use AllowedIPs = 10.0.0.0/24 instead. Check the connection with wg show wg0-client: no "latest handshake" line almost always means the UDP port is not reachable or a key was mixed up.

Extras

Multiple Peers

Add multiple peers by giving each client its own [Peer] section in the server config. Every section is headed [Peer]; WireGuard tells them apart by PublicKey, so each peer needs its own key pair and its own non-overlapping AllowedIPs (10.0.0.3/32 for the next client, and so on), because the server picks the peer for an outgoing packet by AllowedIPs. A comment line (starting with #) above each section is the only way to label them.
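The following script is an added example, not part of the original page: it renders a server wg0.conf with any number of [Peer] sections and one client config per peer, tying the server and client steps above together and showing concretely how additional peers are numbered. It uses the same 10.0.0.0/24 subnet, port 51900 and eth0 as the page; key generation stays with wg genkey | wg pubkey, and the keys are passed in as arguments so the renderer runs without wg installed. The keys and the 203.0.113.10 endpoint in the demo are placeholders, and PersistentKeepalive is an addition the page does not have (it keeps NAT mappings alive for clients behind NAT).

```shell
#!/usr/bin/env bash
# Added example (not the page's own commands): render a WireGuard server
# config with N [Peer] sections plus one client config per peer.
set -eu

WG_SUBNET_PREFIX="10.0.0"               # same /24 as the page
WG_PORT=51900
WG_OUT_IFACE="${WG_OUT_IFACE:-eth0}"    # assumption: server's upstream interface

# render_server_conf SERVER_PRIVKEY "CLIENT_PUB_1 CLIENT_PUB_2 ..."
# Clients are numbered from .2 upward; .1 is the server itself.
render_server_conf() {
  local server_priv="$1" client_pubs="$2" host=2 pub
  printf '[Interface]\nAddress = %s.1/24\nListenPort = %s\nPrivateKey = %s\n' \
    "$WG_SUBNET_PREFIX" "$WG_PORT" "$server_priv"
  printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WG_OUT_IFACE"
  printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$WG_OUT_IFACE"
  for pub in $client_pubs; do
    # Each peer gets its own section, its own public key and a unique /32 in
    # AllowedIPs; WireGuard routes by AllowedIPs, so overlaps would make the
    # later peer unreachable.
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' \
      "$pub" "$WG_SUBNET_PREFIX" "$host"
    host=$((host + 1))
  done
}

# render_client_conf CLIENT_PRIVKEY SERVER_PUBKEY SERVER_ADDR HOST_NUMBER [ALLOWED_IPS]
# HOST_NUMBER must match the peer's slot in the server config (2, 3, ...).
# ALLOWED_IPS defaults to full tunnel as on the page; pass "10.0.0.0/24"
# for split tunnelling (only the VPN network goes through the tunnel).
render_client_conf() {
  local client_priv="$1" server_pub="$2" server_addr="$3" host="$4"
  local allowed="${5:-0.0.0.0/0, ::/0}"
  printf '[Interface]\nAddress = %s.%s/32\nPrivateKey = %s\nDNS = 9.9.9.9\n\n' \
    "$WG_SUBNET_PREFIX" "$host" "$client_priv"
  # PersistentKeepalive is an addition: keeps NAT mappings open from behind NAT.
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$server_pub" "$server_addr" "$WG_PORT" "$allowed"
}

# write_conf PATH CONTENT: create the file with mode 0600 regardless of the
# caller's umask, because it contains a private key.
write_conf() {
  local path="$1" content="$2"
  ( umask 077; printf '%s\n' "$content" > "$path" )
}

# count_peers PATH: number of [Peer] sections in a config file.
count_peers() {
  grep -c '^\[Peer\]$' "$1"
}

# Demo with placeholder keys (NOT real keys), run as:  ./wg-render.sh --demo
demo() {
  local dir; dir="$(mktemp -d)"
  write_conf "$dir/wg0.conf" "$(render_server_conf SERVER_PRIV_PLACEHOLDER 'ALICE_PUB_PLACEHOLDER BOB_PUB_PLACEHOLDER')"
  write_conf "$dir/alice.conf" "$(render_client_conf ALICE_PRIV_PLACEHOLDER SERVER_PUB_PLACEHOLDER 203.0.113.10 2)"
  write_conf "$dir/bob.conf" "$(render_client_conf BOB_PRIV_PLACEHOLDER SERVER_PUB_PLACEHOLDER 203.0.113.10 3 10.0.0.0/24)"
  echo "wrote $(count_peers "$dir/wg0.conf") peers to $dir/wg0.conf"
  ls -l "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The host number is the single piece of state shared between a server [Peer] section and the matching client config; if they disagree, the handshake still succeeds but the client's packets are dropped because their source address is not in the peer's AllowedIPs, which is a common cause of "connected but no traffic".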

Make a QR Code for Mobile Users

Make a standard client configuration, then:

qrencode -t ansiutf8 < /etc/wireguard/mobile_user.conf

The mobile WireGuard app imports the whole config by scanning this. The QR code contains the client's private key, so show it only on a screen nobody else can see, and delete the file (or at least keep it at mode 0600) once the phone has imported it.