WireGuard

Server

Step 1 — Installing WireGuard and Generating a Key Pair

sudo apt install wireguard
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Step 2 — Choosing IPv4 and IPv6 Addresses

Step 3 — Creating a WireGuard Server Configuration

sudo vim /etc/wireguard/wg0.conf
[Interface]
PrivateKey = server_private_key
Address = 10.10.10.1/24
ListenPort = 53249
SaveConfig = true

Step 4 — Adjusting the WireGuard Server’s Network Configuration

sudo vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
sudo sysctl -p
# Output
net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

Step 5 — Configuring the WireGuard Server’s Firewall

ip route list default
# Output
default via 203.0.113.1 dev eth0 proto static
sudo vim /etc/wireguard/wg0.conf

At the bottom of the file after the SaveConfig = true line, paste the following lines:

# replace ens3 with the uplink interface shown by `ip route list default` (eth0 in the output above)
PostUp = ufw route allow in on wg0 out on ens3
PostUp = iptables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens3
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

Step 6 — Starting the WireGuard Server

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
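The interface-name comment in Step 5 and the placeholder values in Step 3 are the two things that most often break a first `wg-quick` start. The script below is an added example, not part of the original notes: it derives the uplink interface from an `ip route list default` line, renders the Step 5 hook lines for it, and checks a config for leftover placeholders (the names used in these notes) or hooks that name more than one interface. The sample config it writes is constructed here from the Step 3 and Step 5 values.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the Step 5 hooks from the
# default-route interface and sanity-check wg0.conf before `wg-quick` starts it.

# Print the interface that follows "dev" in one `ip route list default` line.
default_iface_from() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Render the six firewall/NAT hook lines for the given uplink interface.
render_nat_hooks() {
    iface="$1"
    cat <<EOF
PostUp = ufw route allow in on wg0 out on $iface
PostUp = iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o $iface -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on $iface
PreDown = iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o $iface -j MASQUERADE
EOF
}

# Return 0 only if no placeholder from the notes remains (server_private_key,
# peer_key, "ip:" endpoint, empty DNS, ...) and every hook names one interface.
check_wg_conf() {
    conf="$1"
    if grep -Eq 'server_private_key|peer_private_key|server_public_key|peer_key|= *ip:|^DNS *= *$' "$conf"; then
        echo "$conf: placeholder value still present" >&2
        return 1
    fi
    ifaces=$(awk '/^(PostUp|PreDown) *=/ { for (i = 2; i <= NF; i++)
                if ($i == "-o" || ($(i-1) == "out" && $i == "on")) print $(i + 1) }' "$conf" | sort -u)
    if [ -z "$ifaces" ] || [ "$(printf '%s\n' "$ifaces" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "$conf: hooks reference no interface or several: $ifaces" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the Step 3 server config plus hooks rendered from the
# route line shown in Step 5 (eth0). The private key is still a placeholder.
sample_conf=$(mktemp)
{
    printf '[Interface]\nPrivateKey = server_private_key\nAddress = 10.10.10.1/24\n'
    printf 'ListenPort = 53249\nSaveConfig = true\n'
    render_nat_hooks "$(default_iface_from 'default via 203.0.113.1 dev eth0 proto static')"
} > "$sample_conf"
check_wg_conf "$sample_conf" || echo "fix the placeholders in $sample_conf, then rerun"
```

Run `check_wg_conf /etc/wireguard/wg0.conf` on the real file after filling in the keys; a zero exit means the file has no obvious leftovers from these notes.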

Peer

mkdir -p ~/wireguard && wg genkey | sudo tee ~/wireguard/private.key
sudo chmod go= ~/wireguard/private.key
sudo cat ~/wireguard/private.key | wg pubkey | sudo tee ~/wireguard/public.key

Creating the WireGuard Peer’s Configuration File

sudo vim /etc/wireguard/wg0.conf
# shows the DNS server(s) ens3 currently uses; put one of them in the DNS line below
resolvectl dns ens3

Add the following lines to the file, substituting your own values for the placeholders as required:

[Interface]
PrivateKey = peer_private_key
Address = 10.10.10.2/24
DNS = dns_server_ip

[Peer]
PublicKey = server_public_key
AllowedIPs = 10.10.10.0/24
Endpoint = ip:53249

The first key is the private key generated on the peer. The Address line uses an IPv4 address from the subnet chosen earlier. If you also chose an IPv6 subnet, add a second Address line with an address from it.

The second key is the public key generated on the server. AllowedIPs lists the VPN range(s) chosen before and instructs the peer to send traffic over the tunnel only when the destination address falls in one of them; here only the IPv4 range is given. Add the IPv6 range as well if you use one, or omit IPv6 entirely if you are only using the IPv4 connection.

Adding the Peer's Public Key to the WireGuard Server

Check the public key on the WireGuard peer.

sudo cat ~/wireguard/public.key

Run the following command on your WireGuard server.

sudo wg set wg0 peer "peer_key" allowed-ips 10.10.10.2

To update the allowed-ips for an existing peer, run the above command again with the new IP address.

Check the status of the tunnel on the server.

sudo wg
interface: wg0
 public key: U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=
 private key: (hidden)
 listening port: 53249

peer: PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg=
 allowed ips: 10.10.10.2/32
