WireGuard
Server
Step 1 — Installing WireGuard and Generating a Key Pair
sudo apt install wireguard
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Step 2 — Choosing IPv4 and IPv6 Addresses
Step 3 — Creating a WireGuard Server Configuration
sudo vim /etc/wireguard/wg0.conf
[Interface]
PrivateKey = server_private_key
Address = 10.10.10.1/24
ListenPort = 53249
SaveConfig = true
Step 4 — Adjusting the WireGuard Server’s Network Configuration
sudo vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=1
sudo sysctl -p
# Output
net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
Step 5 — Configuring the WireGuard Server’s Firewall
ip route list default
# Output
default via 203.0.113.1 dev eth0 proto static
sudo vim /etc/wireguard/wg0.conf
At the bottom of the file, after the SaveConfig = true line, paste the following lines. The rules use ens3 as the egress interface; replace it with the interface name reported by ip route list default (eth0 in the output above). Note that these rules only handle traffic forwarded from the tunnel: if ufw is enabled, UDP port 53249 must also be allowed through it, otherwise peers cannot reach the server at all.
# replace ens3 with the interface name from ip route list default
PostUp = ufw route allow in on wg0 out on ens3
PostUp = iptables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens3
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
Step 6 — Starting the WireGuard Server
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
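The six server steps above, collected into one script as an added example (this is not code from the page it is based on). It assumes a Debian/Ubuntu host with ufw installed, is run as root with the argument apply, writes the forwarding settings as a sysctl.d drop-in instead of editing /etc/sysctl.conf, and additionally opens the UDP listen port in ufw, which the page's PostUp rules do not do. The interface detection and config rendering take their input as arguments so they can be checked without root or a live network.

```shell
#!/bin/sh
# Added example: one-shot WireGuard server bootstrap (Steps 1, 3, 4, 5, 6).
# Assumptions (not from the page): Debian/Ubuntu, ufw installed, run as root
# with "apply". Without "apply" only the functions are defined.
set -eu

WG_DIR=/etc/wireguard
WG_IF=wg0
WG_PORT=53249
WG_ADDR=10.10.10.1/24

# Pull the interface name out of `ip route list default` output, e.g.
# "default via 203.0.113.1 dev eth0 proto static" -> "eth0".
default_iface() {
    printf '%s\n' "$1" | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# A WireGuard key is 32 bytes in base64: exactly 44 characters, the last one '='.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Render wg0.conf for the given private key and egress interface.
render_server_conf() {
    key=$1; iface=$2
    cat <<EOF
[Interface]
PrivateKey = $key
Address = $WG_ADDR
ListenPort = $WG_PORT
SaveConfig = true

PostUp = ufw route allow in on $WG_IF out on $iface
PostUp = iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o $iface -j MASQUERADE
PreDown = ufw route delete allow in on $WG_IF out on $iface
PreDown = iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o $iface -j MASQUERADE
EOF
}

apply_server_setup() {
    apt-get install -y wireguard
    umask 077                                  # key files are created 0600 from the start
    mkdir -p "$WG_DIR"
    [ -f "$WG_DIR/private.key" ] || wg genkey > "$WG_DIR/private.key"
    wg pubkey < "$WG_DIR/private.key" > "$WG_DIR/public.key"
    priv=$(cat "$WG_DIR/private.key")
    valid_key "$priv" || { echo "malformed private key in $WG_DIR/private.key" >&2; exit 1; }
    iface=$(default_iface "$(ip route list default)")
    [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }
    render_server_conf "$priv" "$iface" > "$WG_DIR/$WG_IF.conf"
    # Forwarding as a drop-in; sysctl --system reloads it.
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' > /etc/sysctl.d/99-wireguard.conf
    sysctl --system > /dev/null
    ufw allow "$WG_PORT/udp"                    # the PostUp rules only cover forwarded traffic
    systemctl enable --now "wg-quick@$WG_IF.service"
    echo "server public key: $(cat "$WG_DIR/public.key")"
}

if [ "${1:-}" = "apply" ]; then
    apply_server_setup
fi
```

Run it as sh wg-server-setup.sh apply. The private key never leaves the 0600 file because umask is set before wg genkey runs, which removes the window the page's tee-then-chmod sequence leaves open.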
Peer
# create the directory first; piping mkdir's output into wg genkey does nothing useful
mkdir -p ~/wireguard && wg genkey | tee ~/wireguard/private.key
chmod go= ~/wireguard/private.key
cat ~/wireguard/private.key | wg pubkey | tee ~/wireguard/public.key
Creating the WireGuard Peer's Configuration File
Find the DNS resolver the peer currently uses (substitute the peer's own interface name for ens3); its address goes on the DNS line below:
resolvectl dns ens3
sudo vim /etc/wireguard/wg0.conf
Add the following lines to the file, substituting the peer's private key, the server's public key, the DNS resolver found above and the server's public IP address:
[Interface]
PrivateKey = peer_private_key
Address = 10.10.10.2/24
DNS =
[Peer]
PublicKey = server_public_key
AllowedIPs = 10.10.10.0/24
Endpoint = ip:53249
The first key is the private key generated on the peer. The Address line uses an IPv4 address from the subnet chosen earlier (10.10.10.2 here; the server holds 10.10.10.1). This page configures IPv4 only; if an IPv6 subnet was chosen as well, add a second Address line with the peer's IPv6 address.
The second key is the public key generated on the server. AllowedIPs = 10.10.10.0/24 tells the peer to send only traffic destined for the tunnel subnet through the VPN (a split tunnel); to route all of the peer's traffic through the server instead, use 0.0.0.0/0 (and ::/0 for IPv6). Endpoint is the server's public IP address followed by its ListenPort.
Adding the Peer's Public Key to the WireGuard Server
Check the public key on the WireGuard peer.
sudo cat ~/wireguard/public.key
Run the following command on your WireGuard server, substituting the peer's public key. The allowed-ips value is the peer's tunnel address as a /32 host route; 10.10.10.2 without a prefix length is treated as /32, which is what the output below shows.
sudo wg set wg0 peer "peer_key" allowed-ips 10.10.10.2
To update the allowed-ips for an existing peer, run the same command again with the new address; wg set replaces the peer's allowed-ips rather than adding to them. Because the server config has SaveConfig = true, peers added with wg set are written back to wg0.conf when the interface is brought down with wg-quick; until then they exist only in the running interface, and restarting the service before that point loses them.
Check the status of the tunnel on the server. A peer that has connected also shows endpoint, latest handshake and transfer lines; their absence below means this peer has not completed a handshake yet.
sudo wg
interface: wg0
public key: U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE=
private key: (hidden)
listening port: 53249
peer: PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg=
allowed ips: 10.10.10.2/32