Dawid Rycerz

WireGuard is a fast, simple (around 4k lines of code) and secure VPN. From my perspective as a user, configuration is as simple as with SSH.

Installation

Add the repository and install the package (for other systems, see the official docs).

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard

Ensure that IP forwarding is enabled in sysctl.

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf
echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/wg.conf
sysctl --system

Configuration

  1. Create server and client keys

    # Private keys must not be readable by other users
    umask 077
    wg genkey | tee server.private.key | wg pubkey > server.public.key
    wg genkey | tee client.private.key | wg pubkey > client.public.key
  2. touch /etc/wireguard/wg0.conf and put in the config for the VPN interface:

    [Interface]
    Address=<server VPN ip>/24
    PrivateKey = <server private key>
    ListenPort = 51820
    PostUp = iptables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE
    PostDown = iptables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE
    [Peer]
    PublicKey = <client public key>
    AllowedIPs = <client VPN ip>/32

    Example:

    [Interface]
    Address=192.168.101.1/24
    PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA=
    ListenPort = 51820
    PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
    PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
    [Peer]
    PublicKey = XKT1Ctj5b+gjXc1gMtOdxNEpc9UUM2TsXaFdAyABd3w=
    AllowedIPs = 192.168.101.2/32
  3. Run the VPN server with wg-quick up wg0

  4. Create the config for the client

    [Interface]
    Address = <client VPN ip>/24
    PrivateKey = <Client Private Key>
    ListenPort = 21841
    DNS = <dns ip 1>,<dns ip 2>
    [Peer]
    PublicKey = <server public key>
    Endpoint = <server bridge interface address>:51820
    AllowedIPs = 0.0.0.0/0

    Example:

    [Interface]
    Address = 192.168.101.2/32
    PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8=
    ListenPort = 21841
    DNS = 1.1.1.1,1.0.0.1
    [Peer]
    PublicKey = ccDLW5zKussL3ejxMqWpx1uZMfN09bkGAirCWXZWp0s=
    Endpoint = 192.168.1.5:51820
    AllowedIPs = 0.0.0.0/0
  5. Install the client software (https://www.wireguard.com/install/) and paste in the client config
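
A check to run over the server config from step 2 before wg-quick up, as an added example that is not part of the original post: it flags a config file that group or other can access (it contains the private key) and any [Peer] whose AllowedIPs is wider than a single host or overlaps another peer's. The function names are hypothetical, and the one-host-per-peer rule is an assumption taken from the /32 entries in the server config above.

```python
import ipaddress
import stat

def parse_wg_conf(text):
    """Return [(section, {key: value})] in file order; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint_server_conf(text, mode):
    """Return findings for a server config; mode is os.stat(path).st_mode."""
    findings, seen = [], []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # the file holds PrivateKey
        findings.append("file is accessible to group/other: chmod 600")
    peers = [opts for name, opts in parse_wg_conf(text) if name == "Peer"]
    for peer, opts in enumerate(peers, 1):
        for cidr in opts.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:  # empty value or an unfilled <placeholder>
                findings.append(f"Peer {peer}: bad AllowedIPs entry {cidr.strip()!r}")
                continue
            # Policy assumed from the server config above: one host route per client.
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"Peer {peer}: {net} is wider than one host")
            for other, owner in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"Peer {peer}: {net} overlaps peer {owner}")
            seen.append((net, peer))
    return findings

# Constructed sample: key values are placeholders, addresses follow the example above.
SAMPLE = """[Interface]
Address=192.168.101.1/24
PrivateKey = <server private key>
[Peer]
PublicKey = <client 1 public key>
AllowedIPs = 192.168.101.2/32
[Peer]
PublicKey = <client 2 public key>
AllowedIPs = 192.168.101.0/24
"""
```

Calling lint_server_conf(SAMPLE, 0o100644) reports three findings: the file mode, the /24 on peer 2, and its overlap with peer 1. For a real file, pass open(path).read() and os.stat(path).st_mode.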