WireGuard
This guide covers setting up a WireGuard VPN server and client.
Server Side Setup
1. Update System
Log into your server and make sure the system is up to date.
apt-get update && apt-get upgrade
Reboot if there are updates that require it.
2. Enable IP Forwarding
We need to enable IP forwarding. IP forwarding is the ability of an operating system to accept packets arriving on one interface that are not addressed to the system itself and pass them on to another network; the VPN server needs it to route the clients' traffic out to the internet.
Edit the file /etc/sysctl.conf and uncomment the line:
net.ipv4.ip_forward=1
Now reboot or run this command to activate the change:
sysctl -p
3. Install WireGuard
Run the command below to install WireGuard:
apt-get install wireguard
4. Configure WireGuard Server
Go to the WireGuard config directory:
cd /etc/wireguard
Generate the public and private keys for the server:
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
View the private key to copy it for the server config file:
cat privatekey
Create the /etc/wireguard/wg0.conf file:
vim /etc/wireguard/wg0.conf
Add the following configuration (replace <Your Private Key Goes Here> with the private key you just copied, and replace eth0 in the PostUp/PostDown lines with the name of the server's internet-facing interface if it differs):
[Interface]
PrivateKey = <Your Private Key Goes Here>
Address = 10.100.10.100/24
ListenPort = 51820
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
5. Start & Stop the Server
To test that the server works, bring up the interface:
wg-quick up wg0
To take it down:
wg-quick down wg0
To enable the wg0 interface on boot:
systemctl enable wg-quick@wg0
Manage the service:
systemctl start wg-quick@wg0
systemctl stop wg-quick@wg0
systemctl status wg-quick@wg0
Linux Client Side Setup
1. Install WireGuard
Make sure the system is up to date.
apt-get update && apt-get upgrade
Install WireGuard:
apt-get install wireguard
2. Configure Client Side
Go to the WireGuard config directory:
cd /etc/wireguard
Generate the public and private keys for the client:
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
View and copy the private key:
cat privatekey
Create the /etc/wireguard/wg-client.conf file:
vim /etc/wireguard/wg-client.conf
Add the following configuration (replace the placeholders; AllowedIPs = 0.0.0.0/0 routes all of the client's IPv4 traffic through the tunnel, and Endpoint is the server's public IP address or hostname):
[Interface]
PrivateKey = <Your Client Private Key Goes Here>
Address = 10.100.10.150/24
DNS = 1.1.1.1
[Peer]
PublicKey = <Server Public Key>
AllowedIPs = 0.0.0.0/0
Endpoint = <Server IP Address>:51820
Test the client:
wg-quick up wg-client
wg-quick down wg-client
3. Adding Clients to Server
To add a client as a peer on the server, you can use the wg command.
Add a peer:
wg set wg0 peer <Client Public Key> allowed-ips <Client IP Address>
Example:
wg set wg0 peer cVU13uIpVWxCPE4RYWawViI= allowed-ips 10.100.10.150
To remove a client peer:
wg set wg0 peer <Client Public Key> remove
Example:
wg set wg0 peer c0PKOPgKlrla+c9SwU= remove
Note: Once both sides have been configured and WireGuard restarted, the systems should be able to communicate.
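To avoid registering a peer with a mistyped key or an address outside the tunnel, here is an added shell helper that validates both inputs before calling wg set and prints the allowed-ips it would use. It is not part of the original guide; the interface name wg0, the 10.100.10.0/24 subnet and the server address 10.100.10.100 are taken from the configuration above, and the sample key is a constructed placeholder, not a real client's key. Because the server config sets SaveConfig = true, a peer added with wg set is written back to wg0.conf when the interface is taken down, so it survives a restart.

```shell
#!/bin/sh
# Added example, not part of the original guide: validate a client's public
# key and tunnel address before passing them to `wg set`, so a mistyped key
# or an address outside the tunnel subnet is rejected instead of silently
# creating a peer that can never connect.
#
# Assumptions (taken from the guide above): the server interface is wg0, the
# tunnel subnet is 10.100.10.0/24 and the server itself holds 10.100.10.100.

WG_IFACE="wg0"
VPN_PREFIX="10.100.10."
SERVER_HOST="100"

# A WireGuard key is 32 bytes of base64: 44 characters, the last one '='.
# 43 base64 characters carry 258 bits, so the low two bits of the last data
# character must be zero: it has to be one of A E I M Q U Y c g k o s w 0 4 8.
wg_key_valid() {
    key="$1"
    [ "${#key}" -eq 44 ] || return 1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # contains a non-base64 character
        *=) ;;                            # must end with the single pad '='
        *) return 1 ;;
    esac
    body="${key%=}"
    case "$body" in
        *=*) return 1 ;;                  # '=' is only allowed as the final pad
        *[AEIMQUYcgkosw048]) return 0 ;;  # canonical final data character
        *) return 1 ;;
    esac
}

# The tunnel address must be a host in 10.100.10.0/24 other than the server's.
vpn_addr_valid() {
    addr="$1"
    case "$addr" in
        "$VPN_PREFIX"*) host="${addr#"$VPN_PREFIX"}" ;;
        *) return 1 ;;
    esac
    case "$host" in
        ''|*[!0-9]*) return 1 ;;          # last octet is not a plain number
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] && [ "$host" -ne "$SERVER_HOST" ]
}

# wg set treats a bare address as a /32; make that explicit.
peer_allowed_ips() {
    printf '%s/32\n' "$1"
}

# add_peer <client public key> <client tunnel address>
# Validates both inputs, then registers the peer on the running interface
# (needs root). With SaveConfig = true in wg0.conf the peer is persisted when
# the interface is brought down.
add_peer() {
    pubkey="$1"; addr="$2"
    if ! wg_key_valid "$pubkey"; then
        echo "refusing: '$pubkey' is not a 44-character base64 WireGuard key" >&2
        return 2
    fi
    if ! vpn_addr_valid "$addr"; then
        echo "refusing: '$addr' is not a client address in ${VPN_PREFIX}0/24" >&2
        return 3
    fi
    wg set "$WG_IFACE" peer "$pubkey" allowed-ips "$(peer_allowed_ips "$addr")"
}

# Constructed sample inputs (placeholder key, not a real client's key).
SAMPLE_KEY="0123456789abcdefghijklmnopqrstuvwxyzABCDEFA="
SAMPLE_ADDR="10.100.10.150"

# Dry run of the validation only; call add_peer as root to change the interface.
if wg_key_valid "$SAMPLE_KEY" && vpn_addr_valid "$SAMPLE_ADDR"; then
    echo "would run: wg set $WG_IFACE peer $SAMPLE_KEY allowed-ips $(peer_allowed_ips "$SAMPLE_ADDR")"
fi
```

Source the file on the server and call add_peer "<Client Public Key>" 10.100.10.151 as root; a key of the wrong length or an address that is not a free host in the tunnel subnet is refused before wg set is ever invoked.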
4. Test Client and Server Connectivity
Check WireGuard status:
wg show
Ping the server from the client:
ping 10.100.10.100
Test internet connectivity:
ping 1.1.1.1
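A ping proves one tunnel works right now; on a server with several clients you usually want to know which peers have actually completed a recent handshake. The following added script (not part of the original guide) parses the machine-readable output of wg show wg0 dump and lists peers that never handshaked or whose last handshake is older than a threshold. The interface name wg0 comes from the guide; the embedded dump is a constructed sample with placeholder keys and documentation IP ranges, in the column layout wg prints.

```shell
#!/bin/sh
# Added example, not part of the original guide: report which peers on the
# server have not completed a recent handshake, using `wg show <iface> dump`.
#
# `wg show wg0 dump` prints one tab-separated line for the interface
#   private-key  public-key  listen-port  fwmark
# followed by one line per peer
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
# where latest-handshake is a Unix timestamp and 0 means the peer never connected.

WG_IFACE="wg0"
MAX_AGE=180   # a peer that is passing traffic renegotiates roughly every two minutes

# stale_peers NOW MAX_AGE   (reads a dump on stdin)
# Prints "<public-key> <allowed-ips> <status>" for every peer that never
# handshaked or whose last handshake is older than MAX_AGE seconds.
stale_peers() {
    awk -F'\t' -v now="$1" -v max_age="$2" '
        NR == 1 { next }                 # interface line, not a peer
        NF < 8  { next }                 # ignore anything that is not a peer line
        {
            hs = $5 + 0
            if (hs == 0) { print $1, $4, "never-handshaked"; next }
            age = now - hs
            if (age > max_age) { print $1, $4, "stale " age "s" }
        }'
}

# Constructed sample dump (placeholder keys, not real ones): one peer that
# handshaked 100 s before the reference time, one that never connected, and
# one whose last handshake is hours old.
SAMPLE_DUMP=$(
printf 'SERVER_PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n'
printf 'CLIENT_A_PUBLIC_KEY_PLACEHOLDER\t(none)\t203.0.113.10:41641\t10.100.10.150/32\t1700000000\t12345\t67890\toff\n'
printf 'CLIENT_B_PUBLIC_KEY_PLACEHOLDER\t(none)\t(none)\t10.100.10.151/32\t0\t0\t0\toff\n'
printf 'CLIENT_C_PUBLIC_KEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.100.10.152/32\t1699990000\t100\t200\t25\n'
)
SAMPLE_NOW=1700000100   # reference "current time" for the constructed sample

# With --live, inspect the running interface (needs root); otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    wg show "$WG_IFACE" dump | stale_peers "$(date +%s)" "$MAX_AGE"
else
    printf '%s\n' "$SAMPLE_DUMP" | stale_peers "$SAMPLE_NOW" "$MAX_AGE"
fi
```

Run it with --live on the server as root; peers listed as never-handshaked usually have a wrong public key or endpoint on one side, while a peer that handshaked once and is now stale has simply gone idle or lost connectivity, which wg show alone does not distinguish at a glance.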
Turning on the UFW Firewall on the Server
It is easy to enable the UFW firewall. Allow port 22 (TCP) for SSH management and 51820 (UDP) for WireGuard before running ufw enable, so the firewall does not cut off the SSH session you are managing the server from.
ufw allow 22/tcp
ufw allow 51820/udp
ufw enable