How to Setup WireGuard

From Linux Delta

Author: Kernellinux


Overview

The following guide will walk you through setting up a WireGuard server and client. WireGuard is a free and open-source software application and communication protocol that implements virtual private network techniques to create secure point-to-point connections in routed or bridged configurations. It is run as a module inside the Linux kernel and aims for better performance than the IPsec and OpenVPN tunneling protocols.


System Requirements

1. A machine with Ubuntu 18.04 LTS or later


Step-By-Step Guide


Step 1: Add the WireGuard repository and install the software on the server.

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)


Step 2: Generate a public and private key pair and a preshared key on the server

umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genpsk > server_preshared_key

Step 3: Create the server configuration file (/etc/wireguard/wg0.conf) using the template provided here.

[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = 
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.100.100.2/32
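
The template above leaves PrivateKey, PublicKey and PresharedKey empty. As an added example (not part of the original guide), the functions below fill them from the Step 2 key files and the client public key generated in Step 7, reject anything that is not key-shaped, and create the file readable by its owner only. The function names and argument order are assumptions.

```bash
# Added example. Function names and argument order are assumptions;
# addresses, port and eth0 are the ones used in this guide's template.

# read_key FILE: print the key in FILE if it has the shape of a WireGuard key
# (32 bytes in base64: 43 characters followed by '=').
read_key() {
    local file="$1" key
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    key=$(tr -d '[:space:]' < "$file")
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "$file does not hold a WireGuard key" >&2
        return 1
    fi
    printf '%s' "$key"
}

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY PRESHARED_KEY OUTPUT
render_server_conf() {
    local priv pub psk out="$4"
    # Validate all three inputs before touching OUTPUT.
    priv=$(read_key "$1") || return 1
    pub=$(read_key "$2") || return 1
    psk=$(read_key "$3") || return 1
    (
        # The result contains the private key. Truncate and restrict the file
        # first, so an existing OUTPUT with loose permissions never holds it.
        umask 077
        : > "$out" && chmod 600 "$out" && cat >> "$out" <<EOF
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PrivateKey = $priv
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = $pub
PresharedKey = $psk
AllowedIPs = 10.100.100.2/32
EOF
    )
}

# Usage on the server, after copying client_public_key over from the client:
#   render_server_conf server_private_key client_public_key \
#       server_preshared_key /etc/wireguard/wg0.conf
```

Only the client's public key needs to be copied to the server; the client's private key stays on the client.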


Step 4: Enable IPv4 forwarding so that we can access the rest of the LAN and not just the server itself.

Open /etc/sysctl.conf and uncomment the following line (remove the leading #):

net.ipv4.ip_forward=1

Then restart the server, or use the following commands to make IP forwarding take effect without restarting the server:

sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward


Step 5: Start WireGuard on the Server and enable WireGuard to start automatically when the server starts.

chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service 


Step 6: Add the WireGuard repository and install the software on the client.

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools linux-headers-$(uname -r)


Step 7: Generate a public and private key pair on the client

umask 077
wg genkey | tee client_private_key | wg pubkey > client_public_key


Step 8: Create the client configuration file (/etc/wireguard/wg0-client.conf) using the template provided here.

[Interface]
Address = 10.100.100.2/32
PrivateKey =
[Peer]
PublicKey =
PresharedKey = 
Endpoint = :51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21


Step 9: Start the WireGuard Client

sudo wg-quick up wg0-client