In this quick tutorial I show you how to create a WireGuard VPN on a remote Linux server and connect a Linux client in 5 minutes.

On server and client

$ sudo apt install wireguard wireguard-tools - install wireguard

$ sudo su - change user to root

# cd /etc/wireguard - change folder

# umask 077 - set permissions for newly created files

# wg genkey | tee privatekey | wg pubkey > publickey - generate a private/public key pair; the private key stays on the machine that generated it, only the publickey file is ever copied to the other side

On server

Create wireguard server config file

In /etc/wireguard create wg0.conf with the content:

Make sure to change <server-private-key> to the contents of the server's privatekey file, <client-public-key> to the contents of the client's publickey file, and <default-network-interface> to the name of the server's internet-facing interface (eth0 or similar; ip route show default prints it). The /24 on Address gives the server a route to the whole tunnel subnet. The two FORWARD rules let packets pass between the tunnel and the rest of the system, and the MASQUERADE rule NATs the client's traffic to the server's public address, so everything the client sends into the tunnel is routed through the server to the internet. AllowedIPs in the [Peer] section is the only source address the server will accept from that client, so it must match the client's tunnel address.

[Interface]
Address = 10.10.10.1/24
PrivateKey = <server-private-key>
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <default-network-interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <default-network-interface> -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.10.10.2/32

Enable IP forwarding

# sysctl -w net.ipv4.ip_forward=1 - enable forwarding right away

To make the change survive a reboot, edit /etc/sysctl.conf:

# nano /etc/sysctl.conf

and change or insert the following line:

...
net.ipv4.ip_forward = 1
...

# sysctl -p - reload the file; it should print net.ipv4.ip_forward = 1

On client

Create wireguard client config file

In /etc/wireguard create wg0.conf with the content:

For routing your whole internet connection through the server, put 0.0.0.0/0, ::/0 in the AllowedIPs field. If you only want to reach the server (and the tunnel network) over the VPN, put the network address and mask there instead, e.g. 10.10.10.0/24 (or 10.10.10.1/32 for the server alone). On the client, AllowedIPs also decides which destinations are routed into the tunnel, so anything not listed leaves the machine unencrypted.

[Interface]
Address = 10.10.10.2
PrivateKey = <client-private-key>
ListenPort = 21841
# Use Cloudflare's resolvers (1.1.1.1) inside the tunnel so DNS queries do not leak to the local network; wg-quick needs resolvconf installed to apply this line
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

# Send a keepalive every 25 seconds so the NAT mapping stays open and the server can still reach the client
PersistentKeepalive = 25

On server and client

# chown -R root:root /etc/wireguard/ - make sure only root can access them

# chmod -R og-rwx /etc/wireguard/* - make sure only root can access them

# systemctl enable wg-quick@wg0.service - enable wireguard on startup

# wg-quick up wg0 - start up wireguard

Test it

# wg - print the current connection info

You should get something like this on the server side:

interface: wg0
  public key: <edited>
  private key: (hidden)
  listening port: 51820

peer: <edited>
  endpoint: <edited>:17205
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute, 40 seconds ago
  transfer: 30.70 MiB received, 29.97 MiB sent

And on the client side:

interface: wg0
  public key: <edited>
  private key: (hidden)
  listening port: 21841
  fwmark: 0xca6c

peer: <edited>
  endpoint: <edited>:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 40 seconds ago
  transfer: 56.52 MiB received, 107.58 MiB sent
  persistent keepalive: every 25 seconds

Check your public IP address (for example with a what-is-my-IP website). You should see the server's IP address, not your own.
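The "latest handshake" line in the wg output above is the quickest sign that a tunnel is actually alive: WireGuard re-handshakes about every two minutes while traffic flows, so a handshake much older than that, or none at all, means the peer is unreachable even though the interface is up. The following check, an added example that is not part of the original tutorial, reads the tab-separated output of wg show wg0 dump (one interface line, then one line per peer, with the latest handshake as a Unix timestamp in the fifth field and 0 meaning "never", as documented in wg(8)) and reports peers whose handshake is older than a threshold. The sample dump, the peer names and the timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the tutorial: flag WireGuard peers with a stale or
# missing handshake from `wg show <iface> dump` output.

# stale_peers DUMP NOW MAX_AGE_SECONDS
#   Prints "<peer-public-key> <age-in-seconds>" for each peer whose latest
#   handshake is older than MAX_AGE_SECONDS, or "<peer-public-key> never"
#   when the peer has never completed a handshake (timestamp 0).
stale_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                  # first line describes the interface
        NF < 5  { next }                  # skip blank or malformed lines
        $5 == 0 { print $1, "never"; next }
        now - $5 > max { print $1, now - $5 }
    '
}

# count_stale DUMP NOW MAX_AGE_SECONDS: number of stale peers, for alerting.
count_stale() {
    stale_peers "$1" "$2" "$3" | grep -c . || true
}

# check_live [IFACE] [MAX_AGE_SECONDS]: run the check against the live
# interface (needs root and wg installed). Default threshold 180 s, i.e.
# one missed rekey interval.
check_live() {
    stale_peers "$(wg show "${1:-wg0}" dump)" "$(date +%s)" "${2:-180}"
}

# Constructed sample in the dump format: interface line, then three peers.
# PEERA handshook 100 s before "now" (1700000100), PEERB 1100 s before,
# PEERC never. Keys and endpoints are placeholders.
sample_dump() {
    printf 'SERVERPRIV\tSERVERPUB\t51820\toff\n'
    printf 'PEERA\t(none)\t198.51.100.7:17205\t10.10.10.2/32\t1700000000\t32190000\t31430000\toff\n'
    printf 'PEERB\t(none)\t198.51.100.9:40001\t10.10.10.3/32\t1699999000\t1200\t900\toff\n'
    printf 'PEERC\t(none)\t(none)\t10.10.10.4/32\t0\t0\t0\toff\n'
}
```

Run it from cron or a monitoring agent as check_live wg0 and alert when it prints anything; a client that shows "never" has either the wrong server public key, the wrong endpoint, or UDP 51820 blocked in front of the server.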

Closing notes

You can add more clients by editing the server config file and adding one [Peer] section per client, each with that client's public key and a unique tunnel IP in AllowedIPs (10.10.10.3/32, 10.10.10.4/32, and so on); the matching client config uses that IP as its Address. Apply the change with wg-quick down wg0 && wg-quick up wg0, or, to add a peer without dropping existing sessions, wg syncconf wg0 <(wg-quick strip wg0).
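The steps above (key generation with umask 077, the server wg0.conf with its PostUp/PostDown rules, one client wg0.conf per peer) are easy to get subtly wrong when repeated for several clients. The script below is an added example, not the tutorial's own, that renders the same server and client config layout for a server plus any number of clients. The rendering functions take key material as arguments so they can be exercised without wg installed; gen_keypair wraps the wg genkey / wg pubkey pair from the tutorial, and provision ties it all together for real use. The interface name, endpoint address, client names and placeholder keys are assumptions. Note one trade-off against the manual flow: provision generates the client keys on the server, so each clients/<name>.conf contains a private key and must be handed to the client over a secure channel and deleted from the server afterwards.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: render WireGuard server and
# client configs for one server and N clients on the 10.10.10.0/24 tunnel.
set -eu

# Generate a key pair with wg; prints "<private-key> <public-key>".
gen_keypair() {
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# render_server_conf SERVER_PRIV WAN_IF PEERS
#   PEERS is a newline-separated list of "<client-public-key> <client-ip>".
#   Output matches the tutorial's server wg0.conf, one [Peer] per client.
render_server_conf() {
    srv_priv=$1; wan_if=$2; peers=$3
    cat <<EOF
[Interface]
Address = 10.10.10.1/24
PrivateKey = $srv_priv
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE
EOF
    printf '%s\n' "$peers" | while read -r pub ip; do
        [ -n "$pub" ] || continue
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip"
    done
}

# render_client_conf CLIENT_PRIV CLIENT_IP SERVER_PUB SERVER_ENDPOINT
#   Full-tunnel client config (0.0.0.0/0, ::/0) with keepalive and tunnel DNS.
render_client_conf() {
    cat <<EOF
[Interface]
Address = $2/32
PrivateKey = $1
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# count_peers CONF: number of [Peer] sections in a rendered config.
count_peers() {
    printf '%s\n' "$1" | grep -c '^\[Peer\]' || true
}

# provision WAN_IF SERVER_PUBLIC_IP CLIENT_NAME...
#   Run as root on the server with wg installed. Writes
#   /etc/wireguard/wg0.conf and one clients/<name>.conf per client,
#   assigning tunnel IPs 10.10.10.2, 10.10.10.3, ... in order.
#   Example: provision eth0 203.0.113.5 laptop phone
provision() {
    wan_if=$1; server_ip=$2; shift 2
    umask 077                           # keys and configs readable by root only
    srv=$(gen_keypair); srv_priv=${srv% *}; srv_pub=${srv#* }
    mkdir -p clients
    peers=""; n=2
    for name in "$@"; do
        kp=$(gen_keypair); cpriv=${kp% *}; cpub=${kp#* }
        render_client_conf "$cpriv" "10.10.10.$n" "$srv_pub" "$server_ip:51820" \
            > "clients/$name.conf"
        peers="${peers}${cpub} 10.10.10.${n}
"
        n=$((n + 1))
    done
    render_server_conf "$srv_priv" "$wan_if" "$peers" > /etc/wireguard/wg0.conf
}
```

After provision has run, bring the tunnel up with wg-quick up wg0 exactly as in the tutorial and copy each clients/<name>.conf to /etc/wireguard/wg0.conf on that client; because the private keys were generated on the server, remove the clients/ directory once the configs have been delivered.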

For more info visit the WireGuard homepage or Stavros Korokithakis's blog, which has a more detailed description of the configuration.