Linux - Wireguard Server and Peer Configuration
Wireguard is a new VPN tool that is vastly easier to set up than the popular alternative OpenVPN. Reports also state that it is superior in speed and reliability.
Setup
General
Installation
Most package managers should have the required packages named
wireguard-tools wireguard-dkms
Install them on both your server and client(s).
Note: very soon, Wireguard will be built into the Linux kernel by default, and wireguard-dkms will no longer be needed.
Generation of private and public key pair
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Replace wg0 with your desired network device id throughout the article if needed.
This generates a private key, writes it as the PrivateKey line of /etc/wireguard/wg0.conf, and saves the matching public key to /etc/wireguard/publickey; the umask 077 makes the configuration file, which holds the private key, readable only by root. Run it on both your server and client(s).
Server
Edit /etc/wireguard/wg0.conf
[Interface]
# Private key, automatically generated by the above command on the server (should be only 44 characters as of writing)
PrivateKey = -auto generated-
# Private IPv4 and IPv6 address of the server for peers to communicate with when connected; you can replace `123.210` and `123:210` with anything you like throughout the article
Address = 10.123.210.1/24,fd00:123:210::1/112
# Listen port, can be any port you like, including 53 if you don't use it for DNS. Must be the same throughout the article.
ListenPort = 51820
# Set up IPv4 and IPv6 iptables rules to forward the peers' traffic through the server; not required if only a LAN connection is needed (optional). Replace eth0 with the server's internet-facing interface if it differs.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Save the configuration to the file on every shutdown; personally I prefer it off because I find it easier to edit the configuration directly rather than to rely on tools
SaveConfig = false

# CLIENT 1
[Peer]
# Public key of the peer, generated by the above command on the peer (also should be only 44 characters as of writing)
PublicKey = -auto generated and copied here-
# The peer's own tunnel addresses (the ones set as Address in its config). Each peer needs its own, non-overlapping AllowedIPs: Wireguard routes each prefix to exactly one peer, so giving every peer the whole 10.123.210.0/24 would leave only the last peer reachable
AllowedIPs = 10.123.210.2/32,fd00:123:210::2/128

# CLIENT 2
[Peer]
# Public key of the peer, generated by the above command on the peer (also should be only 44 characters as of writing)
PublicKey = -auto generated and copied here-
# The peer's own tunnel addresses, incremented for every client
AllowedIPs = 10.123.210.3/32,fd00:123:210::3/128

# ... More peers if required ...
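As an added check that is not part of the original article: a small script that parses a wg0.conf and flags [Peer] sections whose AllowedIPs overlap. Wireguard's cryptokey routing assigns each prefix to exactly one peer, so if two peers both list 10.123.210.0/24, only the last one configured receives traffic for that subnet and decrypted packets from the other are dropped as coming from a source outside its allowed range. The sample configs and their keys are constructed placeholders.

```python
import ipaddress
from itertools import combinations

def parse_wg_conf(text):
    """Parse a wg-quick config into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def peer_allowed_ips(sections):
    """Map each [Peer]'s PublicKey to its AllowedIPs as ip_network objects."""
    return {
        keys.get("PublicKey", f"peer{i}"):
            [ipaddress.ip_network(p.strip(), strict=False)
             for p in keys.get("AllowedIPs", "").split(",") if p.strip()]
        for i, (name, keys) in enumerate(sections) if name == "Peer"
    }

def overlapping_peers(peers):
    """(peer_a, peer_b, prefix_a, prefix_b) for every pair of peers whose AllowedIPs overlap."""
    return [(a, b, str(na), str(nb))
            for (a, nets_a), (b, nets_b) in combinations(peers.items(), 2)
            for na in nets_a for nb in nets_b
            if na.version == nb.version and na.overlaps(nb)]
def conflicts_in(conf_text):
    return overlapping_peers(peer_allowed_ips(parse_wg_conf(conf_text)))
# Constructed sample with placeholder keys: both peers are given the whole tunnel subnet.
BROKEN_CONF = """[Interface]
Address = 10.123.210.1/24,fd00:123:210::1/112
[Peer]
PublicKey = CLIENT1_PUBKEY_PLACEHOLDER
AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112
[Peer]
PublicKey = CLIENT2_PUBKEY_PLACEHOLDER
AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112
"""
# The same server config with one host address per peer, which is the correct form.
SHARED = "AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112"
FIXED_CONF = (BROKEN_CONF
              .replace(SHARED, "AllowedIPs = 10.123.210.2/32,fd00:123:210::2/128", 1)
              .replace(SHARED, "AllowedIPs = 10.123.210.3/32,fd00:123:210::3/128", 1))
```

Running conflicts_in(BROKEN_CONF) reports the IPv4 and IPv6 clash between the two peers, while conflicts_in(FIXED_CONF) returns an empty list.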
Additional step to allow forwarding (optional)
printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
Start the server
sudo systemctl enable --now wg-quick@wg0
Client(s)
Edit /etc/wireguard/wg0.conf
[Interface]
# Private key, automatically generated by the above command on the client (should be only 44 characters as of writing)
PrivateKey = -auto generated-
# Private IPv4 and IPv6 address of the client. Must be a static IP with no clashes, because Wireguard provides no DHCP as of writing. Change the `2` to an incremental number for every client
Address = 10.123.210.2/32,fd00:123:210::2/128
# DNS server to use, currently set to Cloudflare
DNS = 1.1.1.1

# SERVER
[Peer]
# Public key of the server, generated by the above command on the server (only 44 characters as of writing)
PublicKey = -auto generated and copied here-
# Public IP of the server and the port configured in the server
Endpoint = -public IP of server-:51820
# IP ranges Wireguard will route to the server and accept from it. Use one of the two AllowedIPs lines below.
# ROUTE ONLY VIRTUAL PRIVATE NETWORK TRAFFIC
# AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112
# ROUTE ALL INTERNET TRAFFIC LESS LAN THROUGH THE TUNNEL: every IPv4 range except 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and the multicast/reserved space above 224.0.0.0, all of IPv6, plus the tunnel subnet itself, which must be listed explicitly because 10.0.0.0/8 is excluded
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0, 10.123.210.0/24
# Constant pings to keep the connection alive and not time out on inactivity
PersistentKeepalive = 25
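The long AllowedIPs list above is easier to trust when recomputed than when copied. As an added example that is not from the original article, this script derives the "all internet less LAN" IPv4 list by carving the RFC 1918 ranges and the multicast/reserved block 224.0.0.0/3 out of 0.0.0.0/0 (which reproduces the article's 30 prefixes exactly) and lints a candidate AllowedIPs string for two properties: every prefix that must go through the tunnel is covered, and no LAN prefix overlaps it. The prefixes passed to the check are constructed sample values.

```python
import ipaddress

def exclude_prefixes(universe, excluded):
    """Minimal list of networks covering `universe` minus every network in
    `excluded`. All arguments must be the same IP version."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in map(ipaddress.ip_network, excluded):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))   # carve ex out of net
            elif not net.subnet_of(ex):
                nxt.append(net)                       # disjoint, keep as is
            # else: net lies entirely inside ex and is dropped
        remaining = nxt
    return sorted(remaining)

def check_allowed_ips(allowed, must_route, must_not_route):
    """Lint an AllowedIPs string: each `must_route` prefix must be fully covered
    and no `must_not_route` (LAN) prefix may overlap it. Returns a list of problems."""
    nets = [ipaddress.ip_network(a.strip()) for a in allowed.split(",")]
    problems = []
    for p in map(ipaddress.ip_network, must_route):
        if not any(p.version == n.version and p.subnet_of(n) for n in nets):
            problems.append(f"not routed through tunnel: {p}")
    for p in map(ipaddress.ip_network, must_not_route):
        for n in nets:
            if p.version == n.version and p.overlaps(n):
                problems.append(f"LAN prefix {p} leaks into tunnel via {n}")
    return problems

# The article's "all internet less LAN" IPv4 prefixes, copied from the client config.
ARTICLE_V4 = ("0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, "
              "64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, "
              "172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, "
              "176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, "
              "192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, "
              "193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4")
# RFC 1918 space plus multicast and reserved (224.0.0.0/3): the ranges the list leaves out.
EXCLUDED_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]

def article_list_matches():
    """True if carving EXCLUDED_V4 out of 0.0.0.0/0 reproduces the article's list exactly."""
    article = sorted(ipaddress.ip_network(a.strip()) for a in ARTICLE_V4.split(","))
    return exclude_prefixes("0.0.0.0/0", EXCLUDED_V4) == article
```

Because 10.0.0.0/8 is carved out, check_allowed_ips flags the server's tunnel address 10.123.210.1 as unreachable unless the tunnel subnet is appended to the list, and it flags a plain 0.0.0.0/0 list as routing LAN prefixes through the tunnel.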
Connect to server
sudo wg-quick up wg0
Connection information
You can run these commands to check the connection
sudo wg
ping 10.123.210.1
Disconnect from server
sudo wg-quick down wg0
Extra information
networkmanager-wireguard
If you use NetworkManager (especially nm-applet) you can install networkmanager-wireguard or networkmanager-wireguard-git (AUR) for Wireguard capabilities and configuration.
Forward other UDP ports to Wireguard port with iptables
On the server:
sudo iptables -t nat -I PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820
To disable:
sudo iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820
You can add these rules to the PostUp and PostDown lines of the server configuration. Don't forget ip6tables if needed.