```bash
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools
```
`__PRIVATE_IP_OF_SERVER__` is a private IPv4 address for the server's end of the tunnel (like `10.90.0.1`); `__PRIVATE_KEY_FOR_SERVER__` is generated using the instructions in addendum 1. My main network interface is `ens3`; swap it for your primary network interface in the iptables statements below.

`/etc/wireguard/wg0.conf`:
```ini
[Interface]
Address = __PRIVATE_IP_OF_SERVER__/24
PrivateKey = __PRIVATE_KEY_FOR_SERVER__
ListenPort = 51820
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
```
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
```bash
yay -S wireguard-arch wireguard-tools
```
`__PRIVATE_IP_OF_CLIENT__` is a private IPv4 address you make up within the same subnet as `__PRIVATE_IP_OF_SERVER__` (like `10.90.0.15`); `__PUBLIC_KEY_OF_CLIENT__` and `__PRIVATE_KEY_OF_CLIENT__` are generated using the instructions in addendum 1. The `Peer` section refers to the server in this case.

`/etc/wireguard/wg0.conf`:
```ini
[Interface]
PrivateKey = __PRIVATE_KEY_OF_CLIENT__
Address = __PRIVATE_IP_OF_CLIENT__/24
[Peer]
PublicKey = __PUBLIC_KEY_OF_SERVER__
Endpoint = __PUBLIC_IP_OF_SERVER__:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 10
```
On the server, each client is added as a `[Peer]` section in the server config (`/etc/wireguard/wg0.conf`). To avoid restarting the wg-quick systemd service, you can use the `wg` CLI utility to add the client ("peer"). This only adds the peer to the running interface; you have to run the second command to write the in-memory state back to the config file.
```bash
# add the client as a peer on the running wg0 interface (server side, using the client's public key)
sudo wg set wg0 peer __PUBLIC_KEY_OF_CLIENT__ allowed-ips __PRIVATE_IP_OF_CLIENT__/32
# write the running state (including the new peer) back to /etc/wireguard/wg0.conf
sudo wg-quick save wg0
```
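As an added check (example code, not from the original post), the Python below parses a server-side wg0.conf of the shape above and flags the mistakes that are easy to make when pasting placeholders: a leftover `__KEY__` placeholder, a peer whose AllowedIPs is wider than its single tunnel address, and a PostUp rule with no matching PostDown. The sample config and the dummy key are constructed.

```python
import base64
import ipaddress
# Added example, not from the original post: sanity-check a server wg0.conf of the shape shown above.
def parse_wg_conf(text):
    """Return [(section, {key: value}), ...]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections
def is_wg_key(value):
    # A WireGuard key is 32 bytes of base64; a leftover __PLACEHOLDER__ fails to decode.
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False
def check_server_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    sections = parse_wg_conf(text)
    iface = next((s for n, s in sections if n == "Interface"), {})
    subnet = ipaddress.ip_interface(iface["Address"]).network
    findings = []
    if not is_wg_key(iface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is not a valid key")
    for i, peer in enumerate([s for n, s in sections if n == "Peer"], 1):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"peer {i}: PublicKey is not a valid key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            # Server side a client owns one tunnel address; anything wider routes other traffic into it.
            if net.num_addresses != 1 or net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"peer {i}: AllowedIPs {net} is not one host inside {subnet}")
    # Every -A rule in PostUp needs its -D twin in PostDown, or rules pile up across restarts.
    def rules(value, flag):
        return {r.strip().replace(f" {flag} ", " -X ") for r in value.split(";") if f" {flag} " in r}
    for rule in rules(iface.get("PostUp", ""), "-A") - rules(iface.get("PostDown", ""), "-D"):
        findings.append("PostUp rule without PostDown twin: " + rule.replace(" -X ", " -A "))
    return findings
DUMMY_KEY = base64.b64encode(bytes(32)).decode()  # constructed dummy, not a real key
SAMPLE = f"""[Interface]
Address = 10.90.0.1/24
PrivateKey = {DUMMY_KEY}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
[Peer]
PublicKey = __PUBLIC_KEY_OF_CLIENT__
AllowedIPs = 10.90.0.0/24
"""
```

Run `check_server_conf(open("/etc/wireguard/wg0.conf").read())` on the real file; the constructed `SAMPLE` above yields three findings.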
```bash
# /etc/sysctl.d/ip_forward.conf (apply without a reboot: sudo sysctl --system)
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
```bash
# keep the key file/shell readable only by the owner
umask 077
# generate a private key (wg genkey outputs the private key)
PRIVATE_KEY=$(wg genkey)
# derive the matching public key from the private key
PUBLIC_KEY=$(echo "$PRIVATE_KEY" | wg pubkey)
```
```bash
sudo wg show
```