Setup Linux Wireguard server and client
Posted: | Updated: | Tags: linux networking til
Server and client setup
Install WireGuard on both server and client
```bash
sudo apt install wireguard
```
Generate a key pair on each host. The private key never leaves the host that generated it; only the public key is exchanged with the other side. Run the command with a restrictive umask (or fix the file mode afterwards) so that the privatekey file is readable by root only.
```bash
wg genkey | tee privatekey | wg pubkey > publickey
```
Server configuration
Create and open the file /etc/wireguard/wg0.conf, insert the following block and replace the placeholders with your own values; the table below shows an example for each.
Variable | Example |
---|---|
<server-ip> | 10.0.1.1 |
<subnet> | 24 |
<interface> | eth0 (the server's internet-facing interface) |
<server-private-key> | kj202323j23mwnew0= |
<server-port> | 51820 |
```ini
[Interface]
Address = <server-ip>/<subnet>
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <interface> -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o <interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <interface> -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o <interface> -j MASQUERADE
ListenPort = <server-port>
PrivateKey = <server-private-key>
```
The PostUp rules accept forwarded traffic arriving on wg0 and NAT it out of <interface>; they only do something once IP forwarding is enabled in the kernel (see Miscellaneous). If the FORWARD chain's default policy is DROP, the replies coming back from <interface> towards wg0 need an accept rule as well. SaveConfig = true makes wg-quick rewrite wg0.conf from the running state when the interface goes down, so peers added with wg set are kept, but edits made to the file while the interface is up are overwritten.
Bring up WireGuard on the server
```bash
sudo wg-quick up wg0
```
Client configuration
Create and open the file /etc/wireguard/wg0.conf on the client, insert the following block and replace the placeholders with your own values; the table below shows an example for each.
Variable | Example |
---|---|
<client-ip> | 10.0.1.5 |
<subnet> | 24 |
<client-private-key> | k2je2lj92wnmm-1239 |
<server-public-key> | the contents of publickey generated on the server (never the server's private key) |
<server-public-ip> | the server's public IP address or DNS name |
<server-port> | 51820 |
<allowed-range> | 10.0.1.0/24 |
```ini
[Interface]
Address = <client-ip>/<subnet>
SaveConfig = true
ListenPort = 60270
FwMark = 0xca6c
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
AllowedIPs = <allowed-range>
Endpoint = <server-public-ip>:<server-port>
PersistentKeepalive = 30
```
AllowedIPs is WireGuard's cryptokey routing table: packets for these destinations are sent to this peer, and decrypted packets from this peer are only accepted if their source address lies in the range. With 10.0.1.0/24 only the VPN subnet goes through the tunnel. ListenPort and FwMark are optional on a client; if they are left out, wg-quick picks a random port and sets the fwmark itself when it needs one. PersistentKeepalive keeps the UDP mapping alive and is only needed for clients behind NAT.
Bring up WireGuard on the client.
```bash
sudo wg-quick up wg0
```
Add clients to the server
Register each client's public key on the server and restrict it to its own tunnel address (a /32): the server then only accepts packets from that peer carrying this source address and routes only this address to it.
```bash
sudo wg set wg0 peer <client-public-key> allowed-ips <client-ip>/32
```
With SaveConfig = true the peer is written to wg0.conf when the interface is brought down; without it, add a matching [Peer] block to the file by hand or the peer is gone after the next restart.
View WireGuard peers and their last handshake; this works on both server and client.
```bash
sudo wg
```
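The key generation at the top of this page (`wg genkey | tee privatekey | wg pubkey > publickey`) and the server and client configuration that follows, as one added example that is not code from this post or from the WireGuard project. It reimplements the X25519 derivation that wg pubkey performs so it runs offline; that part is not constant-time and is there to show what the key material is, not to replace wg genkey. The temporary directory standing in for /etc/wireguard, the host name vpn.example.org, the peer name laptop and the IPv4-only firewall rules are assumptions of the example.

```python
"""Offline WireGuard provisioning, following the page's procedure (added example,
not the page's or the WireGuard project's code).  Key derivation is pure-Python
X25519 (RFC 7748) so it runs without the wg binary; it is not constant-time,
so use `wg genkey | wg pubkey` on real hosts."""
import base64
import os
import tempfile

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, Montgomery ladder constant
BASE_U = 9        # u-coordinate of the generator

def clamp(private):
    """RFC 7748 decodeScalar25519: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar, u):
    """Montgomery ladder: u-coordinate of scalar * point on Curve25519."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def public_key(private):
    """What `wg pubkey` computes: X25519(clamped private, 9) as 32 little-endian bytes."""
    return x25519(clamp(private), BASE_U).to_bytes(32, "little")

def decode_key(text):
    """Parse a base64 WireGuard key, insisting on exactly 32 bytes."""
    raw = base64.b64decode(text, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return raw

def generate_keypair():
    """What `wg genkey | tee privatekey | wg pubkey > publickey` yields: (private, public)."""
    private = os.urandom(32)
    return base64.b64encode(private).decode(), base64.b64encode(public_key(private)).decode()

def render_server_conf(server_ip, subnet, port, server_private, wan_if, peers):
    """Server wg0.conf (IPv4 rules only); each client gets exactly its own /32."""
    lines = ["[Interface]", f"Address = {server_ip}/{subnet}", f"ListenPort = {port}",
             f"PrivateKey = {server_private}",
             f"PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
             f"PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE"]
    for name, client_public, client_ip in peers:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {client_public}", f"AllowedIPs = {client_ip}/32"]
    return "\n".join(lines) + "\n"

def render_client_conf(client_ip, subnet, client_private, server_public, endpoint, allowed="10.0.1.0/24"):
    """Client wg0.conf; pass allowed='0.0.0.0/0, ::/0' to send all traffic via the server."""
    return "\n".join(["[Interface]", f"Address = {client_ip}/{subnet}", f"PrivateKey = {client_private}", "",
                      "[Peer]", f"PublicKey = {server_public}", f"AllowedIPs = {allowed}",
                      f"Endpoint = {endpoint}", "PersistentKeepalive = 25"]) + "\n"

def write_conf(path, text):
    """Create the file with mode 0600: it holds a private key."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(text)

if __name__ == "__main__":
    srv_priv, srv_pub = generate_keypair()
    cli_priv, cli_pub = generate_keypair()
    out = tempfile.mkdtemp()  # stand-in for /etc/wireguard; vpn.example.org is a placeholder
    write_conf(os.path.join(out, "server-wg0.conf"), render_server_conf(
        "10.0.1.1", 24, 51820, srv_priv, "eth0", [("laptop", cli_pub, "10.0.1.5")]))
    write_conf(os.path.join(out, "client-wg0.conf"), render_client_conf(
        "10.0.1.5", 24, cli_priv, srv_pub, "vpn.example.org:51820"))
    print(f"configs written to {out}")
    print(f"or add the client to a running server: sudo wg set wg0 peer {cli_pub} allowed-ips 10.0.1.5/32")
```

Each side only ever sees the other side's public key; the rendered server file carries one [Peer] block per client with a /32, which is what the `wg set ... allowed-ips <client-ip>/32` command above produces on a running interface.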
Miscellaneous
Start WireGuard on system boot.
```bash
sudo systemctl enable wg-quick@wg0
```
To route all of the client's traffic through the server, replace the VPN network in AllowedIPs of the client's [Peer] section with 0.0.0.0/0, ::/0.
```ini
AllowedIPs = 0.0.0.0/0, ::/0
```
Allow forwarding on the server so it can route traffic to destinations outside the WireGuard network; without it the MASQUERADE rules in PostUp have nothing to forward. Add the following lines to /etc/sysctl.conf and apply them with sudo sysctl --system.
```
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
```
To remove a WireGuard peer, replace the fields with your own values.
```bash
sudo wg set <wg-interface> peer <public-key> remove
```
Resources
wireguard.conf by nealfennimore.