{"version":"https://jsonfeed.org/version/1.1","title":"Jaryl Chng's Knowledge Base","home_page_url":"https://kb.jarylchng.com","feed_url":"https://kb-jarylchng-com.pages.dev/json/","description":"<p>Welcome to the index page of my knowledge base. If you haven't done so, do visit my website at <a href=\"https://jarylchng.com\" rel=\"noopener noreferrer\" target=\"_blank\">https://jarylchng.com</a>.</p><p>I will mainly use this site to document stuff, most of which will likely be in the public domain.</p>","icon":"https://kb-static.jarylchng.com/kb-jarylchng-com/production/images/channel-c68f1f55f856ab833b4365991609dbec.png","favicon":"https://kb-static.jarylchng.com/kb-jarylchng-com/production/images/favicon-b94914f57599a477f9f72dab6bc71001.png","authors":[{"name":"Jaryl Chng"}],"language":"en-us","items":[{"id":"cGYI6ANCvu6","title":"Linux - Wireguard Server and Peer Configuration","url":"https://kb.jarylchng.com/i/linux-wireguard-server-and-peer-configuration-cGYI6ANCvu6/","content_html":"<p>WireGuard is a VPN tool that is vastly easier to set up than the popular alternative OpenVPN. 
It is also widely reported to be faster and more reliable.</p><h2>Setup</h2><h3>General</h3><h4>Installation</h4><p>Most package managers should have the required packages named</p><p>wireguard-tools wireguard-dkms</p><p>Install them on both your server and client(s).</p><p>Note: WireGuard has been built into the mainline Linux kernel since 5.6, so wireguard-dkms is only needed on older kernels; wireguard-tools, which provides wg and wg-quick, is always required.</p><h4>Generation of private and public key pair</h4><pre class=\"ql-syntax\" spellcheck=\"false\">(umask 077 &amp;&amp; printf \"[Interface]\\nPrivateKey = \" | sudo tee /etc/wireguard/wg0.conf &gt; /dev/null)\nwg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey\n</pre><p>Replace wg0 with your desired network device name throughout the article if needed.</p><p>This generates a private key, writes it as a configuration line to /etc/wireguard/wg0.conf and saves the matching public key to /etc/wireguard/publickey. The umask 077 makes the config file readable by root only, and the private key is never echoed to the terminal because tee's standard output is consumed by wg pubkey. Run it on the server and on every client; each host keeps its own private key, and only the contents of publickey are ever copied to another host.</p><h3>Server</h3><h4>Edit /etc/wireguard/wg0.conf</h4><pre class=\"ql-syntax\" spellcheck=\"false\">[Interface]\n# Private key, generated by the command above on the server (a 32-byte key, so exactly 44 characters in base64)\nPrivateKey = -auto generated-\n\n# Private IPv4 and IPv6 address of the server for peers to reach when connected; you can replace `123.210` and `123:210` with anything you like throughout the article\nAddress = 10.123.210.1/24,fd00:123:210::1/112\n\n# Listen port, can be any UDP port you like including 53 if you don't use it for DNS. 
Must match the port in every client's Endpoint.\nListenPort = 51820\n\n# iptables and ip6tables rules to forward peer traffic out through the server; replace eth0 with the server's Internet-facing interface. Not required if only the VPN subnet needs to be reachable (optional)\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n\n# Write the running configuration back to this file whenever the interface goes down; I keep it off because I find it easier to edit the file directly than to rely on tools\nSaveConfig = false\n\n\n# CLIENT 1\n[Peer]\n\n# Public key of the peer, generated by the command above on the peer (also 44 characters)\nPublicKey = -auto generated and copied here-\n\n# On the server, AllowedIPs is the set of source addresses this peer may use inside the tunnel, so give each peer only its own address. Cryptokey routing maps every range to exactly one peer: listing the whole 10.123.210.0/24 on each peer would silently hand it to the last peer loaded and break the others.\nAllowedIPs = 10.123.210.2/32,fd00:123:210::2/128\n\n\n# CLIENT 2\n[Peer]\n# Public key of the peer, generated by the command above on the peer (also 44 characters)\nPublicKey = -auto generated and copied here-\n\n# Next free address in 10.123.210.2-10.123.210.254 and fd00:123:210::2-fd00:123:210::ffff; it must match the Address in that client's own config\nAllowedIPs = 10.123.210.3/32,fd00:123:210::3/128\n\n# ... 
More peers if required ...\n</pre><h4>Additional step to allow forwarding (optional)</h4><pre class=\"ql-syntax\" spellcheck=\"false\">echo -e \"net.ipv4.ip_forward=1\\nnet.ipv6.conf.all.forwarding=1\" | sudo tee -a /etc/sysctl.d/99-sysctl.conf\nsudo sysctl --system\n</pre><p>sysctl --system reloads every file under /etc/sysctl.d; plain sysctl -p only reads /etc/sysctl.conf, so the new values would otherwise not apply until the next boot.</p><h4>Start the server</h4><pre class=\"ql-syntax\" spellcheck=\"false\">sudo systemctl enable --now wg-quick@wg0\n</pre><h3>Client(s)</h3><h4>Edit /etc/wireguard/wg0.conf</h4><pre class=\"ql-syntax\" spellcheck=\"false\">[Interface]\n# Private key, generated by the command above on the client (44 characters)\nPrivateKey = -auto generated-\n\n# Private IPv4 and IPv6 address of the client; must be static (no clashes) because WireGuard provides no DHCP. Increment the `2` for every client and use the same address in that client's AllowedIPs entry on the server\nAddress = 10.123.210.2/32,fd00:123:210::2/128\n\n# DNS server to use while the tunnel is up, currently set to Cloudflare. wg-quick applies it through resolvconf, so install openresolv (or resolvconf) on the client or drop this line\nDNS = 1.1.1.1\n\n\n# SERVER\n[Peer]\n# Public key of the server, generated by the command above on the server (44 characters)\nPublicKey = -auto generated and copied here-\n\n# Public IP address or DNS name of the server, and the ListenPort configured on it (not the server's key)\nEndpoint = -public IP or hostname of server-:51820\n\n# Destinations routed into the tunnel (and the source addresses accepted from the server)\n# AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112 # ROUTE ONLY VIRTUAL PRIVATE NETWORK TRAFFIC\n# The list below is 0.0.0.0/0 with the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 plus 224.0.0.0/3 cut out, followed by all of IPv6 and the VPN subnet itself (which sits inside the excluded 10.0.0.0/8 and must therefore be listed again)\nAllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0, 10.123.210.0/24 # ROUTE ALL INTERNET TRAFFIC LESS LAN THROUGH\n\n# Send an empty keepalive packet every 25 seconds so NAT and firewall state on the client side does not expire while the tunnel is idle\nPersistentKeepalive = 25\n</pre><h4>Connect to 
server</h4><pre class=\"ql-syntax\" spellcheck=\"false\">sudo wg-quick up wg0\n</pre><h4>Connection information</h4><p>You can run these commands to check the connection</p><pre class=\"ql-syntax\" spellcheck=\"false\">sudo wg\nping 10.123.210.1\n</pre><p>wg prints each peer's latest handshake and transfer counters; if no handshake appears after the ping, check the Endpoint, that the public keys were not mixed up, and that UDP port 51820 actually reaches the server.</p><h4>Disconnect from server</h4><pre class=\"ql-syntax\" spellcheck=\"false\">sudo wg-quick down wg0\n</pre><h2>Extra information</h2><h3>networkmanager-wireguard</h3><p>If you use NetworkManager (especially nm-applet) you can install networkmanager-wireguard or networkmanager-wireguard-git (AUR) for WireGuard capabilities and configuration. NetworkManager 1.16 and later also supports WireGuard natively, and nmcli connection import type wireguard file /etc/wireguard/wg0.conf creates a connection from the same file.</p><h3>Forward other UDP ports to WireGuard port with iptables</h3><p>On the server:</p><pre class=\"ql-syntax\" spellcheck=\"false\">sudo iptables -t nat -I PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820\n</pre><p>To disable:</p><pre class=\"ql-syntax\" spellcheck=\"false\">sudo iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820\n</pre><p>You can add it to PostUp and PostDown. Don't forget ip6tables if needed. Clients then put the chosen port in their Endpoint instead of 51820. Because WireGuard never answers a packet that fails authentication, listening on extra ports does not make the server easier to discover, but the REDIRECT captures every UDP packet to those ports on eth0, so do not use it on a host that actually serves DNS (53), NTP (123) or SNMP (161).</p><h3>More reading</h3><p><a href=\"https://wiki.jarylchng.com/en/operating-systems/linux/wireguard-server-and-peers-configuration\" rel=\"noopener noreferrer\" target=\"_blank\">https://github.com/pirate/wireguard-docs#Interface</a></p>","content_text":"WireGuard is a VPN tool that is vastly easier to set up than the popular\nalternative OpenVPN. 
It is also widely reported to be faster and more reliable.\n\n\nSETUP\n\n\nGENERAL\n\nINSTALLATION\n\nMost package managers should have the required packages named\n\nwireguard-tools wireguard-dkms\n\nInstall them on both your server and client(s).\n\nNote: WireGuard has been built into the mainline Linux kernel since 5.6, so\nwireguard-dkms is only needed on older kernels; wireguard-tools, which provides\nwg and wg-quick, is always required.\n\nGENERATION OF PRIVATE AND PUBLIC KEY PAIR\n\n(umask 077 && printf \"[Interface]\\nPrivateKey = \" | sudo tee /etc/wireguard/wg0.conf > /dev/null)\nwg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey\n\n\nReplace wg0 with your desired network device name throughout the article if\nneeded.\n\nThis generates a private key, writes it as a configuration line to\n/etc/wireguard/wg0.conf and saves the matching public key to\n/etc/wireguard/publickey. The umask 077 makes the config file readable by root\nonly, and the private key is never echoed to the terminal because tee's standard\noutput is consumed by wg pubkey. Run it on the server and on every client; each\nhost keeps its own private key, and only the contents of publickey are ever\ncopied to another host.\n\n\nSERVER\n\nEDIT /ETC/WIREGUARD/WG0.CONF\n\n[Interface]\n# Private key, generated by the command above on the server (a 32-byte key, so exactly 44 characters in base64)\nPrivateKey = -auto generated-\n\n# Private IPv4 and IPv6 address of the server for peers to reach when connected; you can replace `123.210` and `123:210` with anything you like throughout the article\nAddress = 10.123.210.1/24,fd00:123:210::1/112\n\n# Listen port, can be any UDP port you like including 53 if you don't use it for DNS. 
Must match the port in every client's Endpoint.\nListenPort = 51820\n\n# iptables and ip6tables rules to forward peer traffic out through the server; replace eth0 with the server's Internet-facing interface. Not required if only the VPN subnet needs to be reachable (optional)\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n\n# Write the running configuration back to this file whenever the interface goes down; I keep it off because I find it easier to edit the file directly than to rely on tools\nSaveConfig = false\n\n\n# CLIENT 1\n[Peer]\n\n# Public key of the peer, generated by the command above on the peer (also 44 characters)\nPublicKey = -auto generated and copied here-\n\n# On the server, AllowedIPs is the set of source addresses this peer may use inside the tunnel, so give each peer only its own address. Cryptokey routing maps every range to exactly one peer: listing the whole 10.123.210.0/24 on each peer would silently hand it to the last peer loaded and break the others.\nAllowedIPs = 10.123.210.2/32,fd00:123:210::2/128\n\n\n# CLIENT 2\n[Peer]\n# Public key of the peer, generated by the command above on the peer (also 44 characters)\nPublicKey = -auto generated and copied here-\n\n# Next free address in 10.123.210.2-10.123.210.254 and fd00:123:210::2-fd00:123:210::ffff; it must match the Address in that client's own config\nAllowedIPs = 10.123.210.3/32,fd00:123:210::3/128\n\n# ... 
More peers if required ...\n\n\nADDITIONAL STEP TO ALLOW FORWARDING (OPTIONAL)\n\necho -e \"net.ipv4.ip_forward=1\\nnet.ipv6.conf.all.forwarding=1\" | sudo tee -a /etc/sysctl.d/99-sysctl.conf\nsudo sysctl --system\n\n\nsysctl --system reloads every file under /etc/sysctl.d; plain sysctl -p only\nreads /etc/sysctl.conf, so the new values would otherwise not apply until the\nnext boot.\n\n\nSTART THE SERVER\n\nsudo systemctl enable --now wg-quick@wg0\n\n\n\nCLIENT(S)\n\nEDIT /ETC/WIREGUARD/WG0.CONF\n\n[Interface]\n# Private key, generated by the command above on the client (44 characters)\nPrivateKey = -auto generated-\n\n# Private IPv4 and IPv6 address of the client; must be static (no clashes) because WireGuard provides no DHCP. Increment the `2` for every client and use the same address in that client's AllowedIPs entry on the server\nAddress = 10.123.210.2/32,fd00:123:210::2/128\n\n# DNS server to use while the tunnel is up, currently set to Cloudflare. wg-quick applies it through resolvconf, so install openresolv (or resolvconf) on the client or drop this line\nDNS = 1.1.1.1\n\n\n# SERVER\n[Peer]\n# Public key of the server, generated by the command above on the server (44 characters)\nPublicKey = -auto generated and copied here-\n\n# Public IP address or DNS name of the server, and the ListenPort configured on it (not the server's key)\nEndpoint = -public IP or hostname of server-:51820\n\n# Destinations routed into the tunnel (and the source addresses accepted from the server)\n# AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112 # ROUTE ONLY VIRTUAL PRIVATE NETWORK TRAFFIC\n# The list below is 0.0.0.0/0 with the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 plus 224.0.0.0/3 cut out, followed by all of IPv6 and the VPN subnet itself (which sits inside the excluded 10.0.0.0/8 and must therefore be listed again)\nAllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0, 10.123.210.0/24 # ROUTE ALL INTERNET TRAFFIC LESS LAN THROUGH\n\n# Send an empty keepalive packet every 25 seconds so NAT and firewall state on the client side does not expire while the tunnel is idle\nPersistentKeepalive = 25\n\n\nCONNECT TO SERVER\n\nsudo wg-quick up wg0\n\n\nCONNECTION INFORMATION\n\nYou can run these commands to check the connection\n\nsudo wg\nping 10.123.210.1\n\n\nwg prints each peer's latest handshake and transfer counters; if no handshake\nappears after the ping, check the Endpoint, that the public keys were not mixed\nup, and that UDP port 51820 actually reaches the server.\n\n\nDISCONNECT FROM 
SERVER\n\nsudo wg-quick down wg0\n\n\n\nEXTRA INFORMATION\n\n\nNETWORKMANAGER-WIREGUARD\n\nIf you use NetworkManager (especially nm-applet) you can install\nnetworkmanager-wireguard or networkmanager-wireguard-git (AUR) for WireGuard\ncapabilities and configuration. NetworkManager 1.16 and later also supports\nWireGuard natively, and nmcli connection import type wireguard file\n/etc/wireguard/wg0.conf creates a connection from the same file.\n\n\nFORWARD OTHER UDP PORTS TO WIREGUARD PORT WITH IPTABLES\n\nOn the server:\n\nsudo iptables -t nat -I PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820\n\n\nTo disable:\n\nsudo iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820\n\n\nYou can add it to PostUp and PostDown. Don't forget ip6tables if needed. Clients\nthen put the chosen port in their Endpoint instead of 51820. Because WireGuard\nnever answers a packet that fails authentication, listening on extra ports does\nnot make the server easier to discover, but the REDIRECT captures every UDP\npacket to those ports on eth0, so do not use it on a host that actually serves\nDNS (53), NTP (123) or SNMP (161).\n\n\nMORE READING\n\nhttps://github.com/pirate/wireguard-docs#Interface","date_published":"2024-04-06T16:15:32.003Z","_microfeed":{"web_url":"https://kb-jarylchng-com.pages.dev/i/linux-wireguard-server-and-peer-configuration-cGYI6ANCvu6/","json_url":"https://kb-jarylchng-com.pages.dev/i/cGYI6ANCvu6/json/","rss_url":"https://kb-jarylchng-com.pages.dev/i/cGYI6ANCvu6/rss/","guid":"cGYI6ANCvu6","status":"published","itunes:episodeType":"full","date_published_short":"Sat Apr 06 2024","date_published_ms":1712420132003}}],"_microfeed":{"microfeed_version":"0.1.2","base_url":"https://kb-jarylchng-com.pages.dev","categories":[{"name":"Technology"}],"subscribe_methods":[{"name":"RSS","type":"rss","url":"https://kb-jarylchng-com.pages.dev/rss/","image":"https://kb-jarylchng-com.pages.dev/assets/brands/subscribe/rss.png","enabled":true,"editable":false,"id":"sQbXXExV58H"},{"name":"JSON","type":"json","url":"https://kb-jarylchng-com.pages.dev/json/","image":"https://kb-jarylchng-com.pages.dev/assets/brands/subscribe/json.png","enabled":true,"editable":false,"id":"nC8cjLCnOOi"}],"description_text":"Welcome to the index page of my knowledge base. If you haven't done so, do visit\nmy website at https://jarylchng.com.\n\nI will mainly use this site to document stuff, most of which will likely be in\nthe public 
domain.","copyright":"©2024","itunes:type":"episodic","items_sort_order":"newest_first"}}
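Added example for the WireGuard article carried in the feed above; it is not code from the page or its author. It parses a wg-quick configuration the way wg(8) reads it (comments after a value included), flags the two mistakes the article's server and client sections are prone to (every server peer claiming the whole 10.123.210.0/24 in AllowedIPs, which cryptokey routing resolves by giving the range to the last peer loaded, and a key pasted where the Endpoint host belongs), checks that keys are 32-byte base64 values, and rebuilds the client's "all Internet except LAN" AllowedIPs list from the excluded ranges using the standard-library ipaddress module. The sample configs and the placeholder keys are constructed for the example; generate real keys with wg genkey.

```python
"""Added example: offline sanity checks for a WireGuard wg-quick config. Flags an
Endpoint that is not host:port, keys that are not 32 bytes of base64 and peers whose
AllowedIPs overlap, and derives the "everything but the LAN" AllowedIPs list."""
import base64
import ipaddress

# Constructed placeholder keys (base64 of fixed bytes); never use them, run `wg genkey`.
KEY_SERVER, KEY_A, KEY_B = (base64.b64encode(bytes(range(i, i + 32))).decode() for i in (0, 32, 64))
LAN_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]

def parse_wg_conf(text):
    """Parse an INI-style wg config into {"Interface": {...}, "Peer": [{...}, ...]};
    '#' starts a comment, even after a value, exactly as wg(8) treats it."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peer"].append(section)
        elif section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return conf

def is_wg_key(value):
    """A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_endpoint(value):
    """Endpoint must be host:port; the host is a public IP or DNS name, never a key."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return f"Endpoint {value!r} is not host:port"
    host = host.strip("[]")  # allow the [v6-address]:port form
    if not host or any(c.isspace() for c in host) or is_wg_key(host):
        return f"Endpoint host {host!r} must be the server's public IP or DNS name, not a key"
    return None

def check_config(conf):
    """Return human-readable findings for a parsed config; an empty list means clean."""
    findings = []
    if not is_wg_key(conf["Interface"].get("PrivateKey", "")):
        findings.append("Interface: PrivateKey missing or not a 44-character base64 key")
    if "Address" not in conf["Interface"]:
        findings.append("Interface: no Address")
    claimed = []  # (network, peer number) already assigned by an earlier peer
    for i, peer in enumerate(conf["Peer"], 1):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"peer {i}: PublicKey missing or not a 44-character base64 key")
        if "Endpoint" in peer and (msg := check_endpoint(peer["Endpoint"])):
            findings.append(f"peer {i}: {msg}")
        for item in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            for other, j in claimed:  # cryptokey routing: a range belongs to exactly one peer
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {i}: AllowedIPs {net} overlaps {other} of peer {j} (WireGuard hands it to the last peer loaded)")
            claimed.append((net, i))
    return findings

def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Prefixes of `base` left once `excluded` (same IP version) are cut out, i.e. a full-tunnel AllowedIPs that keeps those ranges off the VPN."""
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # swallowed entirely
            kept.extend(net.address_exclude(ex) if ex.subnet_of(net) else [net])
        remaining = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]

def server_conf(peer_a_allowed, peer_b_allowed):
    """Constructed two-peer server config in the article's layout (placeholder keys)."""
    return (f"[Interface]\nPrivateKey = {KEY_SERVER}\nAddress = 10.123.210.1/24,fd00:123:210::1/112\n"
            f"ListenPort = 51820\n\n# CLIENT 1\n[Peer]\nPublicKey = {KEY_A}\nAllowedIPs = {peer_a_allowed}\n"
            f"\n# CLIENT 2\n[Peer]\nPublicKey = {KEY_B}\nAllowedIPs = {peer_b_allowed}\n")

def client_conf(endpoint):
    """Constructed client config; AllowedIPs carries a trailing comment as in the article."""
    return (f"[Interface]\nPrivateKey = {KEY_A}\nAddress = 10.123.210.2/32,fd00:123:210::2/128\n\n"
            f"[Peer]\nPublicKey = {KEY_SERVER}\nEndpoint = {endpoint}\nPersistentKeepalive = 25\n"
            "AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112 # ROUTE ONLY VIRTUAL PRIVATE NETWORK TRAFFIC\n")

if __name__ == "__main__":
    whole = "10.123.210.0/24,fd00:123:210::0/112"  # the article's first server layout
    for label, text in (("whole /24 on every peer", server_conf(whole, whole)),
                        ("one address per peer", server_conf("10.123.210.2/32,fd00:123:210::2/128", "10.123.210.3/32,fd00:123:210::3/128")),
                        ("key pasted as Endpoint", client_conf("-public key of server-:51820"))):
        print(f"{label}: {check_config(parse_wg_conf(text)) or 'OK'}")
    print(", ".join(allowed_ips_excluding(LAN_RANGES)))  # reproduces the article's 30 IPv4 prefixes
```

Run it against your own /etc/wireguard/wg0.conf by passing the file contents to parse_wg_conf and check_config before bringing the interface up; the overlap check is the one wg-quick will not do for you, since wg silently re-homes an AllowedIPs range to whichever peer claims it last. allowed_ips_excluding works for any single IP version, so the same call with base="::/0" and a list of ULA or link-local prefixes produces the IPv6 counterpart the article leaves as a bare ::/0.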