<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/rss/stylesheet/" type="text/xsl"?>
<rss xmlns:content='http://purl.org/rss/1.0/modules/content/' xmlns:taxo='http://purl.org/rss/1.0/modules/taxonomy/' xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:itunes='http://www.itunes.com/dtds/podcast-1.0.dtd' xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0" xmlns:dc='http://purl.org/dc/elements/1.1/' xmlns:atom='http://www.w3.org/2005/Atom' xmlns:podbridge='http://www.podbridge.com/podbridge-ad.dtd' version='2.0'>
<channel>
  <title>Jaryl Chng&apos;s Knowledge Base</title>
  <language>en-us</language>
  <generator>microfeed.org</generator>
  <itunes:type>episodic</itunes:type>
  <itunes:explicit>false</itunes:explicit>
  <atom:link rel="self" href="https://kb-jarylchng-com.pages.dev/rss/" type="application/rss+xml"/>
  <link>https://kb.jarylchng.com</link>
  <description>
    <![CDATA[<p>Welcome to the index page of my knowledge base, if you haven't done so, do visit my website at <a href="https://jarylchng.com" rel="noopener noreferrer" target="_blank">https://jarylchng.com</a>.</p><p>I will mainly use this site to document stuff, most of which will likely be in the public domain.</p>]]>
  </description>
  <itunes:author>Jaryl Chng</itunes:author>
  <itunes:image href="https://kb-static.jarylchng.com/kb-jarylchng-com/production/images/channel-c68f1f55f856ab833b4365991609dbec.png"/>
  <image>
    <title>Jaryl Chng&apos;s Knowledge Base</title>
    <url>https://kb-static.jarylchng.com/kb-jarylchng-com/production/images/channel-c68f1f55f856ab833b4365991609dbec.png</url>
    <link>https://kb.jarylchng.com</link>
  </image>
  <copyright>©2024</copyright>
  <itunes:category text="Technology"/>
  <item>
    <title>Linux - Wireguard Server and Peer Configuration</title>
    <guid>cGYI6ANCvu6</guid>
    <pubDate>Sat, 06 Apr 2024 16:15:32 GMT</pubDate>
    <itunes:explicit>false</itunes:explicit>
    <description>
<![CDATA[<p>WireGuard is a VPN protocol and kernel module that is considerably simpler to set up than OpenVPN: a few lines of configuration per peer, static key pairs instead of a certificate hierarchy, and a much smaller code base. It is also generally faster, since it runs in the kernel and uses one fixed, modern cipher suite (Curve25519, ChaCha20-Poly1305) rather than a negotiable one.</p><h2>Setup</h2><h3>General</h3><h4>Installation</h4><p>Most package managers ship the required packages as</p><p>wireguard-tools wireguard-dkms</p><p>Install them on both your server and client(s).</p><p>Note: WireGuard has been part of the mainline Linux kernel since 5.6 (March 2020), so on a current kernel only wireguard-tools is needed; wireguard-dkms is only required to backport the module to older kernels.</p><h4>Generation of private and public key pair</h4><pre class="ql-syntax" spellcheck="false">(umask 077 &amp;&amp; printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf &gt; /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
</pre><p>Replace wg0 with your desired interface name throughout the article if needed.</p><p>The first line creates /etc/wireguard/wg0.conf readable by root only (mode 600, thanks to the umask) and writes the start of the Interface section; the second generates a private key, appends it to that file as the PrivateKey line, and derives the matching public key into /etc/wireguard/publickey. Run it on the server and on each client. The private key never leaves the machine it was generated on; only the contents of publickey are exchanged between peers. Check the permissions afterwards with sudo ls -l /etc/wireguard/wg0.conf, because anyone who can read that file can impersonate the host.</p><h3>Server</h3><h4>Edit /etc/wireguard/wg0.conf</h4><pre class="ql-syntax" spellcheck="false">[Interface]
# Private key, generated by the command above on the server (a base64 string of exactly 44 characters)
PrivateKey = -auto generated-

# Private IPv4 and IPv6 address of the server for peers to communicate with when connected, you can replace `123.210` and `123:210` with anything you like throughout the article
Address = 10.123.210.1/24,fd00:123:210::1/112

# Listen port, can be any port you like including 53 if you don't use it for DNS. Must be the same throughout the article and must be reachable over UDP from the outside (open it in the server firewall).
ListenPort = 51820

# Optional: forward the peers' traffic and NAT it out of the server's uplink so peers can reach the internet (or the server's LAN) through the server. Replace eth0 with the real uplink interface (check with `ip route get 1.1.1.1`). Not required if peers only need to reach the server and each other.
# The FORWARD rule only accepts packets arriving from %i; the return path relies on the default FORWARD policy being ACCEPT. If a firewall on the server sets it to DROP, also accept `-o %i` traffic for established connections.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Save the configuration to the file on every shutdown, personally I prefer it off because I find it easier to edit the configuration directly rather than to rely on tools
SaveConfig = false


# CLIENT 1
[Peer]

# Public key of the peer, generated by the above command on the peer (also a 44-character base64 string)
PublicKey = -auto generated and copied here-

# On the server, AllowedIPs is the cryptokey routing table: the source addresses this peer may use and the destinations routed to it.
# Restrict it to the peer's own tunnel address. Giving every peer the whole 10.123.210.0/24 does not work: an address can belong to only one peer, so each later [Peer] silently takes the range away from the earlier ones.
AllowedIPs = 10.123.210.2/32,fd00:123:210::2/128


# CLIENT 2
[Peer]
# Public key of the peer, generated by the above command on the peer (also a 44-character base64 string)
PublicKey = -auto generated and copied here-

# This peer's own tunnel address, matching the Address line in its client config
AllowedIPs = 10.123.210.3/32,fd00:123:210::3/128

# ... More peers if required, each with its own unique address ...
</pre><h4>Additional step to allow forwarding (required for the PostUp rules above, otherwise optional)</h4><pre class="ql-syntax" spellcheck="false">printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' | sudo tee -a /etc/sysctl.d/99-sysctl.conf
# `sysctl -p` without a file only reads /etc/sysctl.conf; --system also loads /etc/sysctl.d/
sudo sysctl --system
</pre><h4>Start the server</h4><pre class="ql-syntax" spellcheck="false">sudo systemctl enable --now wg-quick@wg0
</pre><h3>Client(s)</h3><h4>Edit /etc/wireguard/wg0.conf</h4><pre class="ql-syntax" spellcheck="false">[Interface]
# Private key, automatically generated by above command on the client (should be only 44 characters as of writing)
PrivateKey = -auto generated-

# Tunnel IPv4 and IPv6 address of this client. Addresses are assigned statically (WireGuard has no DHCP), so every client needs a unique one: change the `2` to the next free number for each client and use the same address in that client's [Peer] entry on the server
Address = 10.123.210.2/32,fd00:123:210::2/128

# DNS server to use, currently set to Cloudflare
DNS = 1.1.1.1


# SERVER
[Peer]
# Public key of the server, generated by the above command on the server (a 44-character base64 string)
PublicKey = -auto generated and copied here-

# Public IP address (or DNS name) of the server and the ListenPort configured on it
Endpoint = -public IP or hostname of server-:51820

# Cryptokey routing: the destinations wg-quick routes into the tunnel, and the only source addresses accepted from the server
# AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112 # ROUTE ONLY VIRTUAL PRIVATE NETWORK TRAFFIC
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0, 10.123.210.0/24 # ROUTE ALL INTERNET TRAFFIC LESS LAN THROUGH

# The long list is 0.0.0.0/0 minus 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 224.0.0.0/3, so LAN and multicast traffic stays local while everything else goes through the server. Note that ::/0 sends all IPv6 through the tunnel, including any IPv6 LAN.
# The tunnel subnet must be listed as the whole /24, not /32: with /32 only 10.123.210.0 is covered and replies from 10.123.210.1 fail cryptokey routing. 0.0.0.0/0 alone would be simpler but also routes your LAN through the tunnel.

# Keepalive packet every 25 seconds so the NAT/firewall mapping in front of the client does not expire while the tunnel is idle
PersistentKeepalive = 25
</pre><h4>Connect to server</h4><pre class="ql-syntax" spellcheck="false">sudo wg-quick up wg0
</pre><h4>Connection information</h4><p>Run these to check the connection. The wg output should show a recent "latest handshake" and non-zero transfer counters for the server peer; if "latest handshake" never appears, the handshake is failing (wrong key, wrong Endpoint or port, or UDP blocked on the way) and the ping cannot work either. If the handshake is fine but the ping fails, the problem is routing, usually AllowedIPs.</p><pre class="ql-syntax" spellcheck="false">sudo wg
ping 10.123.210.1
</pre><h4>Disconnect from server</h4><pre class="ql-syntax" spellcheck="false">sudo wg-quick down wg0
</pre><h2>Extra information</h2><h3>networkmanager-wireguard</h3><p>If you use NetworkManager (especially nm-applet) you can install networkmanager-wireguard or networkmanager-wireguard-git (AUR) for WireGuard capabilities and configuration. NetworkManager itself has had native WireGuard support since 1.16 (nmcli connection import type wireguard file /etc/wireguard/wg0.conf), so the plugin mainly adds the applet UI.</p><h3>Redirect other UDP ports to the WireGuard port with iptables</h3><p>Useful when a client sits behind a firewall that only lets a few outbound UDP ports through (DNS, NTP, HTTPS/QUIC): any of the listed ports arriving on the server's uplink is rewritten to 51820, and the client simply uses that port in its Endpoint. Pick only ports the server does not itself serve, since the REDIRECT takes them over. On the server (replace eth0 with the uplink interface):</p><pre class="ql-syntax" spellcheck="false">sudo iptables -t nat -I PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820
</pre><p>To disable:</p><pre class="ql-syntax" spellcheck="false">sudo iptables -t nat -D PREROUTING -i eth0 -p udp -m multiport --dports 53,80,123,161,443 -j REDIRECT --to-ports 51820
</pre><p>You can add both rules to PostUp and PostDown. Don't forget ip6tables if needed. Exposing the WireGuard listener on extra ports adds no attack surface: it silently drops every packet that is not a valid handshake or session message for a configured peer key, so a scanner sees nothing on those ports either.</p><h3>More reading</h3><p><a href="https://wiki.jarylchng.com/en/operating-systems/linux/wireguard-server-and-peers-configuration" rel="noopener noreferrer" target="_blank">https://wiki.jarylchng.com/en/operating-systems/linux/wireguard-server-and-peers-configuration</a></p><p><a href="https://github.com/pirate/wireguard-docs#Interface" rel="noopener noreferrer" target="_blank">https://github.com/pirate/wireguard-docs#Interface</a></p>]]>
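<![CDATA[<h3>Checking a server configuration (added example)</h3><p>The [Peer] sections on the server are easy to get wrong: AllowedIPs there is the server's cryptokey routing table, so two peers that both claim 10.123.210.0/24 fight over the same addresses, and a public key that lost a character in copy-paste is only rejected when the interface comes up. The Python below is an added example written for this page, not code from the WireGuard project or from the original article. It parses a wg-quick style config with the same comment and whitespace rules wg uses, checks that every key is 32 base64-encoded bytes (44 characters), and flags whole-subnet and overlapping AllowedIPs between peers. The sample configs and the placeholder keys embedded in it are constructed for the demonstration and the function names are this example's own.</p>
<pre class="ql-syntax" spellcheck="false">
```python
import base64
import binascii
import ipaddress


def parse_wg_conf(text):
    """Parse a wg-quick style config into (interface_settings, [peer_settings, ...]).
    Same rules as wg's own reader: '#' starts a comment anywhere on a line, whitespace
    around keys and values is ignored, and every [Peer] header opens a new peer."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return interface, peers


def is_wg_key(value):
    """A WireGuard key is 32 bytes base64-encoded: exactly 44 characters that decode cleanly."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(value) == 44 and len(decoded) == 32


def lint_server_conf(text):
    """Return the problems found in a server-side wg0.conf; an empty list means clean."""
    problems = []
    interface, peers = parse_wg_conf(text)
    if not is_wg_key(interface.get("PrivateKey", "")):
        problems.append("[Interface] PrivateKey is not a 44-character base64 key")
    if "ListenPort" not in interface:
        problems.append("[Interface] has no ListenPort, so clients have no fixed port to connect to")
    seen_keys = {}   # public key to the first peer number using it
    claimed = []     # (network, peer number) for every AllowedIPs entry seen so far
    for idx, peer in enumerate(peers, 1):
        key = peer.get("PublicKey", "")
        if not is_wg_key(key):
            problems.append(f"peer {idx}: PublicKey is not a 44-character base64 key")
        elif key in seen_keys:
            problems.append(f"peer {idx}: PublicKey duplicates peer {seen_keys[key]}; wg would merge them")
        seen_keys.setdefault(key, idx)
        for entry in filter(None, (e.strip() for e in peer.get("AllowedIPs", "").split(","))):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append(f"peer {idx}: AllowedIPs entry {entry!r} is not a valid network")
                continue
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"peer {idx}: AllowedIPs {entry} is a whole subnet; a road-warrior peer should only get its own /32 or /128")
            for other, owner in claimed:
                if other.version == net.version and other.overlaps(net):
                    problems.append(f"peer {idx}: AllowedIPs {entry} overlaps {other} of peer {owner}; an address can belong to one peer only and the later entry silently takes it")
            claimed.append((net, idx))
    return problems


# Constructed placeholder keys (base64 of 32 fixed bytes), not real key material.
KEY_SERVER, KEY_A, KEY_B = (base64.b64encode(c * 32).decode() for c in (b"S", b"A", b"B"))

# Constructed sample: the article's server config with both peers claiming the whole tunnel
# subnet, and peer 2's key missing its last four characters as after a sloppy copy-paste.
BROKEN_SERVER_CONF = f"""
[Interface]
PrivateKey = {KEY_SERVER}
Address = 10.123.210.1/24,fd00:123:210::1/112
ListenPort = 51820
[Peer]   # CLIENT 1
PublicKey = {KEY_A}
AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112
[Peer]   # CLIENT 2
PublicKey = {KEY_B[:-4]}
AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112
"""

# The same config with the full key restored and each peer limited to its own tunnel address.
FIXED_SERVER_CONF = BROKEN_SERVER_CONF.replace(KEY_B[:-4], KEY_B).replace(
    "AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112", "AllowedIPs = 10.123.210.2/32,fd00:123:210::2/128", 1
).replace("AllowedIPs = 10.123.210.0/24,fd00:123:210::0/112", "AllowedIPs = 10.123.210.3/32,fd00:123:210::3/128")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(name, lint_server_conf(conf) or ["clean"])
```
</pre><p>Run it before wg-quick up on the server: the broken sample reports the truncated key, four whole-subnet entries and two overlaps, while the fixed one comes back clean. The whole-subnet message is a warning rather than an error on purpose; a site-to-site peer that routes its own LAN legitimately gets a subnet, but a road-warrior client never should.</p>]]>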
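<![CDATA[<h3>Deriving the full-tunnel AllowedIPs list (added example)</h3><p>The long AllowedIPs line in the client config is 0.0.0.0/0 with the three RFC 1918 blocks and 224.0.0.0/3 carved out, written as the 30 CIDR blocks that remain, because WireGuard has no way to say "everything except". The Python below is an added example, not code from the article or from the WireGuard project: it recomputes that list with the standard library ipaddress module and then shows which destinations wg-quick would send into the tunnel, including the tunnel subnet itself, which must be listed as the whole /24. The function and constant names are this example's own.</p>
<pre class="ql-syntax" spellcheck="false">
```python
import ipaddress

# Ranges kept OUT of the tunnel, matching the long AllowedIPs line in the client config:
# the three RFC 1918 LAN blocks plus 224.0.0.0/3 (multicast and the reserved 240/4 space).
LOCAL_ONLY_V4 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")

# Tunnel subnet used throughout the article. It is routed as a whole /24 so that packets
# from the server's 10.123.210.1 pass cryptokey routing on the client.
VPN_V4 = "10.123.210.0/24"


def exclude_networks(base, excluded):
    """Return `base` minus every network in `excluded` as a sorted, minimal list of CIDR blocks.

    WireGuard has no "everything except" syntax, so a full-tunnel config that keeps the LAN
    reachable must enumerate the complement explicitly; this is that computation.
    """
    base_net = ipaddress.ip_network(base)
    remaining = [base_net]
    for ex in map(ipaddress.ip_network, excluded):
        if ex.version != base_net.version:
            raise ValueError("all networks must be the same IP version")
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the excluded block out of net
            elif net.subnet_of(ex):
                continue  # net lies entirely inside the excluded block: drop it
            else:
                kept.append(net)  # disjoint: keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(exclude=LOCAL_ONLY_V4, extra=("::/0", VPN_V4)):
    """Build the client-side AllowedIPs value: all IPv4 except `exclude`, then `extra`.

    `extra` defaults to all IPv6 (::/0) and the tunnel subnet, as in the article.
    """
    blocks = [str(n) for n in exclude_networks("0.0.0.0/0", exclude)]
    return "AllowedIPs = " + ", ".join(blocks + list(extra))


def routes_via_tunnel(destination, allowed_ips):
    """True if `destination` falls in any AllowedIPs entry, i.e. wg-quick routes it into wg0."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(n, strict=False) for n in allowed_ips)


if __name__ == "__main__":
    line = allowed_ips_line()
    print(line)
    entries = line.split("= ", 1)[1].split(", ")
    for host in ("1.1.1.1", "192.168.1.1", "10.123.210.1", "10.0.0.5", "2606:4700:4700::1111"):
        print(f"{host:22} {'tunnel' if routes_via_tunnel(host, entries) else 'local'}")
```
</pre><p>The generated line is identical to the one in the client config above. Changing LOCAL_ONLY_V4 (for example dropping 224.0.0.0/3, or adding 100.64.0.0/10 if your ISP uses carrier-grade NAT) regenerates a correct list without hand-splitting prefixes, and routes_via_tunnel answers the usual "will this go through the VPN?" question before you bring the interface up.</p>]]>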
    </description>
    <link>https://kb.jarylchng.com/i/linux-wireguard-server-and-peer-configuration-cGYI6ANCvu6/</link>
    <itunes:episodeType>full</itunes:episodeType>
  </item>
</channel>
</rss>