Install WireGuard.
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt install wireguard
Enable IP forwarding. Open /etc/sysctl.conf and uncomment the #net.ipv4.ip_forward=1 line.
net.ipv4.ip_forward=1
$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey
Replace eth0 with <your network interface>.
# /etc/wireguard/wg0.conf
[Interface]
Address = <Private Address for VPN. e.g., 10.10.0.1/24>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <Server Private Key>
[Peer]
PublicKey = <Client Public Key>
AllowedIPs = <Client Unique IP. e.g., 10.10.0.2/32>
Other iptables rules (note that these use the 10.200.200.0/24 subnet from the linked post; adjust them to the Address you chose above):
Copied from https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
# Track VPN connection
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allowing incoming VPN traffic on the listening port
iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
# Allow both TCP and UDP recursive DNS traffic
iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Allow forwarding of packets that stay in the VPN tunnel
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
# Set up NAT
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
If you want to add a new client, add a new [Peer] section to wg0.conf.
# Enable WireGuard interface
$ wg-quick up wg0
# Disable WireGuard interface
$ wg-quick down wg0
# Enable the interface as a service.
$ sudo systemctl enable wg-quick@wg0
$ sudo ufw allow 51820/udp
$ sudo ufw enable
$ sudo wg show
interface: wg0
public key: <Server Public Key>
private key: (hidden)
listening port: <Listen Port>
- WireGuard for Windows from the homepage.
- WireGuard for Android from PlayStore.
Client config:
[Interface]
PrivateKey = <Client Private Key>
Address = <Client IP. e.g., 10.10.0.2/32>
[Peer]
PublicKey = <Server Public Key>
AllowedIPs = 0.0.0.0/0
Endpoint = <Server IP:Port>
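Adding a client by hand means generating a key pair on the client, appending a [Peer] section to wg0.conf with an unused /32, and writing a client config like the one above. The script below is an added example (not part of these notes or of the WireGuard project) that automates the config side: it parses the server's wg0.conf, picks the next free address in the Interface subnet, refuses an AllowedIPs entry that is wider than /32, outside the subnet or already taken (AllowedIPs doubles as WireGuard's cryptokey routing table, so an overlapping entry would let one client's key claim traffic meant for another), and renders both the [Peer] block and the client config. The sample server config, the keys and the endpoint vpn.example.invalid are constructed placeholders; real public keys come from `wg genkey | wg pubkey` on the client.

```python
"""Add a client to a WireGuard server config: pick the next free address, emit the
[Peer] block to append to wg0.conf and the matching client config.

Added example, not part of the original notes. Assumes one [Interface] section with a
single IPv4 Address in CIDR form (e.g. 10.10.0.1/24) and /32 AllowedIPs per peer.
Keys are passed in as the base64 strings printed by `wg genkey` / `wg pubkey`.
"""
import base64
import ipaddress

# Constructed sample server config, laid out like the wg0.conf in the notes.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <Server Private Key>

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.10.0.2/32
"""
# Constructed stand-ins for real keys (32 bytes, base64-encoded) and for the endpoint.
SAMPLE_CLIENT_PUBKEY = base64.b64encode(bytes(range(1, 33))).decode()
SAMPLE_SERVER_PUBKEY = base64.b64encode(bytes(range(33, 65))).decode()
SAMPLE_ENDPOINT = "vpn.example.invalid:51820"


def is_wg_key(key: str) -> bool:
    """WireGuard keys are 32 bytes encoded as exactly 44 base64 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def parse_conf(text: str) -> dict:
    """Minimal INI-style parser returning the Interface section and the list of Peers."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1]})
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # keys may end in '=', so split once
            sections[-1][key.strip()] = value.strip()
    interface = next(s for s in sections if s["_section"] == "Interface")
    return {"interface": interface, "peers": [s for s in sections if s["_section"] == "Peer"]}


def used_addresses(conf: dict) -> set:
    """The server's own address plus every address already claimed by a peer's AllowedIPs."""
    used = {ipaddress.ip_interface(conf["interface"]["Address"]).ip}
    for peer in conf["peers"]:
        for cidr in peer.get("AllowedIPs", "").split(","):
            if cidr.strip():
                used.add(ipaddress.ip_interface(cidr.strip()).ip)
    return used


def next_free_ip(conf: dict) -> ipaddress.IPv4Address:
    """Lowest host address in the VPN subnet not yet assigned to the server or a peer."""
    network = ipaddress.ip_interface(conf["interface"]["Address"]).network
    used = used_addresses(conf)
    for host in network.hosts():
        if host not in used:
            return host
    raise RuntimeError("no free addresses left in %s" % network)


def check_allowed_ips(conf: dict, cidr: str) -> str:
    """Return '' if cidr is acceptable as a new peer's AllowedIPs, else the reason it is not.
    AllowedIPs is the cryptokey routing table, so only an unused /32 inside the subnet passes."""
    candidate = ipaddress.ip_interface(cidr)
    network = ipaddress.ip_interface(conf["interface"]["Address"]).network
    if candidate.network.num_addresses != 1:
        return "must be a single host (/32)"
    if candidate.ip not in network:
        return "outside VPN subnet %s" % network
    if candidate.ip in used_addresses(conf):
        return "address already assigned"
    return ""


def add_client(server_conf: str, client_pubkey: str, server_pubkey: str, endpoint: str) -> tuple:
    """Return (peer_block, client_conf). The client's PrivateKey stays a placeholder:
    the client generated it and it should never leave that machine."""
    if not (is_wg_key(client_pubkey) and is_wg_key(server_pubkey)):
        raise ValueError("public keys must be 44-character base64 WireGuard keys")
    conf = parse_conf(server_conf)
    cidr = "%s/32" % next_free_ip(conf)
    problem = check_allowed_ips(conf, cidr)
    if problem:
        raise ValueError(problem)
    peer_block = "\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n" % (client_pubkey, cidr)
    client_conf = (
        "[Interface]\nPrivateKey = <Client Private Key>\nAddress = %s\n\n"
        "[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n"
        % (cidr, server_pubkey, endpoint)
    )
    return peer_block, client_conf


if __name__ == "__main__":
    peer, client = add_client(SAMPLE_SERVER_CONF, SAMPLE_CLIENT_PUBKEY,
                              SAMPLE_SERVER_PUBKEY, SAMPLE_ENDPOINT)
    print("Append to /etc/wireguard/wg0.conf:" + peer)
    print("wgclient.conf:\n" + client)
```

Run it after generating the client key pair, append the printed [Peer] block to wg0.conf, then bring the interface down and up again with wg-quick as above so the new peer is loaded; the printed client config is what you would feed to qrencode.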
Share the client config via QRCode:
$ qrencode -t ansiutf8 < wgclient.conf